Lolek Hosted is a bulletproof hosting service provider used to facilitate the distribution of information-stealing malware, and also to launch DDoS (distributed denial of service) attacks, manage fictitious online shops, manage botnet servers and distribute spam messages worldwide.
A joint operation conducted by European and U.S. law enforcement agencies dismantled Lolek Hosted and led to the arrest of five administrators by Polish authorities.
The suspects advertised the service using slogans such as “You can host anything here!” and “no-log policy,” and accepted payments in cryptocurrencies.
“This week, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości) under the supervision of the Regional Prosecutor’s Office in Katowice (Prokuratura Regionalna w Katowicach) took action against LolekHosted.net, a bulletproof hosting service used by criminals to launch cyber-attacks across the world.” reads the announcement published by Europol. “Five of its administrators were arrested, and all of its servers seized, rendering LolekHosted.net no longer available. This latest success in the fight against cybercrime follows a complex investigation supported by Europol and the US Federal Bureau of Investigation (FBI).”
The Lolek Hosted service was used to target hundreds of thousands of private entities and public institutions. According to the Polish police, the losses they incurred amount to millions of dollars.
“The Katowice-Wschód District Court in Katowice, at the request of the Regional Prosecutor’s Office in Katowice, imposed a preventive measure in the form of pre-trial detention for three months in relation to two detainees. Preventive measures in the form of police supervision, financial surety and a ban on leaving the country were applied to the remaining 3 detainees.” reads the press release published by the Polish Police.
According to the press release published by the DoJ, the founder of the service, Artur Karol Grabowski (36), provided “bulletproof” webhosting, allegedly facilitating the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement.
The domain “LolekHosted.net” was registered in 2014, and Grabowski allowed clients to host “everything except child porn.”
According to the DoJ, the service was also used by NetWalker ransomware operators. The NetWalker ransomware was deployed in attacks aimed at approximately 400 organizations and enterprises, including municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities, which resulted in the payment of more than 5,000 bitcoin in ransoms (currently valued at approximately $146 million).
It has been estimated that LolekHosted clients used the services to execute approximately 50 NetWalker ransomware attacks.
(SecurityAffairs – hacking, Europol)