German police seized a darknet server farm in a shelter

[German]German police has swatted an old NATO shelter bought by cyber criminals to operate a server farm for darknet services. The servers are taken down and has been seized.

A NATO shelter as a home of a darknet server farm

It has been a bit of a James Bond movie. An 59 year old dutch person bought a NATO shelter from German government – after the cold war ended, some of these objects has been sold to companies for enterprise activities. The NATO shelter has been highly secured during its operational military use and has electricity, air condition and also Internet.

(Eagle eye view of the aerea of the NATO shelter used as a 'cyberbunker', Source: LKA-RP, German police)

Then a group of cyber criminals begun to mount racks for a server farm and begun to install internet servers to host darknet services (as a bulletproof hoster). The site was continued to be secured with barbed wire and camera surveillance, so no third party subject has been gaining entry to the shelter. The server farm has been operated for several years.

5 year long investigation

The cyber strike was preceded by almost five years of investigations by the Cybercrime Central Office (LZC) of the Public Prosecutor's Office in Koblenz and the State Criminal Investigation Office (Landeskriminalamt, LKA) of German state Rheinland-Pfalz. It was an extensive and extremely time-consuming and labour-intensive investigation procedure against the operators of a server farm running as a "Bulletproof-Hoster". The special service of such a Hoster consists of offering the customers protection from national access and to thwart so investigations. For the first time, German investigating authorities have succeeded in digging out such a hoster.

The investigations led to the fact that this server farm, located within the previous NATO shelter in German state Rheinland-Pfalz, near the Mosel town Trarben-Trarbaach, could be taken from the net. The servers of this data center, for example, were used to attack the Telekom routers three years ago. The world's second-largest Darknet marketplace, Wall Street Market, which was only took down in April 2019, was also operated on servers from this data center. To the best of the current knowledge, the following marketplaces/forums were customers of the defendants:

• "Cannabis Road": 87 sellers of illegal drugs of all kinds were registered on this site. In total, several thousand individual sales of cannabis products are said to have been processed via the platform.
• "Wall Street Market": According to investigations by the Frankfurt Attorney General's Office, the "Wall Street Market" is the second largest marketplace of its kind worldwide. In its structure, the platform resembled a legal e-commerce platform on the Internet, e.g. ebay. This platform is said to have handled 250,000 drug deals with a sales volume of over 41 million euros.
• The underground forum "Fraudsters": LZC itself is investigating the operators of this forum. It is suspected that several thousand drug deals have been conducted via this platform.
• Platform "Flugsvamp 2.0": This marketplace is supposed to be the largest Swedish Darknet marketplace for the illegal sale of narcotics. The proceedings against the operators are being conducted by the Swedish investigating authorities. It is said that 600 sellers and about 10,000 buyers were active on the marketplace.
• "Orangechemicals", "acechemstore" and "lifestylepharma" platforms: synthetic drugs in varying quantities and properties were distributed throughout Europe via this Internet trading platform. In this respect, the investigations are being conducted by the public prosecutor's office in Cologne. This is to involve sales transactions in the five-figure range.
• Attack on telecom routers: The large-scale attack on around one million telecom routers at the end of November 2016 was also controlled via a server in the so called cyber bunker (darknet cyber shelter).

There have been obviously plans, to extend the server farm, because the swat team found many assembled but empty racks, ready to install new server units.

Swatting the cyber-shelter

In a coordinated action, teams of German police and German special forces GSG-9 SWAT team, penetrate into the highly secured Ex NATO shelter (called Cyber Bunker in German).

(Darknet server room, Source LKA-RP)

When the shelter was stormed by the SWAT team, investigators came across numerous servers in one room (200 were seized, 2000 servers are assumed to be total), where numerous websites from the darknet were hosted.

(Takedown notice of web sites)

These websites were used by international criminals to distribute prohibited goods such as drugs and forged documents, stolen data, child pornography and large-scale cyber attacks. Web pages that were hosted on the servers in question will now probably display the above message when visited.

(News report from the operation, Source: YouTube/German police)

In a coordinated action on Thursday evening, the Police of German states Rheinland-Pfalz and Hessen, and the Federal Police also carried out search warrants in Germany and neighbouring European countries. A total of several hundred task forces were involved. Some 200 servers, written documents, numerous data carriers, mobile phones and a large amount of cash were seized.

At the request of the LZC, the District Court of Koblenz, seven suspects were arrested. Six of these are men and the woman – four Dutch, one Bulgarian and two German. Furthermore, the investigating judge issued 18 search warrants.

It seems that I was grown up close by a 'dark net' hot spot – but at that time, the NATO shelter has been in military operation – and I've never been there on this site – even not during my army service in the 70ties, were I spent on an airbase a few miles away.