Hosting infrastructure designed to resist takedowns, censorship, and legal pressure by operating in permissive jurisdictions, ignoring DMCA and abuse complaints, or using technical countermeasures like anycast, BGP redundancy, or DDoS mitigation.
Bulletproof hosts typically operate offshore—Russia, Romania, Netherlands, Hong Kong—where local law either doesn't criminalize hosting "problematic" content or enforcement is lax. They ignore DMCA takedown notices, don't reply to abuse complaints, and rarely comply with court orders from Western jurisdictions. Some add technical resilience: redundant nameservers, anycast routing, aggressive DDoS scrubbing.
Common tenants: phishing networks, botnets, ransomware infrastructure, stolen data marketplaces, copyright-infringing torrent trackers. But also: whistleblower platforms, dissident media, privacy tools, and controversial-but-legal speech communities that face coordinated takedowns.
The model is profitable because demand is real. Legitimacy is fake. Most "bulletproof" hosts get taken offline eventually—either by international law enforcement, upstream ISP pressure, or domain registry action. The infrastructure persists via IP migration and new registrations.
Bulletproof *domains* (anonymous registration + no-DMCA registrar) are distinct but complementary. You can point a bulletproof domain to ordinary hosting, or vice versa.