CyberBunker is an Internet service provider that, according to its website, hosts "services to any Web site 'except child pornography and anything related to terrorism'". It served as a host for both The Pirate Bay and as one of the many Wikileaks mirrors. CyberBunker has also been accused of being a host for spammers, botnet command-and-control servers, malware and online scams. The company has also been involved in Border Gateway Protocol hijacks of IP addresses used by Spamhaus and the United States Department of Defense. The Spamhaus hijack was part of an exceptionally large distributed denial of service attack launched against them in March of 2013. Because of the size of this attack it received considerable mainstream media attention.
The company is named for the place it was once housed in, a former Cold War bunker. The bunker was built in 1955 just outside the small town of Kloetinge in the south of the Netherlands. It was intended as a war time Provincial Military Command Center (Dutch: Provinciaal Militair Commando) of the Dutch military that could withstand a nuclear attack. It was discarded by the Dutch military in 1994. As of 2013 the physical location of CyberBunker is unknown.
CyberBunker has a long history of run-ins with the law. In 2002 a fire broke out in the bunker they operated from. After the fire was put out it was discovered that besides internet hosting services an MDMA laboratory was in operation. Three of the four men charged with the operation of the lab were convicted to three year prison sentences; the fourth was acquitted due to a lack of evidence.
The Pirate Bay
In October 2009 BitTorrent tracker The Pirate Bay, which had been subjected to legal action by various anti-piracy groups including Dutch copyright organisation BREIN, moved away from Sweden to CyberBunker. In 2010 the Hamburg district court ruled that CyberBunker, operating in Germany as CB3Rob Ltd & Co KG, was no longer allowed to host The Pirate Bay, being subject to a 250.000 euro fine or up to 2 years imprisonment for each infringement.
In October, 2011, Spamhaus identified CyberBunker as providing hosting for spammers and contacted their upstream provider, A2B, asking that service be cancelled. A2B initially refused, blocking only a single IP address linked to spamming. Spamhaus responded by blacklisting all of A2B address space. A2B capitulated, dropping CyberBunker, but then filed complaints with the Dutch police against Spamhaus for extortion.
In March, 2013, Spamhaus added CyberBunker to its blacklist. Shortly afterwards a distributed denial of service (DDoS) attack of previously unreported scale (peaking at 300 gigabits per second; an average large-scale attack is often around 50 Gbit/s, while the largest known previously publicly reported attack was 100 Gbit/s) was launched against Spamhaus email and web servers using a Domain Name System (DNS) amplification attack; as of 27 March 2013[update] the attack had lasted for over a week. Steve Linford, chief executive for Spamhaus, said that they had withstood the attack. Other companies, such as Google, had made their resources available to help absorb the traffic. The attack was being investigated by five different national cyber-police-forces around the world. Spamhaus alleged that Cyberbunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, was behind the attack; Cyberbunker did not respond to the BBC's request for comment on the allegation.
CloudFlare, an Internet security firm located in Frankfurt/Main in Germany and assisting Spamhaus in combating the DOS attack was also targeted. On the 28th of March, CyberBunker's website went offline for a short period of time, possibly becoming victim of a DDoS attack themselves.
On the 29th of March, the unrelated secure data storage company BunkerInfra issued a press release stating they have been the owners of the former military bunker since 2010 and that any claims made by CyberBunker regarding their continued usage of the complex are false and that they have not been operating from the bunker since the fire in 2002. Businessweek reported them as stating that the bunker was "full of junk" when they acquired it, and quoted Guido Blaauw, their general manager, as stating that the CyberBunker publicity material was "all Photoshop".
On April 25, 2013 Sven Olaf Kamphuis, a vocal spokesman for CyberBunker, was arrested at the request of Dutch authorities near Barcelona by Spanish Police after collaboration through Eurojust. An anonymous press release uploaded on Pastebin the following day demanding the release of Sven threatened with more large scale attacks should he remain in custody. The Spanish authorities reported that Sven operated from a well-equipped bunker and used a van as a mobile computing office. No further information on this bunker was provided. In September of 2013 it was revealed that a second arrest had been made in April in relation to the Spamhaus attack, the suspect being a 16 year old teenager from London.
- Press release: MPAA.org - CyberBunker prohibited from providing internet access to The Pirate Bay, article retrieved 30 March 2013.
- Russia Today - ‘Spamhaus mafia tactics – main threat to Internet freedom’: CyberBunker explains 'largest' cyber-attack, article retrieved 30 March 2013.
- Spamhaus.org - listings for IPs under the responsibility of cb3rob.net, records retrieved 28 April, 2013.
- BGPMon.net Looking at the spamhaus DDOS from a BGP perspective, article retrieved 29 April, 2013.
- CyberBunker datacentrum in Goes · DatacentrumGids.nl
- PMC-bunkerbezetting in Kloetinge: het verslag (Dutch), article retrieved March 28, 2013.
- Forten.info - Provinciaal Militair Commando (Dutch), article retrieved March 28, 2013.
- Eric Pfanner; Kevin J. O'Brien (March 29, 2013). "Provocateur Comes Into View After Cyberattack". The New York Times. Retrieved March 30, 2013.
- Security.nl - Uitgebrande 'Cyberbunker' herbergde XTC-lab (Dutch), article retrieved 29 March 2013.
- OmroepZeeland.nl - Cel wegens runnen XTC-laboratorium (Dutch), article retrieved 29 March 2013.
- The Pirate Bay Back Online With New Web Host In The Netherlands, 7 October 2009
- Dutch ISP Hits Spamhaus With Police Complaints | TechWeekEurope UK
- TPB Causes Argument Between Dutch ISP and Anti-Spam Organization - Softpedia
- Rob Williams for Hot Hardware (2013), DDoS Attack Against Spamhaus Exposes Huge Security Threat On DNS Servers, article retrieved 28 September, 2013.
- How Spamhaus’ attackers turned DNS into a weapon of mass destruction, 28 March 2013
- BBC: Global internet slows after 'biggest attack in history', 27 March 2013
- Informationweek Security - DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted, article retrieved 30 March 2013.
- BunkerInfra.com - Cyberbunker not located in a bunker in Goes, the Netherlands, article retrieved March 29, 2013.
- Michael Riley, Carol Matlack, and Robert Levine (April 4, 2013). "CyberBunker: Hacking as Performance Art". Businessweek. Retrieved 2013-04-27.
- Nicole Perlroth (April 26, 2013). "Dutch Man Said to Be Held in Powerful Internet Attack". The New York Times. Retrieved April 26, 2013.
- Pastebin.com - Official press release #freecb3rob, retrieved 26 April, 2013.
- Brenno de Winter - Nu.nl - Groep dreigt met 'grootste aanval ooit' om arrestatie hacker (Dutch), article retrieved April 26, 2013.
- Washington Post / Associated Press - Dutch suspect arrested in Spain over major cyberattack used well-equipped ‘bunker’ and van - article retrieved 28 April, 2013.
- James Legge for The Independent (2013), London teenager arrested over huge cyberattack, article retrieved 28 September, 2013.