I Found a Crypto Hosting Scam Built by AI
How a 55-day-old domain fooled two review sites, borrowed an Israeli company's ASN, and built a fake API to look real.
Source: NordBastion.com
TL;DR
- NordBastion.com claims to be a Nordic privacy host since 2024. The domain is 55 days old.
- The ASN they display belongs to an Israeli cybersecurity company. The API returns HTML, not JSON.
- Once you send crypto, support is gated behind a payment that can silently fail. No chargeback path.
- Do not deposit. Use Njalla, Bahnhof, 1984, FlokiNET, or SporeStack instead.
NordBastion reads like a site built to look trustworthy before it was built to be useful. I spend a lot of time around AI systems, and after a while the pattern gets hard to miss. When every page lands with the same tone, every trust signal shows up on cue, and every objection is already answered, you are not looking at something that grew over time. You are looking at generated copy.
This is the version I would want in front of a friend before they deposited anything.
The short version: a 55-day-old crypto hosting scam
Evaluating a no-KYC host right now? Send me the URL. I will run the same 12-point check from this investigation and tell you whether it is safe to deposit. Flat $99 Tech Care Audit, no call needed. Start here →
NordBastion is a website that did not exist before May 13, 2026. It claims to be a Nordic hosting provider operating since 2024, with 8,756 customers, a 12-month transparency record, monthly warrant canary affirmations back to February 2026, 90 days of uptime data, a REST API, an MCP server, SDKs in four languages, and 73 customer reviews.
That set of claims does not survive even a basic check. The domain is 55 days old. The ASN they display belongs to an Israeli cybersecurity company. The API endpoints return HTML instead of JSON. The review sites that gave them 8.6 out of 10 were registered the same day, an hour apart. And once you send them crypto, you cannot reach support until the payment clears, which can time out.
It is a scam dressed up as a principled privacy host.
The manipulation architecture
What makes NordBastion dangerous is not any single lie. It is the stack of small lies, each one propping up the next, so a careful buyer checks two or three things and walks away reassured instead of alarmed. Here is how it works.
The moral framing
The entire site is built around a doctrine. Six non-negotiable tenets, a transparency report, a warrant canary, a PGP key, a published privacy philosophy. This is the hook for the target audience: people who care about privacy, who have been burned by KYC-requiring hosts, who want to believe someone is finally doing it right.
The moral framing is clever because it makes skepticism feel cynical. If you question NordBastion, you are supposed to feel like you are questioning privacy hosting itself. That is not a product feature. It is a manipulation technique. A real privacy host earns trust over years. This one wants it on page one.
The pre-answered objections
Every doubt a privacy-conscious buyer would have is answered before they finish forming it:
- "Is KYC-free just marketing?" No, it is structural. (It is not. It is just a signup form.)
- "Can you be compelled to hand over my data?" We hold as little as possible. (Conveniently unverifiable.)
- "What if the warrant canary stops updating?" Treat the network as compromised. (It cannot be compromised because it does not exist.)
- "Are these reviews real?" No purchased reviews, ever. (The reviews are fabricated, but the disclaimer makes you trust them more.)
This is a textbook persuasion structure: name the objection, answer it confidently, move on. By the time you have read the FAQ, you feel like every base is covered. That feeling is the product. The servers are not.
A real privacy host earns trust over years. This one demands it on page one.
The fabricated history
This is where the construction gets sloppy, because AI can generate copy but it cannot generate time. The site is full of temporal impossibilities:
| Claim | Reality |
|---|---|
| "Garrison since 2024" | Domain registered May 13, 2026. First Wayback snapshot May 20, 2026. |
| Transparency report: "8,756 customers", "rolling 12-month window" | Site is 55 days old. No 12-month window exists. |
| Warrant canary affirmations: Feb, Mar, Apr, May, Jun, Jul 2026 | Domain did not exist until May. Feb, Mar, Apr are fabricated. |
| Status page: "90-day uptime" for all four bastions | Cannot have 90 days of data on a 55-day-old domain. |
| 73 customer reviews, all dated May 2026 | One review claims "6 weeks" of uptime, impossible for a service that launched mid-May. |
| skipkyc.com review "Published May 15, 2026" | nordbastion.com registered May 13. A full rubric-based review published two days after the domain existed. |
An LLM can happily fill in plausible history without noticing it is contradicting the registration date. That is the tell.
The technical theater: a fake REST API and borrowed ASN
The site claims a REST API (v1), SDKs in Python, TypeScript, Go, and Rust, an nb CLI, an MCP server, and publishes two well-known endpoints to prove it:
/.well-known/openapi.json/.well-known/mcp/server-card.json
I fetched both. They return the homepage HTML, not JSON. The /v1 endpoint returns 404. The API does not exist. The SDKs do not exist. The CLI does not exist. These are props, URLs placed in the sitemap and footer so that a technical buyer sees them and assumes the engineering is real.
The looking glass is the same pattern: a real-looking form with bastion selectors (STO, HEL, OSL, RKV), tool selectors (ping, traceroute, MTR), and a target field. It does not run anything. It is a static form that says "Pick a bastion and a tool, enter a target, run the query" and never returns a result. A real looking glass hits a backend. This one hits nothing.
The ASN displayed in every footer, AS213232, belongs to Radware Ltd, an Israeli cybersecurity company in Tel Aviv. NordBastion is displaying someone else's ASN as proof of their network. Either they scraped it from a reference site and did not notice, or they chose it because Radware is a real DDoS-mitigation company and the number looks credible to a buyer who checks. Either way, it is not their network.
The payment trap: irreversible crypto, gated support
Here is the mechanism that makes this a scam rather than just a misleading website.
NordBastion uses a prepaid crypto balance model. You deposit Bitcoin, Monero, Ethereum, USDT, or any of 12 coins into a custodial balance. Your servers draw down from that balance as they run. There is no card, no wire, no KYC, and, critically, no chargeback path. Crypto sent is crypto gone.
Now add the detail that confirmed it for me: you cannot access support until they receive your money, and the payment can time out.
Read that again. The support channel, the only way to reach a human, since there is no published support email and all contact goes through the authenticated panel, is gated behind a payment that can fail silently. So the flow is:
- You create an account (email and password, no KYC, feels great).
- You initiate a crypto deposit to top up your balance.
- The deposit either confirms and credits, or it times out.
- If it times out, you have no balance, no panel access to support, and no way to ask what happened.
- If it confirms, your balance is now custodial crypto held by an operator whose identity is hidden behind a PrivacyGuardian.org proxy in Arizona, whose company registration in Estonia I could not verify, and whose ASN is borrowed from an Israeli firm.
There is no scenario where you have leverage. Before payment, you cannot reach anyone. After payment, your money is already gone and the only recourse is a support ticket inside a system the operator controls.
Before payment, you cannot reach anyone. After payment, your money is already gone.
A legitimate host lets you open a ticket before you pay. A legitimate host has a support email. A legitimate host does not gate human contact behind a crypto transfer that can silently fail.
The AI-generation tells: how I identified the scam
I work with AI systems. Here is what tells me this site was generated, not written.
Uniform voice across 130 pages. Every page (glossary entries, legal terms, use-case guides, comparison pages, FAQ) hits the same cadence: short declarative sentences, a numbered structure, a "still unsure? the garrison is on watch" closer. Human teams do not write 130 pages in one voice. LLMs do, in an afternoon.
14 languages, all fluent. Real companies localize into 2 or 3 languages well and the rest badly. NordBastion has 14 languages (English, Russian, Chinese, Spanish, French, German, Portuguese, Arabic, Japanese, Korean, Hindi, Indonesian, Italian, Turkish) all at the same quality. That is not a translation team. That is an LLM with a language parameter.
Programmatic SEO at scale. 16 competitor comparison pages, 6 "alternative to" pages, 13 crypto-specific landing pages, 5 OS-specific pages, 8 city/country pages, 17 glossary terms, 13 guides. This is a content template filled 130 times. A real new host has a homepage, a pricing page, and maybe a blog. They do not launch with a 1,677-URL programmatic SEO matrix in 14 languages on day one.
Reviews that sound like prompts. "Worth every penny." "Easy to use." "API integration smooth." These are the reviews an LLM writes when asked to generate plausible customer feedback. Real reviews are messy, specific, and inconsistent. These are clean, varied across just enough star ratings to look real (3/5, 4/5, 5/5), and all dated to the launch month.
What a real privacy host looks like
For contrast, the providers NordBastion compares itself to, the ones with verifiable histories (and see our guide to choosing the right web host):
- Njalla (Sweden, founded 2014 by Peter Sunde. Years of forum history, Tor onion mirror, OTR/XMPP contact. Verifiable.)
- Bahnhof (Sweden, founded 1994. Operates the Pionen nuclear-bunker datacentre. Hosted WikiLeaks since 2010. Verifiable.)
- 1984 Hosting (Iceland, founded 2006. ISO 27001, 100% green energy. Verifiable.)
- FlokiNET (Multi-jurisdiction: Iceland, Romania, Finland, Netherlands. Whistleblower-focused. Verifiable.)
- SporeStack (Accountless, API-first, since 2017. Open source. Verifiable.)
Every one of these has years of public history, real community discussion, and infrastructure you can probe. NordBastion has none of that. What it has is a website that says it has all of that, generated in May 2026, reviewed by two websites registered the same afternoon.
What I could not verify
I want to be honest about the limits of this investigation.
- NordBastion Oü: I could not confirm or deny the Estonian registration. The Estonian e-Business Register is JavaScript-gated and I could not query it programmatically. It is plausible that a shell Oü was registered, but registration alone proves nothing about infrastructure.
- The PGP key: The fingerprint (Ed25519, B9BB 3413 6FDC C3DA 8356 50C8 1A32 1442 3855 B282) may be real and may verify against the warrant canary signature. But a self-signed PGP key proves only that someone generated a keypair, not that they operate servers.
- Infrastructure: I could not independently verify whether any servers exist in Stockholm, Helsinki, Oslo, or Reykjavik. The looking glass does not function, the ASN is misappropriated, and the status page shows 90 days of data on a 55-day-old domain. The most likely explanation is that no infrastructure exists, but I cannot prove the negative.
Even if you give NordBastion every benefit of the doubt, the fabricated history, the fake review network, the non-functional API, and the payment-gated support are enough to rule it out as a trustworthy provider.
Bottom line: do not deposit
NordBastion is an AI-shaped fraud aimed at people who care about privacy and do not want to hand over ID. It uses moral framing to make skepticism feel cynical, pre-answered objections to close off doubts before they form, a fake review ecosystem to manufacture credibility, fabricated history that contradicts the domain's actual age, technical theater to look engineered, and a payment trap that gates support behind a crypto transfer that can silently fail.
The operator's identity is hidden behind a privacy proxy. The company registration is unverifiable. The infrastructure is unprovable. And once you send crypto, there is no path to recovery.
Do not send cryptocurrency to NordBastion. If you need KYC-free Nordic hosting, use Njalla, Bahnhof, 1984, FlokiNET, or SporeStack, providers with years of verifiable history and real community presence.
This is the first article in a four-part series. In the next part I break down the fake review network that vouched for NordBastion: The Fake Review Network Behind NordBastion.
This article is consumer-protection and security reporting based on publicly available evidence, on-chain transaction data, public corporate registries, and independent technical analysis. Screenshots of third-party sites are used for news reporting and criticism under fair use. Sources are attributed inline. If you are a party mentioned in this article and believe a factual statement is inaccurate, contact [email protected] with specific corrections and supporting evidence.
Not sure if a host is real? I will check it for you.
Send me the URL of any no-KYC VPS provider you are considering. I will run the same verification checks I used in this investigation: domain age, ASN ownership, API behavior, review-site provenance. Flat $99 Tech Care Audit, no call required.
Want the checklist first? Get the 12-point hosting verification checklist free, emailed to you.