Bulletproof hosting providers, the small subset of hosts that ignore abuse complaints and law-enforcement requests as a business model, remain a foundation of the cybercrime stack in 2026. They host phishing pages, command-and-control servers, malware distribution points, and the leak sites that ransomware operators publish from. Understanding where they live and how they survive is useful both for defenders writing block lists and for the policy debate about how to constrain them.
The geography
Three rough clusters stand out in 2026. Russia and former Soviet states remain the dominant region for the long-running BPH operators, helped by the structural unwillingness of local authorities to act on Western law-enforcement requests. Southeast Asia hosts a growing share of fraud-adjacent infrastructure, particularly the romance-scam compound network. Smaller jurisdictions (certain Central American, Caribbean, and African hosts) fill specific niches, often laundering reputational risk by sub-leasing capacity from larger upstreams.
Notably absent: the European Union, where intermediary-liability frameworks and Schengen law enforcement make BPH economically untenable. The takedowns happen too fast.
The economics that keep it alive
BPH commands a price premium. Where a normal VPS costs €5/month, a no-questions-asked equivalent costs €40-€80/month for the same specs. Customers absorb the markup because the alternative is having their infrastructure pulled offline within 48 hours of the first abuse complaint.
The BPH operator’s costs are real: legal fees in jurisdictions where they’re vulnerable, occasional infrastructure migrations, and the constant need to acquire new IP space as old ranges get reputationally burned. The margin is healthy but not extraordinary. The defining trait isn’t profitability; it’s the willingness to absorb the legal and reputational risk that mainstream hosts won’t.
The takedown calculus
Direct takedowns of BPH have gotten harder, not easier. The 2018 era of single-court-order seizures of an operator’s hardware is largely over: the operators learned to distribute infrastructure across multiple jurisdictions. Modern takedowns are coordinated multi-country operations that take months to set up and require active local cooperation.
The more effective lever is upstream pressure: the BPH operator’s own connectivity provider is usually a mainstream Tier-1 or Tier-2 carrier. Pressure on the upstream, through reputational, regulatory, or peering-relationship means, does more to constrain BPH than going after the BPH operator directly. The Spamhaus DROP list and similar reputation feeds remain disproportionately effective for this reason.
What it means for defenders
Block lists work. The BPH AS numbers and IP ranges are well-documented. Most enterprise environments can safely block the entire IP space of two or three known BPH providers without affecting any legitimate traffic, and that block alone removes a meaningful slice of phishing-page reachability and C2 callback capability.
Reputation feeds (Spamhaus DROP, Team Cymru Bogons, the various commercial feeds) are the practical implementation. Update them weekly, audit them monthly. The cost is minimal. The benefit, while not visible in normal logs, shows up as fewer alerts on the bad days.
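As an added example (not part of the original article), the sketch below parses a DROP-style text feed, matches destination IPs from a connection log against it, and diffs two feed snapshots for the periodic audit. It assumes a `CIDR ; reference` line layout with `;` comment lines; the feeds, log lines, hostnames, and SBL ids are constructed and use documentation address space.

```python
import ipaddress

# Constructed feeds in the assumed plain-text layout: "CIDR ; reference".
# Ranges are RFC 5737 documentation space; SBL ids are placeholders.
FEED_LAST_WEEK = """\
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""
FEED_THIS_WEEK = """\
; constructed sample feed
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
not-a-cidr ; SBL000004
"""
# Constructed outbound log: timestamp, source host, destination IP, port
LOG_LINES = [
    "2026-01-12T09:14:02Z ws-114 203.0.113.77 443",
    "2026-01-12T09:14:05Z ws-020 198.51.100.9 443",
    "2026-01-12T09:15:40Z srv-db1 192.0.2.200 8080",
    "2026-01-12T09:16:11Z ws-031 10.20.30.40 445",
]

def parse_feed(text):
    """Return {network: reference}, skipping comments and malformed entries."""
    nets = {}
    for line in text.splitlines():
        entry, _, ref = (part.strip() for part in line.partition(";"))
        if not entry:
            continue  # blank line or comment-only line
        try:
            nets[ipaddress.ip_network(entry, strict=False)] = ref
        except ValueError:
            continue  # one bad line must not abort the whole update
    return nets

def match_log(lines, nets):
    """Return (source host, destination IP, reference) for listed destinations."""
    hits = []
    for line in lines:
        _, host, dst, _ = line.split()
        addr = ipaddress.ip_address(dst)
        ref = next((r for n, r in nets.items() if addr in n), None)
        if ref is not None:
            hits.append((host, dst, ref))
    return hits

def feed_diff(old, new):
    """Ranges added and removed between two snapshots, for the audit step."""
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())
```

The removed list from `feed_diff` is the part worth reviewing by hand: a range that drops off the feed should also come off the local block list, or stale entries accumulate.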
The policy gap
The structural reason BPH still exists in 2026 is sovereignty. The hosts operate from jurisdictions that don’t recognise Western abuse frameworks, and the upstream carriers in those jurisdictions face no domestic pressure to disconnect them. Until that changes, through trade pressure, sanctions on specific carriers, or genuine local enforcement evolution, the model persists.
For now, defenders rely on the same playbook that has worked for fifteen years: identify the bad ranges, block them, update the list. It’s not a permanent solution. It’s the one that works.
