
The successor to 8chan, 8kun, made a somewhat brief appearance on the public Internet thanks to what amounts to an attack on the Internet's routing infrastructure. The site's domain name server, hosted by a service called VanwaNet, offered up an Internet address for the site that was from an unallocated set of addresses belonging to the RIPE Network Coordinating Centre, the regional Internet registry authority for Europe and the Middle East. And the host for the new site, the Russian hosting company Media Land LLC, advertised a route to that address to the rest of the Internet, allowing visitors to reach the site for a while.

The advertisement of the address, made with the Border Gateway Protocol (BGP), is what is referred to in the routing world as a "bogon" or "martian." Usually these happen when private network addresses are mistakenly sent out, or "advertised," from a network to the rest of the Internet because of a router misconfiguration.

But sometimes, they hijack existing addresses either accidentally or maliciously. A BGP "leak" in November 2018 caused Google and Spotify service outages. In 2015, for example, Hacking Team used a BGP bogon advertisement to help Italian police regain control of infrastructure used to monitor hacked targets. And a Russian network provider made BGP advertisements that hijacked traffic to financial services sites in 2017.
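Both kinds of bogon described above, special-purpose space and unallocated registry space like the 8kun address, can be rejected by a network receiving the announcement. The following is an added example, not from the original article: the registry lines, prefixes and AS numbers are constructed samples, and the function names are illustrative. It handles IPv4 only.

```python
import ipaddress

# Special-purpose IPv4 space ("martians") that should never be accepted from a peer.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample in the RIR "delegated-extended" statistics layout:
# registry|cc|type|start|address-count|date|status
SAMPLE_STATS = [
    "ripencc|ZZ|ipv4|185.255.4.0|768||available",           # constructed, not real registry data
    "ripencc|NL|ipv4|185.255.8.0|1024|20190101|allocated",  # constructed
]

def unallocated_blocks(lines):
    """Return CIDR blocks for IPv4 records the registry has not handed out."""
    blocks = []
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 7 or f[2] != "ipv4" or f[6] not in ("available", "reserved"):
            continue  # header, summary, comment, or space that is in use
        first = ipaddress.IPv4Address(f[3])
        last = first + int(f[4]) - 1  # the value field is an address count, not a mask
        blocks.extend(ipaddress.summarize_address_range(first, last))
    return blocks

def classify(prefix, unallocated):
    """Label an announced prefix 'martian', 'unallocated' or 'ok'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.overlaps(m) for m in MARTIANS):
        return "martian"
    if any(net.overlaps(u) for u in unallocated):
        return "unallocated"
    return "ok"

UNALLOCATED = unallocated_blocks(SAMPLE_STATS)

if __name__ == "__main__":
    # Constructed announcements using documentation AS numbers (RFC 5398).
    for prefix, origin in [("10.1.0.0/16", 64496),
                           ("185.255.6.0/24", 64497),
                           ("185.255.8.0/22", 64498)]:
        print(prefix, f"AS{origin}", classify(prefix, UNALLOCATED))
```

In practice the unallocated list has to be refreshed from the registries' published statistics files, because space moves from available to allocated over time.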

While 8kun.net was registered in September through Tucows, the actual process was handled by a company called N.T. Technology Inc., a hosting company and registration services provider that appears to have gone dark in August, around the same time 8chan went offline. The domain for N.T. Technology was registered by Jim Watkins—the "owner" of 8chan. And several hosts associated with 8chan, on the 8ch.net domain, were hosted by N.T. Technology.

None of N.T. Technology's servers appears to be reachable. The Twitter account associated with the company (which gives the location as Carson City, Nevada) has been inactive since 2014. The address given for the company on its now-dead website was a Digital Real Estate data center in San Francisco, and its corporate office address was that of a corporation registration and virtual home office company in Reno, Nevada. The phone number associated with the Reno address in domain registration data was disconnected; a second number (a Comcast VoIP number) went unanswered. But the company's network is still active, based on data from Hurricane Electric's BGP tools.

Trying to go “Bulletproof”

After 8chan lost its hosting in August in the wake of the El Paso mass shooting, much of 8chan's content—especially the "pol" channel—had shifted to the social media platform Telegram (known for its anti-censorship policies, which have made it a haven for all flavors of extremism). Telegrampol, for instance, was set up in July. But the fragmented nature of the Telegram channels (and the Telegram architecture) likely kept away many 8chan users; Telegrampol has a total of 633 subscribers.

8kun was an effort to restore a central location for all of 8chan's communities, but it faced the same challenges in hosting that brought down 8chan in the first place—its radioactivity to hosting providers and domain registrars. This is what apparently drove Watkins and company to a rather unusual hosting option: a Russian company known mostly for hosting crimeware.

Media Land is operated by Alexander Volosovyk, known as "Yahlishanda" on criminal underground Internet marketplaces. According to a report by Brian Krebs, Volosovyk is the world's biggest "bulletproof" hosting operator. He has, according to Krebs, avoided takedowns and prosecution by operating carefully within the lines of the law in Russia and other former Soviet states.

Servers hosted by Media Land infrastructure have been tied to the Dridex and Zeus banking trojans in the past, as well as to the command and control networks for other sophisticated malware. Media Land-hosted virtual private servers using legitimately-assigned IP addresses have been repeatedly reported for malicious traffic, including hundreds of brute-force Remote Desktop Protocol login attacks.

Media Land used the fake BGP advertisements for more than just 8kun. According to historical DNS records from SecurityTrails, Media Land had been maintaining a