Netherlands seizes 800 servers of hosting firm enabling cyberattacks


Comments

  • icemaniceman Member

    Besides reselling of many hosts, is 4vps related to this a.k.a pq/thehosting? If yes any info about that?

    Thanked by 1: forest
  • @JasonM said:
    PQ Hosting/The.Hosting owners are Russian? or which other country?

    In the case of Maxided, the owner was arrested at the same time the servers were seized. PQ Hosting's owner was not, so I think the physical location of the owner is in Transnistria or Russia.

    Recently, they separated out a brand only for Russian businesses (UFO hosting).

  • forestforest Member

    @mp11 said: seems they capture everything and are doing with this a very dangerous and lucrative side business.

    Source that WorkTitans captures everything? The only information I have is that Stark Industries partnered with Team Cymru to try to track a botnet. That's bad because Team Cymru will resell the data, but do you have solid reasoning that they capture everything, not just NetFlow records?

  • mp11mp11 Member
    edited May 25

    @kickassmyserv said:

    @JasonM said:
    PQ Hosting/The.Hosting owners are Russian? or which other country?

    In the case of Maxided, the owner was arrested at the same time the servers were seized. PQ Hosting's owner was not, so I think the physical location of the owner is in Transnistria or Russia.

    Recently, they separated out a brand only for Russian businesses (UFO hosting).

    PQ is the same company; THE.hosting just rebranded. By the way, I found the domain here on LET and let it expire. Too bad, it would have made a good business; now it is burned.

    @forest said:

    @mp11 said: seems they capture everything and are doing with this a very dangerous and lucrative side business.

    Source that WorkTitans captures everything? The only information I have is that Stark Industries partnered with Team Cymru to try to track a botnet. That's bad because Team Cymru will resell the data, but do you have solid reasoning that they capture everything, not just NetFlow records?

    No direct proof for now; Team Cymru had bought enough metadata to rebuild the flows with that and targeting

    So why do you still believe in them after all these reports?
    They rebranded like four times in one year; this report gives good insight, showing how they act and what else this involves.

    Made a quick visual map - https://www.perplexity.ai/computer/a/2c11116e-72a8-544e-90d6-f178345d11e2


    The key insight is AS401690's invisible-but-present design: Cymru deliberately keeps its collection ASN off the public BGP table while registering at IXPs. This means:

    - Any provider peering privately with AS401690 at an IXP would never show up in public BGP data.

    - This is structurally why tracing the PQ.Hosting → Cymru link via public BGP tools alone is impossible — the collection endpoint is designed to be invisible.

    - The 700+ claimed partner feeds likely flow into AS401690 (the dark collection ASN), not AS23028 (the public-facing research/operations ASN).

    Bottom line: Public BGP monitoring tools confirm Team Cymru runs a deliberately opaque two-ASN architecture — one public (AS23028, upstreamed via NTT/Zayo/GTT/HE/EdgeUno), and one dark/passive (AS401690, invisible to public routing tables but registered at IXPs).

    This makes it structurally impossible to prove or disprove PQ.Hosting's involvement using only public BGP data.

    The only way to confirm would be a direct investigation like Windscribe ran on Tzulo.

    The open peering policy on AS401690 at 14 global IXPs is the key mechanism. Cymru doesn't need to sign contracts or negotiate — any ISP or hosting provider co-located at AMS-IX, DE-CIX, or LINX can establish a BGP session with AS401690 and begin exporting flow records privately. PQ.Hosting's upstream providers are physically co-located at several of these same IXPs (AMS-IX and DE-CIX are standard for any European transit provider). The connection is entirely plausible — but because it's a private BGP session at the IXP layer, it leaves no public BGP footprint, which is exactly why no tool can confirm or deny it.

    14 IXP presence points globally — all with open peering policy, no ratio requirement, no contract requirement. This means any network at these IXPs can peer privately with AS401690, with zero friction and zero public trace. The ASN originates no prefixes — it only receives. That's the architecture of a passive collection tap.

    https://www.peeringdb.com/net/39768

    Prepared using Claude Sonnet 4.6 Thinking


    https://www.augursecurity.com/post/european-union-sanctions-force-stark-industries-solutions-ltd-to-rebrand-again

    "The financially motivated group FIN7 deployed Stark-based servers for phishing operations and malware distribution. Ransomware operators, including LockBit and Conti, relied on Stark’s bulletproof VPS hosting for staging payloads, running command-and-control nodes, and exfiltrating stolen data."

    Infrastructure Rebranding
    Autonomous System Numbers (ASNs) associated with the Neculitis reflect a consistent pattern of rebranding and obfuscation, often used to evade scrutiny and takedown efforts. This evolution began with AS43624, known as PQ Hosting, which operated primarily out of Moldova and the breakaway region of Transnistria. PQ Hosting was widely known for offering bulletproof hosting services, resilient infrastructure often used by cybercriminals and state-aligned threat actors due to its resistance to takedown requests.

    PQ Hosting (AS43624), another infrastructure node linked to the Neculiti network, was also used by APT28 (AKA Fancy Bear) for espionage activities. Ransomware gangs like REvil and DarkSide used PQ’s infrastructure to host negotiation portals and payload servers, suggesting a shared or overlapping ecosystem.

    Augur Data confirming public data
    Our preemptive data shows that AS44477 (Stark Industries Solutions) has predominantly hosted sophisticated Russian cyber actors and malware families. This highlights the central role this infrastructure has played in enabling pro-Russian cyber activity targeting Europe, Ukraine, and other regions. Russian-aligned threat groups, including Sandworm, APT28 (also known as Fancy Bear), and cybercriminal groups such as FIN7, Conti, and LockBit, have leveraged malware like Qakbot, IcedID, and Ursnif, often delivered through loaders like PrivateLoader and DarkGate. These were supported by post-exploitation frameworks, such as Cobalt Strike and Sliver, which facilitated long-term access and the deployment of ransomware. Pro-Russian hacktivist groups, such as NoName057(16), also relied on AS44477 infrastructure to conduct Distributed Denial-of-Service (DDoS) attacks and propagate influence operations, thereby reinforcing Russia’s hybrid warfare objectives.


    What Perplexity says:

    Team Cymru openly states it has 700+ partner ISPs and hosting providers feeding its netflow dataset, claiming to process 300+ billion daily IP-to-IP flow records. The data originates from upstream providers, not typically the end resellers — meaning even a privacy-focused host may unknowingly pass netflow up the chain to a Cymru partner.

    Why PQ.Hosting Is Suspected (But Unconfirmed)
    The suspicion toward PQ.Hosting likely stems from the same logic:

    A researcher compiled a GitHub list (beescuit/netflow-data) of ISPs suspected of sharing netflow with Cymru, based on BGP peering and upstream relationships, but explicitly notes the list "might be inaccurate".

    PQ.Hosting operates across many jurisdictions with various upstream transit providers — any one of those upstreams could theoretically be a Cymru partner without PQ.Hosting's explicit knowledge or consent.


    https://www.twipla.com/en/blog/how-the-augury-platform-captures-email-and-internet-data

    The Augury platform gives access to “petabytes” of data both current and historical.

    Augury also includes "netflow data," which paints a picture of the volume and flow of traffic within a network. This information may normally only be accessible to the server owner or the ISP delivering the traffic, and it may include which servers communicated to another.

    The server they are finally connected from can be seen by tracking the traffic through virtual private networks using that netflow data.

    ISPs offer Team Cymru this netflow data in exchange for information. Without the consumers of the ISPs' knowledge, that data transfer is most certainly taking place.

    The users almost definitely don't know that Team Cymru receives their data and then buys access to it. It is unclear how they acquire the PCAP and other more sensitive data, including whether it comes from ISPs or some other source.


    https://www.volkskrant.nl/binnenland/how-a-consultant-and-a-concert-pianist-from-the-netherlands-aided-pro-russian-hackers~b60acffb/

    A confidential technical overview, seen by de Volkskrant and Denmark's public broadcaster DR, shows the networks most used in pro-Russian attacks on Danish government bodies. Between 13 and 19 November 2025 this was the infrastructure of two companies: the Enschede-based WorkTitans, owned by organizational consultant Youssef Z., and Mirhosting of Almere, owned by concert pianist Andrey N.

    Stark was no ordinary customer, as Rasmus would quickly discover. It evidently had strong Russian connections. Shortly after Stark began renting physical space at Rasmus's facility for Mirhosting's servers, the Dane started receiving anonymous email threats linked to his new customer. Pro-Ukrainian hackers had suddenly come after him too.


    https://community.ipfire.org/t/mass-netflow-data-collection-with-90-of-traffic-visibility/8701
    https://discuss.privacyguides.net/t/some-information-on-netflow-data-collection-team-cymru/36478


    https://apps.db.ripe.net/db-web-ui/query?searchtext=ORG-PHS8-RIPE

    org-name: WEISS HOSTING GROUP S.R.L.
    mnt-by: PQHS-MNT
    last-modified: 2026-05-13T07:40:02Z


    now inactive ASN:

    http://viewip.net/asn/AS44774/
    Name STARK

    greets to pq, I just asked for a 4USD refund, now you got this :smile:
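The distinction forest raises above, between "capturing everything" and receiving NetFlow records, is easiest to see by decoding one. This is an added example, not code from the thread or from any provider named in it: it parses a constructed NetFlow v5 export datagram (the fixed-layout format, 24-byte header plus 48-byte records) and shows that each record carries only connection metadata, never packet payload.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire layout, network byte order: 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src, dst, nexthop, ifaces, pkts, bytes, times, ports, flags, proto, AS, masks
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(packet: bytes) -> List[Dict]:
    """Decode a NetFlow v5 datagram into flow records. Rejects truncated or non-v5 input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last, sport, dport,
         _pad1, tcp_flags, proto, _tos, src_as, dst_as, _smask, _dmask, _pad2) = struct.unpack(
            RECORD_FMT, packet[off:off + RECORD_LEN])
        # Everything an exporter hands over is in this dict: 5-tuple, counters, AS numbers.
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": PROTO_NAMES.get(proto, str(proto)),
                      "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
                      "src_as": src_as, "dst_as": dst_as, "exporter_seq": seq,
                      "sampling": sampling})
    return flows


def sample_packet() -> bytes:
    """Constructed datagram with two flows (sample data, not a real capture)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    https_flow = struct.pack(RECORD_FMT, socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                             b"\0\0\0\0", 1, 2, 12, 3400, 1000, 2000, 51234, 443, 0, 0x18, 6, 0,
                             64500, 64501, 24, 24, 0)
    dns_flow = struct.pack(RECORD_FMT, socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.53"),
                           b"\0\0\0\0", 1, 2, 1, 78, 1000, 1000, 40000, 53, 0, 0, 17, 0,
                           64500, 64502, 24, 24, 0)
    return header + https_flow + dns_flow


if __name__ == "__main__":
    for flow in parse_netflow_v5(sample_packet()):
        print(flow)
```

Note what is absent from every record: no payload bytes, no TLS SNI, no DNS query name. What an upstream can reconstruct from a feed like this is who talked to whom, when, and how much.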

  • kazawikikazawiki Member
    edited May 29

    :D

  • _Just got this from The.Hosting:_

    **IMPORTANT: Notice of Service Discontinuation and Account Closure**

    Dear Customer,

    We are writing to inform you that due to unforeseen and unavoidable force majeure circumstances, THE.Hosting is forced to permanently discontinue all its operational services and wind down its activities.

    As a result, our platform, support channels, and all associated services will be closed in the coming days.

    What this means for you:

    ➖ New Orders & Renewals: All active forms of registration, ordering, and renewals have been disabled. No new services can be purchased.

    ➖ Data & Accounts: If you have any active data, configurations, or account details stored within our systems, we urgently advise you to retrieve and back up your information immediately.

    ➖ Final Termination: Once the wind-down process is completed, all accounts and data will be permanently deleted from our systems.

    We deeply regret that we are forced to take this step and understand the inconvenience this causes. We want to thank you sincerely for your partnership and trust in THE.Hosting over the past period.

    Sincerely,
    The Management of THE.Hosting

    Thanked by 3: mp11, oloke, forest