Aurologic accused of being a major actor in enabling cybercrime

BTW, Spamhaus is an organized crime extortion racket. This was proved when they noticed some spam from a company called CyberBunker (now defunct). SpamHaus went to CyberBunker's upstream's upstream's upstream, and told them to blackhole CyberBunker.
That upstream (A2B Internet) said: why would we? You should go talk to CyberBunker first. In response to this, SpamHaus immediately blackholed all of A2B. SpamHaus never tried to resolve this with the end customer, or with CyberBunker, or any other intermediary.
A2B filed a criminal police complaint for extortion. Sadly it seems the verdict isn't public information.
So far his walls of text have been right, except for the part where he blames the left "activists" for everything and wants to kill them.
There are proper legal procedures for a reason. You can't just bypass them and get some company banned off the internet, or we'd have no internet left because everyone would always be reporting everyone to everyone.
Obviously the providers that insist on proper procedure will end up with more of the clients that got kicked off other providers - and will charge a higher price for it. If you think a crime was committed, report it to the police.
Are you trying to portray the company that had an MDMA lab in the data center as the victim?
I'm neither an activist nor a leftist so he was wrong about that as well, and I should know because I'm me
Emgh was accused of being leftist activist by reputable banned LET members
And this is precisely the point, this way of doing business will cause me and others to not find the business serious, and just like they have the right to serve this clientele, I have the right to voice that I don't agree with the way of doing business.
Plenty of people will choose them as a provider because they act like this, but plenty also won't, some will actively avoid them because of it. They have this right.
The point of this thread was never to say "Aurologic is doing something illegal" it's to say "Aurologic might be doing xyz, if you're fine with the accusations and their way of doing business, use them, if you're not, consider not using them".
I'd like to know about all these things if I were looking for a new host for my business stuff as I wouldn't want to associate with a business like this. That doesn't make me an activist, it's just about being strategic.
Hi, ex-CyberBunker employee here.
You're mostly right, but I do need to add that Spamhaus wasn’t entirely in the wrong here. At the time, we were still strictly following our "no matter what" policy. There literally wasn't anyone checking abuse emails for a long time. There's definitely room for argument, but the fact is, our network back then was primarily used by criminals, botnets, phishing and spam operations, and a whole bunch of other shady activities.
I still don't like Spamhaus, but at that point, what they did wasn’t wrong.
The real issue with Spamhaus came later in the story.
At some point, we tried to transition to a cleaner business model. We started by kicking out any problematic customers, phishing, spam, botnets, and all that kind of stuff. If we received an abuse report for one of those activities, the IP was blocked until the issue was resolved. We were still lenient, sure, but I wouldn't say we were a "bulletproof" provider anymore. Then we tried to start a new company, get certifications for the data center, target new business customers, and slowly phase out the CyberBunker clients.
Unfortunately, Spamhaus blocked any new company or subnet almost immediately after we got it. We hadn’t even announced the IPs yet; it was just because they were linked to Xennt or people working with us. This made it nearly impossible to target new types of customers and move away from CyberBunker. We even reached out directly to Steve Linford, explaining our situation and our interest to clean things up. His response was that we would be removed from the ROSKO and DROP lists if we didn’t receive a single abuse report for 24 months. Which, frankly, is an impossible target, even for regular providers. Something always happens, even if it's just a customer getting hacked.
I don’t want to place all the blame on Spamhaus, but we definitely felt trapped. We wanted to move away from CyberBunker and its reputation, but Spamhaus would target anything we did the second they saw it, which made it extremely difficult.
I wish I could share a more interesting story here, but in this case, we were.
The storage rooms were rented out to other people. We had a few rooms available for rent to help cover some of the operational costs of the bunker.
But well, that’s all from decades ago now 🤷
This thread gets spicier the more I read
Did you ever have a quick taste of the MDMA just to make sure your bunker wasn't used to produce low quality drugs?
On a serious note, great little story. You've had an interesting career for sure
I don't agree with everything you did but I don't think you do either so whatever, right
I guess we all did stupid things when we were young.
But yeah, a lot of things were really messed up, and I do wish we had done things differently.
Hm… if you want me to spice things up while staying on topic, I should probably mention that at one point, CyberBunker asked aurologic (combahton back then) for transit and colocation, and we actually got an offer from them too.
If the raid had happened just a few months later, CyberBunker would have ended up being an Aurologic customer as well.
But to be fair here, I need to add that it was somewhat early in the existence of combahton I believe, and at this stage we cleaned up our network already (as far as possible from abuse reports alone)
Can confirm.
Can't undo but you can change
Hey folks, I built a small visualization tool that maps active C2 / malware-infrastructure within an ASN, its down / upstreams and peers, based on open-source threat intel. Here’s the result of a scan on AS30823 (Aurologic GmbH), showing only ASNs with recorded malicious indicators:
Data sources:
MalwareBazaar, ThreatFox, Feodo Tracker, URLhaus, Blocklist.de, Emerging Threats
What the map represents:
Red = ASN with ≥1 active IOC in the OSINT feeds
Edges = upstream/downstream relationships (AS Peering DB + routing data)
Only ASNs with recorded IOCs appear. Clean ASNs are filtered out
Total checked: 269 ASNs | Compromised found: 47
This is purely a research visualization based on public threat intel, not a claim that any provider is intentionally facilitating abuse.
Lines represent upstream/downstream ASN relationships
This is purely a research visualization, not a claim of wrongdoing.
link to tool
Sure, I’ll share it. I’m cleaning it up right now and I expect to release it on GitHub later today or, more realistically, tomorrow.
If you want a report for a specific ASN in the meantime, just let me know.
Would be great to have some other ASN just so people have something to compare things with.
Maybe AS34549 would be a comparable network (same location, roughly same amount of downstreams).
(emphasis mine)
47 out of 269 is less than 15%, yet the image makes Aurologic / @jh_aurologic look like having/serving only red ~ evil ASNs.
What
What, 47 out of 269 downstreams / peers is 17,4 percent. The visualization highlights only the ASNs that currently have active C2 or malware infrastructure reported in public OSINT feeds, so the graphic naturally focuses on the “red” ones instead of showing all 269.
It’s not meant to imply that Aurologic is serving only malicious networks. It just visualizes the subset of downstreams /peers that appear in multiple threat intel sources at this moment.
Hi Jsg, great contribution as always to this forum, slight issue with your math though
47 out of 269 is 17.47%, which is higher than 15%
You can use this website to calculate percentages better
https://www.calculator.net/percent-calculator.html?c22par1=47&c22par2=269&ctype=22&x=Calculate#pctcommon
I even did it for you, so you should see the result right away

My bad, 17.4% is correct - and way below 20%.
Then maybe at the very least also show some image visualizing both in total, like e.g. a circle representing all ASN and a segment of "red" ones.
Yes, this is correct. 17,4 is less than 20 but more than 15. In order they’d go like this, from lowest to highest:
1. 15
2. 17,4
3. 20
I hope this may clear up any further confusion on the matter.
@jsg However, 17,47 rounded to closest decimal point would be 17,5 and not 17,4
Not sure if we should start a discussion about what is more or less a rounding error.
However, I think the chart would be more helpful if we reduce the depth.
Aurologic provides transit to 45 providers, and not 269. It just needs one bigger "good" or "bad" downstream to make this whole percentage somewhat meaningless.
Also not entirely sure how we reached 269 here?
bgp.tools is only aware of 95 networks that are downstream of aurologic
https://bgp.tools/cone/30823
Another chance at trying out percentage calculation folks
Let’s see if we learned anything
That's the case because I checked peers and downstreams up to a depth of 3, which means 47 ASNs, either direct or indirect customers of Aurologic, have active malware/C2 indicators.
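The method described in the posts above (walk an ASN's downstreams and peers to a fixed depth, keep only the ASNs that have an active IOC in a public feed, and report flagged vs. checked) can be reproduced in a few dozen lines. The following is an added example, not the poster's tool or any Aurologic code; the ASN graph and the IOC table are constructed sample data, and the feed names are only labels. It also reports the direct-downstream count separately, since the thread points out that a depth-3 cone and the direct customer list give different denominators.

```python
from collections import deque

# Constructed sample routing data (not real): provider ASN -> ASNs it gives transit to.
SAMPLE_DOWNSTREAMS = {
    "AS1": ["AS10", "AS11", "AS12"],
    "AS10": ["AS100", "AS101"],
    "AS11": ["AS110"],
    "AS100": ["AS1000"],
    "AS1000": ["AS10000"],  # four hops from AS1: outside a depth-3 cone
}

# Constructed sample IOC table (not real): ASN -> list of (feed, indicator).
SAMPLE_IOCS = {
    "AS11": [("urlhaus", "hxxp://example.invalid/payload")],
    "AS101": [("feodotracker", "203.0.113.7")],
    "AS1000": [("threatfox", "198.51.100.9"), ("urlhaus", "hxxp://bad.invalid/x")],
    "AS10000": [("malwarebazaar", "sha256-placeholder")],
}


def expand_cone(root, downstreams, max_depth):
    """Breadth-first walk over downstream edges.

    Returns {asn: depth} for every ASN reachable from `root` within
    `max_depth` hops; the root itself is not included.
    """
    depth_of = {root: 0}
    queue = deque([root])
    while queue:
        asn = queue.popleft()
        depth = depth_of[asn]
        if depth >= max_depth:
            continue
        for child in downstreams.get(asn, []):
            if child not in depth_of:  # first visit is the shortest path
                depth_of[child] = depth + 1
                queue.append(child)
    del depth_of[root]
    return depth_of


def flagged_asns(cone, iocs):
    """Keep only ASNs that have at least one IOC; clean ASNs are dropped."""
    return {
        asn: {
            "depth": depth,
            "indicators": iocs[asn],
            "feeds": sorted({feed for feed, _ in iocs[asn]}),
        }
        for asn, depth in cone.items()
        if iocs.get(asn)
    }


def summarize(root, downstreams, iocs, max_depth=3):
    """Flagged-vs-checked summary for the cone, plus the direct-downstream view."""
    cone = expand_cone(root, downstreams, max_depth)
    flagged = flagged_asns(cone, iocs)
    direct = {asn for asn, d in cone.items() if d == 1}
    return {
        "root": root,
        "depth": max_depth,
        "checked": len(cone),
        "flagged": len(flagged),
        "percent": round(100.0 * len(flagged) / len(cone), 1) if cone else 0.0,
        "direct_checked": len(direct),
        "direct_flagged": len(direct & flagged.keys()),
        "details": flagged,
    }


if __name__ == "__main__":
    report = summarize("AS1", SAMPLE_DOWNSTREAMS, SAMPLE_IOCS, max_depth=3)
    print(f"{report['root']} depth {report['depth']}: "
          f"{report['flagged']}/{report['checked']} flagged ({report['percent']}%), "
          f"direct: {report['direct_flagged']}/{report['direct_checked']}")
    for asn, info in sorted(report["details"].items(), key=lambda kv: kv[1]["depth"]):
        print(f"  {asn} depth={info['depth']} feeds={','.join(info['feeds'])}")
```

With the sample graph, AS10000 is flagged in the IOC table but never appears in the depth-3 report because it is four hops away, which is exactly the kind of result that changes when the depth setting changes; comparing `max_depth=1` with `max_depth=3` on the same data shows why the direct-customer figure and the cone figure should be reported side by side.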
The problem isn't they blocked you. The problem is they went to your upstream's upstream's upstream and blocked them unless they complied with an obviously insane demand. No single org should have the power to kick anyone off the whole internet, but if they do get such power, using it like that is criminally illegal. I am disappointed it doesn't seem anyone at Spamhaus got jail time.
Don't undersell it. This is literally mafia tactics. Spamhaus are literally internet mafia - wouldn't it be such a shame if something just happened to that nice network of yours?
To be fair I think operating something like Spamhaus is incredibly hard and you probably lose patience with people after awhile
For everyone saying they’ve changed and mean it there’s probably 10 saying they’ve changed without meaning it
Excuse my ignorance because I am new in the forum but why target Aurologic here? They do not host anything if I understood correctly and this is like asking ISP providers why are you giving internet access to certain individuals I don't like.
As long as they are complying with law enforcement and not breaching any laws, what's the issue here?
Like Init7 and RETN who actually signed a contract and supplied you with actual connectivity. We did not, you got an offer back in 2019 telling me how clean your network is. We don't know what is going on there, especially not the so often mentioned stories about darknet marketplaces operating on tor. That's something only law enforcement can know legally.
The CrazyRDP story here is different, there were multiple Tier-2 and even some other LET providers present actually serving the ASN as downstream over the past 12 months. You don't see from the outside that this ASN is actually used by CrazyRDP, you see Sovy Cloud Services. Same issue here with the fact that we don't see what's actually behind or running there.
Being accused that we know what's going on with every downstream is senseless and rather naive, especially when your network capacity is well above multiple terabit. I'd bet that every VPS provider has a certain amount of IOCs, this can happen at scale and doesn't make you support them as network operator
Feel free to report such as abuse complaint, from my point of view the discussion is not quite productive.
At this time, most of our network, or at least the majority of our servers, had IPs operating directly under the A2B network.
We were a customer of A2B, but in the BGP sense, we were not a downstream.
The issue with A2B arose when Spamhaus started blocking larger parts of the A2B network, rather than just the individual IPs assigned to us, which obviously affected other A2B customers as well.
After this, we migrated our services to our own network, so A2B is no longer affected.
However, I still support targeting the upstream provider if the provider does not respond to anything.
A provider should not be untouchable simply because they ignore your emails.
Sure, you could say this is the role of law enforcement, but on an international thing like the internet, there are plenty of jurisdictions that can make a provider effectively untouchable.
Again, I don't like Spamhaus. I'm honestly not a fan of blocklists in general.
But I can't blame them. As a blocklist operator, they are within their rights to block entire providers if they believe a significant amount of traffic originating from those providers is “bad.”
I wish they had been less aggressive toward us and had given us a chance to improve.
But from their perspective, their main goal is to block anything that could be malicious, so I can understand why they don't really have any interest in helping us.
Spamhaus is not some kind of magic internet police. They don't have any real power on their own.
All they can do is put you on a list and send you an annoying email now and then. Their “power” comes from the fact that many people trust their decisions and build filters based on their blocklists.
I do think Spamhaus is quite non-transparent. It’s often unclear why an IP ends up on one of their lists.
But I don’t believe they act maliciously.
Still, I wish people would choose their blocklists more consciously.
Spamhaus is often just the default in many mail and spam-filter suites.