Today we bring you a live update from the frontlines of the darknet, where a bulletproof NATO bunker full of cyberfiends has been raided by the German police. The cyberfiends were operating out of a notorious bulletproof 'cyberbunker' data center in Traben-Trarbach, Germany, hosting a number of darknet services including the 'Wall Street Market' and 'Cannabis Road', heirs to the Dread Pirate Roberts.

Three years after a series of large-scale attacks on German telecoms infrastructure (which were at least partly operated from servers linked to the 'CyberBunker'), 650 police officers, including GSG9, the elite tactical unit of the German Federal Police, and a helicopter raided the 13,000 square meter property in a small German town, seizing 200 servers, documents, disks, phones and an undisclosed amount of cash.

After overcoming several physical and technical hurdles, "breaking the military-grade security" according to the police in a press conference, the officers entered the data center, bringing a dramatic climax to a five-year-long investigation.

A criminal case is now being prosecuted against thirteen defendants for membership in a criminal organization, for a large number of drug-related offenses, for distribution of child pornography and associated charges. According to the prosecution the property was unoccupied during the raid; six of the suspects were arrested in a local restaurant by undercover officers, while a seventh suspect was caught in Schwalbach, Germany, 130 kilometers away from Traben-Trarbach. A number of other properties in Germany, the Netherlands, Luxembourg and Poland have been raided.

Arrest warrants, citing risk of flight and risk of evidence tampering, had been issued for all thirteen persons by a local court in Koblenz, Germany. Besides the seven arrested (6 men and 1 woman), another four Dutch nationals, a Bulgarian and two Germans are under investigation in this case. From what we can tell, the following services have been shut down:

  • Cannabis Road - 87 sellers with multiple thousand purchases of cannabis products.
  • Wall Street Market - second largest marketplace of its kind, with over 250 thousand cases of narcotics dealing involving 41 million euros.
  • Fraudsters 1.0 - multiple thousands of cases of narcotics dealing.
  • Flugsvamp 2.0 - biggest Swedish marketplace, about 600 sellers serving 10,000 customers.
  • orangechemicals, acechemstore and lifestylepharma - distribution of synthetic drugs throughout Europe.

An overview of the property from above.

CyberBunker

CyberBunker is a nation-state and former trade name for Dutch 'bulletproof hosting' related to CyberBunker B.V., ZYZtm Research B.V. and Calibour GmbH, with their most popular location being a bunker in the south of the Netherlands. They gained increased media attention for being a former host of The Pirate Bay and for being blacklisted by Spamhaus, which resulted in one of the biggest DDoS attacks seen to date. Their proclaimed service as the 'most reliable datacenter in the world' provides hosting for everything 'except child pornography and anything related to terrorism', which were also the exact words of a spokesman in a press conference about the raid on the provider.

At the time of writing, all sites except the homepage return a blank page with a 403 status code from multiple test locations, possibly a direct impact of the seizures. The online presence of Sven Olaf 'cb3rob' Kamphuis, (former) spokesman at CyberBunker, was seized during the event. CB3ROB worked as a network operator for the entire Republic CyberBunker.

UPDATE 28.09.2019: Property history, owner and investor

The facility, formerly used by the German Armed Forces ('Bundeswehr'), was acquired by a Dutch investor in 2013. According to plans which he presented to the city council, the road granting access to the property ('Über den Weinbergen') was to be surrounded by an earth barrier two meters high and six meters wide. That would prevent outsiders from seeing what is happening behind the hill and the security fence. At that point (Q3 2013), the investor had not disclosed details on the future services that would be provided to customers.

Calibour GmbH, a RIPE member and owner of 185.103.72.0/22 via AS29090, is located at 'Über den Weinbergen 1'. CEO Herman Xennt (born 10.11.1959) is known for operating CyberBunker. As reported by police, the prime suspect is a 59-year-old man. It is therefore likely that Xennt will be the focus of the investigation.

Most IPs within the above range, and most domains pointing to it, are presenting a seizure warning.

UPDATE 29.09.2019: Statements by CB3ROB

It appears that CB3ROB recently configured his domain cb3rob.org to redirect to his Facebook profile, on which he is currently clearing up common confusions regarding CB3ROB, CyberBunker and ZYZtm. Furthermore, Kamphuis provides interesting insights into CyberBunker's philosophy and the German police's work in several statements.

'Either way, to my knowledge, servers have always been provided by ALL front operation companies protected by the Republic of CyberBunker, on a "we deliver the box, we give it internet access, you get the root password of the base install, and whatever goes on on it AFTER you get the password is purely YOUR problem as a customer" basis. We don't go around 'helping customers' to 'operate dark markets' or 'sell their drugs' or 'run kiddie porn sites' [...]'

Contrary to the public image in the media of a criminal hotspot for illegal websites, this statement paints an idealistic picture of the company. In addition, Kamphuis claims that they 'have seen various other bullshit threats over the years... but -never- an actual court verdict', with which they would have complied just as they did in the case of The Pirate Bay.

Public statement by CB3ROB blaming the German authorities for an unnecessary escalation.

The accusations raise the question whether an extensive investigation over several years with a massive raid of this dimension was the right way to take the illegal websites off the net.

UPDATE 06.10.2019: 185.35.136.0/22 'seized back'

Subnet 185.35.136.0/22, belonging to ZYZtm Research Division 10 B.V. and previously showing the same seizure warning as 185.103.72.0/22, has been 'seized back' by the government of CyberBunker.

Screenshot of http://zyztm.com/

UPDATE 06.10.2019 (2): DDoS on ZYZtm subnet and reaction

Apparently, as stated by CB3ROB, an unknown party is 'ddossing the recently seized back zyztm prefixes' with a volume of 40 GBit/s sent in bursts.

Kamphuis refers to Germany and calls this a further act of war. He also states that a real war could come out of this. In a deleted comment on one of his posts, chemical warfare was mentioned. It might be worth noting that CB3ROB 'provides electronic control systems for weapon systems and building automation'.

I shall update this story as it develops. I live in Germany and we are all talking about this raid; the AP also published a report, which I used as a source. At this early stage of the case, from a public perspective, most information is taken from the initial press conference and CB3ROB's Facebook.

About the author

This article was written by Paul Dannewitz from Germany. He also covers research, vulnerability and bug bounty writeups on his personal website. Feel free to give him a follow on Twitter.

The awesome image used in this article is called 'Princess Bride' and was created by Gustavo Viselner.

Edit note 02.10.2019: CyberBunker did not operate as CB3ROB Ltd. & Co. KG in Germany. Kamphuis was a network operator for the entire Republic CyberBunker.