Dutch police seize 127 servers belonging to Zservers hosting provider

📟 News

Date: 17/02/2025

Following the introduction of international sanctions against Zservers, Russian ‘bulletproof’ hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.

Last week, the United States, Australia, and the United Kingdom imposed sanctions against Zservers and a related British company, XHOST Internet Solutions LP. According to the U.S. Department of the Treasury, Zservers provided infrastructure for ransomware attacks organized by the LockBit cybercriminal group and assisted hackers in illicit money laundering.

According to the Dutch National Police, the hosting services provider was also involved with unnamed botnets and malware distribution. Politie claims that Zservers knowingly facilitated this malicious activity, and its ads implied that Zservers infrastructure could be used for criminal activity.

The servers were seized from a data center located at Paul van Vlissingenstraat street in Amsterdam. Politie emphasizes that cybercriminals could purchase company’s services anonymously by paying for them with cryptocurrency. Currently, all sites hosted on the seized servers are unavailable.

Seized equipment
Seized equipment

According to the law enforcement authorities, one of the seized servers contains hacking tools belonging to two well-known ransomware groups: LockBit and Conti.

All the 127 servers will examined by cyber forensics experts in Amsterdam. New evidence is expected to be retrieved, as well as information pertaining to other hackers’ operations.

Related posts:
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…

Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices

The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…

Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.04.16 — Android devices will restart every three days to protect user data

Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →