Bulletproof hosting: which ASNs are red flags
"Bulletproof" hosting means a provider that ignores abuse complaints. In practice: an ASN that hosts large amounts of malware C2, spam relays, phishing, or carding infrastructure and doesn't respond to takedown requests. They thrive in jurisdictions where local law doesn't match Western abuse norms.
If your domain resolves to an IP inside one of these ASNs, you have a problem. Either (a) you're being hosted by one inadvertently, which happens with low-cost VPS resellers, or (b) someone is hosting an evil twin of your site there. Either way, our `hosting_risk` checker fires HIGH severity.
Our curated list (9 ASNs)
We maintain a curated list, last updated 2026-04. Sources cited below the table.
| ASN | Name | Country | Notes |
|---|---|---|---|
| AS207812 | Chang Way Technologies | SC (Seychelles) | Malware C2 infrastructure since ~2019. Listed by Spamhaus DROP, AbuseIPDB. |
| AS202425 | IP Volume Inc | SC | Operates "Quasi Networks" rebrand. Long history of phish + DDoS-as-a-service hosting. |
| AS50867 | Hi-Tech Systems | BG | Spam ops + carding marketplaces. |
| AS197540 | netcup GmbH | DE | Mainstream German VPS. Listed for repeated spam from low-tier customers — gray zone, not strictly bulletproof but high false-positive risk. |
| AS206092 | Inferno Solutions Ltd | CY | Mass phishing infrastructure 2023-2025. |
| AS206264 | Pq Hosting Plus | MD | Bulletproof reseller fronted as VPS. Sign-up uses crypto. |
| AS200511 | Layer Host LLC | RO | Emelate.com / Stresshost — DDoS-for-hire client base. |
| AS202984 | 1337team Ltd | RU | Multiple takedown notices ignored 2024-2025. |
| AS210558 | 1337 Services GmbH | BG | Same operator as AS202984, second AS. |
Sources: spamhaus.org/drop, abuseipdb.com high-confidence list,
dataplane.org SSH/Telnet honeypot data, bgp.he.net abuse history,
krebsonsecurity.com investigative reports, internal data from our scans.
Sanctioned countries (separate concern)
Independently of bulletproof status, hosting in sanctioned jurisdictions carries legal risk under OFAC (US), EU sanctions, UK OFSI, etc. We flag MEDIUM severity for hosting in ISO codes:
- KP — North Korea
- IR — Iran
- SY — Syria
- CU — Cuba
- RU — Russia (post-2022)
- BY — Belarus (post-2022)
The list mirrors the OFAC SDN program for state-level sanctions. Companies with EU/US obligations cannot legally route customer traffic through these jurisdictions without triggering compliance review. Our checker reports the country; the user decides.
The maintenance challenge
Bulletproof providers rebrand, change ASNs, and get taken down. The list above is a snapshot: accurate as of 2026-04, but it will shift quarterly. We refresh it on the same cadence as the hardcoded cipher list and the SaaS-takeover signatures: every 3-6 months, and ad hoc when a major new incident drops.
If you spot an ASN we missed (or one we list incorrectly), email us with the source. This list is curated public knowledge — we don't do attribution research ourselves; we aggregate.
What to do if you're flagged
- Verify your hosting. Run `whois <your-ip>` and confirm the ASN. Sometimes it's a mistake (cheap VPS reseller using bulletproof upstream).
- Migrate to a reputable provider. AWS, Azure, GCP, OVH, Hetzner, DigitalOcean: none are on the list. Cost is comparable for most workloads.
- If migration takes time, request delisting from major reputation feeds (Spamhaus has a public form). Document the migration plan; auditors care.
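The verification step above can be scripted. The following is an added example, not the checker's own code: it pulls the origin ASN and country out of raw `whois` output (RIPE-style `origin:` and ARIN-style `OriginAS:` lines) and applies this page's two rules. The function names, the `UNKNOWN` label, and the sample whois text are assumptions made for illustration.

```python
import re

# ASNs from the curated table on this page (2026-04 snapshot).
BULLETPROOF_ASNS = {
    207812: "Chang Way Technologies", 202425: "IP Volume Inc",
    50867: "Hi-Tech Systems", 197540: "netcup GmbH",
    206092: "Inferno Solutions Ltd", 206264: "Pq Hosting Plus",
    200511: "Layer Host LLC", 202984: "1337team Ltd",
    210558: "1337 Services GmbH",
}
# ISO codes from the page's sanctioned-jurisdiction list.
SANCTIONED = {"KP", "IR", "SY", "CU", "RU", "BY"}

# RIPE-style registries print "origin: AS123"; ARIN prints "OriginAS: AS123".
ORIGIN_LINE = re.compile(r"^[ \t]*origin(?:as)?[ \t]*:(.*)$", re.I | re.M)
COUNTRY_LINE = re.compile(r"^[ \t]*country[ \t]*:[ \t]*([A-Za-z]{2})\b", re.I | re.M)

# Constructed whois reply (documentation prefix 203.0.113.0/24), not real output.
SAMPLE_WHOIS = """\
% constructed sample in RIPE layout
inetnum:        203.0.113.0 - 203.0.113.255
country:        SC
route:          203.0.113.0/24
origin:         AS207812
"""

def parse_whois(text):
    """Return (origin ASNs, country codes) found in raw whois text."""
    asns = set()
    for rest in ORIGIN_LINE.findall(text):
        asns.update(int(n) for n in re.findall(r"AS(\d+)", rest, re.I))
    countries = {cc.upper() for cc in COUNTRY_LINE.findall(text)}
    return asns, countries

def hosting_findings(text):
    """Apply the page's two rules; returns a list of (severity, reason)."""
    asns, countries = parse_whois(text)
    findings = [("HIGH", f"AS{a} ({BULLETPROOF_ASNS[a]}) is on the curated list")
                for a in sorted(asns.intersection(BULLETPROOF_ASNS))]
    findings += [("MEDIUM", f"hosted in sanctioned jurisdiction {cc}")
                 for cc in sorted(countries & SANCTIONED)]
    if not asns:
        # Assumed label: a reply without an origin line is inconclusive, not clean.
        findings.append(("UNKNOWN", "no origin ASN in whois output"))
    return findings

if __name__ == "__main__":
    for severity, reason in hosting_findings(SAMPLE_WHOIS):
        print(severity, reason)
```

Feed it the text of `whois <your-ip>`; an empty list means neither rule matched, while `UNKNOWN` means the registry reply carried no origin line and the ASN still needs to be confirmed another way.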
Check your hosting reputation
Free Basic scan reports the apex IP's ASN + country + reputation feed status.