The Fake Review Network Behind NordBastion | Seth Brand Tech Care Blog
Back to Blog
Security July 8, 2026 10 min read Seth Brand

The Fake Review Network Behind NordBastion

Two review sites, same-day registration, identical criticisms. The credibility stack behind a crypto scam.

SkipKYC's review of NordBastion giving it an 8.6/10 LEGIT rating, despite the domain being 55 days old

Source: SkipKYC.com

This is part 2 of a 4-part investigation series:

TL;DR

  • Two review sites gave NordBastion 8.6/10. Both were registered the same day, one hour apart.
  • SkipKYC's own methodology requires 2 years of operation for a LEGIT rating. NordBastion is 55 days old.
  • LowEndTalk users have already confirmed the scam: XMR deposits confirmed on-chain, never credited, support locked.
  • Two of the seven hosting sites have already been suspended. The rest are still active.

When I finished the NordBastion investigation, I had one question left: who vouched for them? A site that did not exist before May 2026 should not have reviews, third-party ratings, or anyone willing to put their name behind it.

And technically, it does not. What it has is two review sites that appeared the same afternoon to tell you it is trustworthy. Both of those sites appear to be part of the same operation.

The network at a glance

Evaluating a no-KYC host right now? Send me the URL. I will run the same 12-point check from this investigation and tell you whether it is safe to deposit. Flat $99 Tech Care Audit, no call needed. Start here →

The fake hosting sites

Seven domains registered between April 15 and May 27, 2026. All on Cloudflare. Three via NameSilo with identical nameserver pairs. Two via Njalla hidden behind Saint Kitts entities. One claiming to have been operating since 2024, a claim as fabricated as NordBastion's "Garrison since 2024."

SiteRegisteredStatus
servprivacy.com2026-04-15Rebranded to servprivate.com
cryptoservers.io2026-04-22SUSPENDED by Njalla
nokycvps.com2026-05-11Suspended by registrar (client hold)
nordbastion.com2026-05-13Active
vpscrypto.io2026-05-20Active
servprivate.com2026-05-27Active (rebrand of servprivacy.com)
bitvps.ioClaims "Established 2024"Active

Two sites have already been suspended. The remaining four are still active and still accepting crypto deposits.

The fake review sites

The pattern gets obvious once you line up the registration times. Three sites, all registered the same day and roughly one hour apart:

SiteRegisteredRegistrar
nokyczone.com2026-05-28 12:26 UTCNameCheap
skipkyc.com2026-05-28 13:33 UTCNameCheap
swapnokyc.io2026-05-28 14:28 UTCNameCheap

Three sites. Same day. Same registrar. Same DNS provider. Registered at 12:26, 13:33, and 14:28 UTC. That does not read like three independent services that happened to launch on the same afternoon. It reads like one operator building a credibility stack: a swap service, two review sites, and the hosting sites they all vouch for.

SwapNoKYC.io is the swap layer. Both review sites promote it as their number one recommendation. SkipKYC's footer calls it "Top-graded for L0 trustless settlement." NoKYCZone's footer calls it "Editor's pick." NoKYCZone's homepage gives it a 9.6/10, the highest-rated service on the site.

If a victim uses SwapNoKYC to convert BTC to XMR before depositing into one of the scam hosting sites, the swap fee is captured by the same operator, and the routing layer obscures the money trail.

The shared template

Every hosting site in this network is built from the same template. I have read enough of all five to identify the common DNA.

Identical language set. All five sites publish in the exact same 14 languages: English, Russian, Chinese, Spanish, French, German, Portuguese, Arabic, Japanese, Korean, Hindi, Indonesian, Italian, Turkish. Not 13, not 15. The same 14, in the same order, every time. No legitimate hosting company launches with 14 simultaneous translations on day one. An LLM does.

Identical payment model. Crypto-only prepaid balance. Top up in 10 to 14 cryptocurrencies, servers draw down from the balance. No card, no wire, no KYC. No refunds. "Crypto payments are irreversible by nature." This is the trap: once you deposit, the money is gone.

Identical legal posture. "No KYC, no DMCA, no abuse complaints. The only hard limit is CSAM." Word for word across all five sites. The CSAM exception is there to make the "no rules" posture feel principled rather than reckless. It is a manipulation technique: one stated moral limit makes the absence of all other limits feel like a deliberate ethical choice.

Identical bonus structure. NoKYCVPS offers "+30% to +70% free credit" on deposits of $100 to $1,000. The bonus incentivizes large upfront deposits, the exact mechanism that maximizes the scammer's take before they disappear.

The fake review architecture

How it works

The operator built two review sites, SkipKYC and NoKYCZone, and populated them with a mix of real and fake reviews. The real reviews cover legitimate services: Bisq, Mullvad, IVPN, Kraken, Njalla, Posteo, Tutanota. The fake reviews cover the scam hosting sites: NordBastion, NoKYCVPS, ServPrivate, BitVPS. The real reviews exist to make the fake reviews look credible by association.

This is the key insight: a fake review site that only reviews fake products is obvious. A fake review site that reviews 30 real products and 5 fake ones is invisible. The real services are the camouflage.

A fake review site that only reviews fake products is obvious. A fake review site that reviews 30 real products and 5 fake ones is invisible.

SkipKYC (skipkyc.com)

Registered May 28, 2026 at 13:33 UTC. 500+ URLs, 51 English review pages, 8 language versions. Claims to be "an independent editorial desk reviewing services that don't require a government ID to use."

What SkipKYC says about NordBastion:

  • Score: A- (8.6/10)
  • Trust level: LEGIT. Their own rubric defines LEGIT as "verified, audited, clean track record, operating for at least two years under the same identity."
  • "Operating since 2023." The domain was registered May 13, 2026.
  • "Three-year Nordic operator running a published doctrine." Impossible for a 55-day-old domain.

The LEGIT rating is the tell. SkipKYC's own methodology page defines LEGIT as requiring "at least two years" of operation. NordBastion's domain is 55 days old. SkipKYC either did not check the domain age, in which case their "primary-source check" protocol is a lie, or they checked it and lied about it, in which case the review is a fabrication. There is no third option.

NoKYCZone (nokyczone.com)

Registered May 28, 2026 at 12:26 UTC. 251 URLs, 32 service review pages, 108 comparison pages, 10 language versions. Claims to be a "hand-curated directory of 27 services, verified every 6 hours."

What NoKYCZone says about NordBastion:

  • Score: 8.6/10 (identical to SkipKYC's score)
  • "Founded 2023." The domain was registered May 13, 2026.
  • "Published May 15, 2026." Two days after the domain was registered. A full rubric-based review, with jurisdictional analysis, product breakdown, and pros/cons, published 48 hours after the domain existed.

The May 15 publication date is impossible. NordBastion.com was registered on May 13. NoKYCZone claims to have published a full review on May 15. But the review site itself was not registered until May 28. NoKYCZone is claiming it published a review on May 15 on a domain that did not exist until May 28.

The "honest criticism" pattern

SkipKYC's review includes three cons: prepaid balance is custodial, no support email, closed source. These are the exact same three cons that NoKYCZone lists. Not similar. Identical. Two "independent" review sites arrived at the same three criticisms, worded the same way, for the same service.

That does not read like independent analysis to me. It reads like the same author writing both pages.

The criticisms are chosen to be the ones a sophisticated buyer would already accept. Of course a KYC-free host is closed source. Of course crypto is custodial. They are not the actual problems. The actual problem is that there is no host.

Two independent review sites arrived at the same three criticisms, worded the same way, for the same service. That is not independent analysis.

The LowEndTalk confirmation

I am not the first person to notice this. The LowEndTalk community, a hosting industry forum where providers and customers have discussed VPS deals for over a decade, has already identified this network.

LowEndTalk thread showing a victim's report of two XMR top-ups that confirmed on-chain but were never credited by NoKYCVPS
LowEndTalk thread documenting the NoKYCVPS scam. The victim reports two confirmed XMR deposits that were never credited, with support locked.

Source: LowEndTalk.com

In a thread titled "NoKycVPS: Two XMR top-ups confirmed 10/10 but not credited, invoices expired, support locked," a user reported depositing two Monero payments into NoKYCVPS. Both reached 10/10 confirmations on-chain. Both invoices expired anyway. Neither payment was credited to their account. Support was locked after the first failed top-up. Telegram messages were ignored.

The community response was immediate:

  • "Congratulations, you have been scammed. Same template btw as the previous scam sites."
  • "yeah.. NoKYCVPS is a scam operation. avoid."
  • "Only the difference is that those are trusted providers, not a vibe coded site with a domain registered less than a month ago. Next time at least check the domain age."

The forum users spotted the template, the shared patterns, and the specific sites, including the fake review sites, before I did. They called it "vibe coded," which is a good shorthand for AI-generated sites that look real but have nothing behind them.

Scam-Detector.com independently assessed nokycvps.com and gave it a trust score of 16.6/100, tagged "Controversial. High-Risk. Unsafe."

LowEndTalk thread titled Servprivacy.com a scam story, showing a victim reporting crypto received but order left pending and expired
The ServPrivacy LowEndTalk thread. Another victim reports the same pattern: crypto received, order pending, no way to contact support.

Source: LowEndTalk.com

The payment trap confirmed

The mechanism is the same one I described in Part 1's payment trap analysis: deposit crypto, invoice "expires" despite on-chain confirmation, balance never credited, support locked, no refunds possible.

This is not a theory. This is a documented user experience from someone who deposited Monero into NoKYCVPS, a site built by the same operator, from the same template, registered two days before NordBastion.

The "support locked after failed payment" detail is the cruelest part. The operator's own support system is designed to lock you out the moment you have a problem with a payment. You cannot ask why your payment was not credited. You cannot request a refund. You cannot reach a human. The system is engineered so that the moment you have a complaint, you lose your ability to complain.

LowEndTalk thread documenting the cryptoservers.io scam, including transaction hashes and the final Njalla domain suspension
The cryptoservers.io LowEndTalk thread. The final update confirms Njalla suspended the domain after community reports.

Source: LowEndTalk.com

What I cannot tell you

I do not know how many people have already sent crypto to these sites. The LowEndTalk threads confirm at least 4 victims across cryptoservers.io and NoKYCVPS, with documented transaction hashes totaling over $200 in XMR alone. Given that NordBastion, ServPrivate, BitVPS, and VPSCrypto are all still active and all using the same deposit model, the real total is likely much higher. Most victims do not post on forums.

I do not know if there are more sites in the network that I have not found. The seven hosting domains, two review sites, and one swap service I identified may be the full set, or they may be the ones I found. The operator's response to suspension is to register new domains. servprivacy.com became servprivate.com. cryptoservers.io will likely reappear under a new name. The template is clearly reusable.

Bottom line: the fake review network

A real reputation is earned across forums, Reddit threads, HN comments, and years of operational history. NordBastion has none of that. What it has is two websites that appeared the same afternoon to tell you it is trustworthy.

The fake review network is the most sophisticated part of this scam. It is not enough to build a fake host. You have to build a fake reputation to go with it. And the operator did, complete with methodology pages, rubrics, KYC tiers, and just enough real reviews to camouflage the fake ones.

In the next part of this series, I cover the most alarming discovery: how this network is specifically engineered to be recommended by ChatGPT and other AI agents.

This article is consumer-protection and security reporting based on publicly available evidence, on-chain transaction data, public corporate registries, and independent technical analysis. Screenshots of third-party sites are used for news reporting and criticism under fair use. Sources are attributed inline. If you are a party mentioned in this article and believe a factual statement is inaccurate, contact [email protected] with specific corrections and supporting evidence.

Were you recommended a host by a review site?

Send me the URL of the review site and the host it recommended. I will check whether the review site is real, whether the host has verifiable history, and whether it is safe to deposit. Flat $99 Tech Care Audit, no call required.

Start a Tech Care Audit →

Want to check it yourself first? Get the 12-point verification checklist free.