The National Security Agency (NSA), CISA, FBI, and international cybersecurity partners have released groundbreaking guidance to help internet service providers and network defenders combat bulletproof hosting providers.
This new framework, published November 19, 2025, represents a coordinated effort to mitigate cybercriminal infrastructure that actively supports ransomware, data extortion, and other malicious activities targeting critical infrastructure and financial institutions.
Understanding the Threat
Bulletproof hosting (BPH) providers operate as internet infrastructure services that intentionally market their services to cybercriminals.
Unlike legitimate hosting companies, these providers deliberately ignore court orders, subpoenas, and legal takedown requests, making them attractive to bad actors.
They often resell stolen or leased infrastructure from legitimate companies, sometimes without the original provider’s knowledge.
Cybercriminals exploit this infrastructure for command-and-control operations, malware distribution, phishing campaigns, and fast-flux techniques to evade detection and law enforcement.
The agencies have observed a dramatic increase in cybercriminals using BPH infrastructure to attack critical infrastructure, financial systems, and high-value targets.
The security community recognizes this as a significant and growing threat to national cybersecurity resilience.
The guidance emphasizes a nuanced approach because BPH infrastructure is woven into the legitimate internet ecosystem.
Blocking entire network ranges could inadvertently disrupt legitimate services. Instead, the NSA recommends that both ISPs and network defenders create lists of “high confidence” malicious resources using commercial and open-source threat intelligence feeds.
Network defenders should conduct continuous traffic analysis to identify anomalous activity and maintain a baseline of normal network behavior.
This prevents false positives and ensures that legitimate services, such as content delivery networks, remain functional while malicious activity is filtered.
ISPs play a vital role. They can raise customer awareness about malicious resource lists, offer optional filters for clients with different security needs, and implement “know your customer” procedures that create barriers for BPH providers seeking infrastructure.
Additionally, ISPs should establish sector-wide standards and create accountability frameworks with other providers.
The guidance includes practical recommendations like implementing centralized event logging systems that track both IP addresses and autonomous system numbers, establishing audit trails for all filter policies, and creating streamlined processes for handling inquiries about blocked resources.
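The following Python example is added here and is not taken from the guidance. It shows a filter that enforces only high-confidence entries, lets an equally or more specific allow rule protect a baseline service, logs each decision with both IP address and ASN, and records every policy change in an audit trail. The prefix-to-ASN table, the 0.9 threshold, the precedence rule, and all names are assumptions; the addresses and ASNs are documentation values.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ASN_TABLE = {ipaddress.ip_network(p): a for p, a in
             {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497}.items()}
MIN_CONFIDENCE = 0.9  # assumed cut-off for a "high confidence" indicator

def longest_match(ip, table):
    hits = [net for net in table if ip in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None

class FilterPolicy:
    def __init__(self):
        self.block, self.allow = {}, {}    # network -> metadata
        self.audit, self.events = [], []   # policy changes / filter decisions

    def _audit(self, action, cidr, actor, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                           "rule": cidr, "actor": actor, "detail": detail})

    def add_block(self, cidr, confidence, source, actor):
        # Indicators below the threshold are audited but never enforced.
        if confidence < MIN_CONFIDENCE:
            self._audit("block_rejected", cidr, actor, f"{source} confidence={confidence}")
            return False
        self.block[ipaddress.ip_network(cidr)] = {"source": source, "confidence": confidence}
        self._audit("block_added", cidr, actor, source)
        return True

    def add_allow(self, cidr, reason, actor):
        self.allow[ipaddress.ip_network(cidr)] = {"reason": reason}
        self._audit("allow_added", cidr, actor, reason)

    def check(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        asn = ASN_TABLE.get(longest_match(ip, ASN_TABLE))
        allow, block = longest_match(ip, self.allow), longest_match(ip, self.block)
        # Assumed precedence: a block applies unless an allow rule is at least as specific.
        blocked = block is not None and not (allow is not None and allow.prefixlen >= block.prefixlen)
        rule = block if blocked else allow
        meta = (self.block if blocked else self.allow).get(rule, {})
        event = {"ip": ip_str, "asn": asn, "verdict": "block" if blocked else "allow",
                 "rule": str(rule) if rule else None, **meta}
        self.events.append(event)  # central log keeps both IP and ASN
        return event
```

Because each event carries the matched rule and its feed source, an inquiry about a blocked address can be answered from the log and traced to the audit entry that introduced the rule.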
By implementing these recommendations, defenders force cybercriminals toward legitimate infrastructure providers who respond to abuse complaints and law enforcement actions.
This fundamentally reduces the utility of bulletproof hosting and increases operational costs for attackers.
The collaborative effort includes partners from the United States, Australia, Canada, the Netherlands, New Zealand, and the United Kingdom, demonstrating international commitment to disrupting malicious cyber operations.
