NSA Issues Guidance for ISPs and Network Defenders to Combat Malicious Activity

NSA releases guidance on bulletproof hosting

The National Security Agency (NSA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and multiple international partners, has released a comprehensive cybersecurity information sheet titled “Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers.”

Published on November 19, 2025, this guidance targets internet service providers (ISPs) and network defenders, offering strategic recommendations to dismantle the infrastructure that underpins global cybercrime.

The advisory, developed by the Joint Ransomware Task Force (JRTF), addresses the growing threat posed by “bulletproof hosting” (BPH) services that knowingly support ransomware groups, phishing campaigns, and other malicious activities.

Bulletproof hosting providers differ from legitimate infrastructure services by intentionally ignoring abuse complaints and legal processes such as court orders or subpoenas.

These entities market their services to cybercriminals with the assurance of impunity, often allowing illicit content to remain online despite evidence of criminal activity.

The joint guidance highlights that BPH providers frequently resell infrastructure leased or stolen from legitimate data centers and cloud providers, effectively hiding malicious traffic within valid networks.

To evade detection, these actors employ sophisticated techniques such as “fast flux,” in which they rapidly cycle through IP addresses and domain names, or migrate frequently between Autonomous System Numbers (ASNs) to bypass static blocklists.

Mitigation Strategies for Network Defenders

The authoring agencies emphasize that mitigating BPH risks requires a nuanced approach to avoid disrupting legitimate internet traffic. Network defenders are urged to curate high-confidence lists of malicious internet resources by leveraging commercial and open-source threat intelligence feeds.

Rather than relying solely on broad blocking measures, defenders should implement granular filtering at the network border, targeting specific IP ranges or ASNs identified as hostile.

The guidance also highlights the importance of traffic analysis to establish baseline network behavior, which allows security teams to identify outlier activity that may indicate a connection to BPH infrastructure.

Centralized event logging systems should be configured to alert on traffic from known malicious sources, ensuring rapid identification of potential compromises.
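As an added illustration (not part of the advisory or of this article), the following Python sketch applies the defender-side controls described above to a constructed DNS-resolution log: a granular check against a curated IP-range and ASN blocklist, and a simple heuristic that flags domains whose resolutions churn through many IPs and ASNs inside a short window, the fast-flux pattern the guidance describes. The blocklist entries (documentation-range addresses, private-use ASNs), the log format and the thresholds are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed high-confidence blocklist: documentation-range prefixes and private-use ASNs
# stand in for entries a defender would take from commercial or open-source threat-intel feeds.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
BLOCKED_ASNS = {64512, 64513}

# Constructed DNS-resolution log: (epoch seconds, domain, resolved IP, origin ASN of that IP)
DNS_LOG = [
    (0,   "cdn-updates.example",  "192.0.2.10",     64500),
    (120, "cdn-updates.example",  "192.0.2.10",     64500),
    (0,   "login-verify.example", "203.0.113.7",    64512),
    (60,  "login-verify.example", "198.51.100.9",   64513),
    (120, "login-verify.example", "192.0.2.77",     64520),
    (180, "login-verify.example", "192.0.2.91",     64521),
    (240, "login-verify.example", "198.51.100.200", 64522),
]

def is_blocked(ip: str, asn: int) -> bool:
    """Granular border-filter check: match on a curated IP range or on a hostile ASN."""
    addr = ipaddress.ip_address(ip)
    return asn in BLOCKED_ASNS or any(addr in net for net in BLOCKED_NETS)

def fast_flux_candidates(log, window=300, min_ips=4, min_asns=3):
    """Flag domains that resolve to many distinct IPs across many ASNs within one window.
    The thresholds are illustrative and should be tuned against the site's own baseline."""
    per_domain = defaultdict(list)
    for ts, domain, ip, asn in log:
        per_domain[domain].append((ts, ip, asn))
    flagged = {}
    for domain, events in per_domain.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            ips = {e[1] for e in in_window}
            asns = {e[2] for e in in_window}
            if len(ips) >= min_ips and len(asns) >= min_asns:
                flagged[domain] = {"ips": len(ips), "asns": len(asns)}
                break  # one qualifying window is enough to raise the alert
    return flagged

def alerts(log):
    """What a centralized logging rule would raise: blocklist hits plus fast-flux candidates."""
    hits = sorted({(d, ip) for _, d, ip, asn in log if is_blocked(ip, asn)})
    return {"blocklist_hits": hits, "fast_flux": fast_flux_candidates(log)}

if __name__ == "__main__":
    print(alerts(DNS_LOG))
```

Blocklist matches give an immediate, high-confidence alert, while the fast-flux heuristic only surfaces candidates for analyst review; a legitimate CDN that resolves to a few stable addresses, like the first domain in the sample, does not trip it.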

ISPs play a critical role in the proposed defense strategy and are encouraged to adopt stricter “Know Your Customer” (KYC) protocols to prevent BPH providers from easily acquiring infrastructure.

The advisory suggests that ISPs require verifiable identification and banking details from prospective customers to validate their legitimacy. Furthermore, the guidance proposes establishing sector-wide codes of conduct, such as agreeing to block malicious IP ranges for up to 90 days to disrupt criminal operations.

ISPs are also advised to notify customers when traffic is blocked due to malicious associations and to offer opt-out filtering services that provide enhanced protection for organizations with lower risk tolerances.

By tightening these controls, the international coalition aims to force cybercriminals away from bulletproof havens and onto legitimate platforms where law enforcement can more effectively intervene.

| Recommended Action | Description | Target Audience |
|---|---|---|
| Curate Blocklists | Develop and maintain lists of "high confidence" malicious resources using threat intel feeds. | Network Defenders |
| Traffic Analysis | Establish network baselines to identify outlier activity resembling fast flux or BPH patterns. | Network Defenders |
| Implement Filters | Apply granular filters for ASNs or IPs at network borders, ensuring audit logs are maintained. | ISPs & Defenders |
| Know Your Customer | Verify customer identity (IDs, banking details) to prevent fraudulent infrastructure leasing. | ISPs |
| Code of Conduct | Establish industry norms, such as 90-day blocks for abusive IP ranges, to enforce accountability. | ISPs |
