18 Domains, One Operator, Two Takedowns | Seth Brand Tech Care Blog
Back to Blog
Security July 10, 2026 11 min read Seth Brand

18 Domains, One Operator, Two Takedowns

Tracing the NordBastion scam network to Russian bullet-proof hosting infrastructure, UK shell companies, and a FINTRAC-fined payment processor.

UK Companies House page for NETSHIELD LTD, showing the shell company used to operate the scam network's hosting infrastructure

Source: UK Companies House

This is part 4 of a 4-part investigation series:

TL;DR

  • 18 domains registered over 10 weeks, all linked by a shared template and hosting infrastructure that researchers have connected to sanctioned Aeza Group.
  • The hosting infrastructure runs on NETSHIELD LTD's ASN, identified by Qurium as part of the Russian Doppelganger disinformation network.
  • A Cryptomus merchant ID was found in DNS records on infrastructure associated with the network. Cryptomus was fined $176M by FINTRAC Canada for AML violations; Krebs on Security reported it served 122 cybercrime services.
  • Two sites already suspended. New domains matching the pattern continue to appear. Report to Cloudflare and OpenAI.

In the first three parts of this series (part 1, part 2, part 3), I showed how NordBastion works as a scam, how its fake review network operates, and how it is built to get in front of AI recommendations. In this final part, I trace the network to its infrastructure and the companies behind it.

The finding matters because the company behind the network's hosting infrastructure has already been publicly identified by the Qurium Media Foundation as part of Russian bullet-proof hosting infrastructure connected to sanctioned Aeza Group.

The full network timeline

Evaluating a no-KYC host right now? Send me the URL. I will run the same 12-point check from this investigation and tell you whether it is safe to deposit. Flat $99 Tech Care Audit, no call needed. Start here →

The network now spans 10 weeks, from March 27 to July 3, 2026. The pattern started with a swap service and a review site in late March, then launched the hosting sites in April and May, then the second batch of review and swap sites on May 28, and new domains continue to appear.

  • 2026-03-27: retroswap.exchange registered (NICENIC) - swap service
  • 2026-04-15: servprivacy.com registered (NameSilo) - hosting, later rebranded
  • 2026-04-22: cryptoservers.io registered (Njalla) - hosting, later suspended
  • 2026-05-11: nokycvps.com registered (NameSilo) - hosting, later suspended
  • 2026-05-13: nordbastion.com registered (NameSilo) - hosting
  • 2026-05-18: cryptocardium.com registered (NameSilo) - crypto cards
  • 2026-05-20: vpscrypto.io registered (Njalla) - hosting
  • 2026-05-27: servprivate.com registered (NameSilo, rebrand of servprivacy.com)
  • 2026-05-28 12:26 UTC: nokyczone.com registered (NameCheap) - review site
  • 2026-05-28 13:33 UTC: skipkyc.com registered (NameCheap) - review site
  • 2026-05-28 14:28 UTC: swapnokyc.io registered (NameCheap) - swap service
  • 2026-06-11: nokycvoip.com registered (Squarespace) - VoIP service
  • 2026-07-03: smsburner.com registered (NameCheap) - SMS service, 4 days before this investigation

New domains matching this pattern continue to appear. This is not finished. It is still running.

After Aeza was sanctioned, the same hosting infrastructure began serving a network of no-KYC crypto VPS scam sites targeting privacy-conscious buyers.

The cryptoservers.io takedown

Cryptoservers.io is the most documented site in the network and the only one that has been fully suspended. It provides a complete case study of the scam lifecycle.

Registered April 22, 2026 via Njalla. Claimed incorporation: "Cryptoservers Ltd., Charlestown, Nevis, company number C 59284-2024, incorporated 1 May 2024." The domain was registered nearly 2 years after the claimed incorporation date.

Originally hosted on GTHost. GTHost terminated them. They migrated to bit.hosting. This migration pattern, being terminated by one host and moving to another, is characteristic of scam operations that get reported to upstream providers.

A LowEndTalk user posted detailed evidence with transaction hashes:

  • Order CS-ORD-112828D615, wallet top-up $100, May 26, 2026
  • Payment: 0.263236 XMR sent, TX hash 2e24444aaa339336436dab136ca04112841fff617a78d15d11c8c933a30d28e4
  • Block height 3682325, 30+ confirmations (their page required 10)
  • Panel status: Invoice EXPIRED, Settled lifetime $0, Paid invoices 0, Balance $0, Servers 0
  • Support: "Support is locked" (tickets only with active server)

I verified the transaction on xmrchain.net. The transaction exists at the exact timestamp the victim reported, with over 30,000 confirmations. The payment is real, confirmed, and irreversible. The scam site simply never credited it.

xmrchain.net blockchain explorer showing the confirmed Monero transaction with 30,000+ confirmations that was never credited by the scam site
xmrchain.net confirms the victim's Monero transaction with 30,000+ confirmations. The scam site never credited the payment.

Source: xmrchain.net

The takedown: The LowEndTalk community reported the site to Njalla and bit.hosting. Njalla suspended the domain. DNS was removed, the site stopped resolving. The thread's final update: "Njalla has suspended the domain. cryptoservers.io no longer resolves. If these scammers reappear under a new domain, check domain age and external reviews before paying. Pattern: 5-week-old domain, fake reviews, auto-signed warrant canary, broken MX."

The community identified the pattern precisely: young domain, fake reviews, warrant canary, broken MX. This is the same pattern across all seven sites in the network.

The infrastructure: links to Russian disinformation networks

This is the most significant finding of the investigation.

The company behind proxy4g.co, one of the network's non-hosting services, is NETSHIELD LTD (UK Company No. 14769288). NETSHIELD LTD has been publicly identified by the Qurium Media Foundation as part of a Russian bullet-proof hosting and disinformation infrastructure known as the "Evil Empire" or Doppelganger network.

Qurium Media Foundation report titled How Russia uses EU companies for propaganda, exposing the Evil Empire of Doppelganger disinformation
Qurium's July 2024 report identifying NETSHIELD LTD as part of the Russian Doppelganger disinformation infrastructure. Reporting by the Qurium Media Foundation, July 2024.

Source: Qurium Media Foundation

Qurium's July 2024 report states: "The companies are NETSHIELD LTD (Konstantin Muskafidi, Pavo Misiura), DPKGSOFT INTERNATIONAL LIMITED (Eduard Ilin) and INTERNATIONAL HOSTING COMPANY LIMITED (Konstantin Muskafidi). The companies are used to operate NUXT.CLOUD, 1CENT Hosting and Xorek Hosting."

NETSHIELD LTD officer history from UK Companies House:

OfficerNationalityRoleAppointedResigned
Pavlo MisiuraUkrainianDirector/Secretary2023-03-302024-10-03
Konstantin MuskafidiRussianDirector2024-10-032024-11-09
Aleksei DiabinRussianDirector (current)2024-11-09present

The names above are drawn from public UK Companies House filings. Their inclusion documents the corporate structure; it does not constitute an allegation that each individual personally operates the scam sites described in this series.

All three directors are in their early 20s. The current director, Diabin, is 21 and lives in Russia. The company is dormant (no trading activity). This pattern is consistent with what researchers describe as a nominee director arrangement. Whether these individuals are the actual operators or nominee directors fronting for a hidden principal is not established by public records.

Konstantin Muskafidi also holds a personal ASN: AS198138, registered in Kazakhstan. This ASN was last updated on May 13, 2026, the exact same date NordBastion.com was registered.

The Aeza connection

Qurium identified all of these companies as operating within the ecosystem of Aeza Group, a Russian bullet-proof hosting provider that was sanctioned by the US Treasury (OFAC), Australia, and the UK in November 2024 and July 2025 for:

  • Hosting infostealers and ransomware
  • Facilitating the Doppelganger Russian disinformation campaign
  • Enabling cybercrime through bullet-proof hosting and crypto payments

Important: The individuals named in public Companies House filings for NETSHIELD LTD and related companies are not on the OFAC Specially Designated Nationals list. The four individuals sanctioned by OFAC in connection with Aeza Group are different people. The connection described here is an infrastructure and corporate-pattern link identified by the Qurium Media Foundation, not a sanctions designation by this publication or by OFAC.

After Aeza was sanctioned, the same hosting infrastructure began serving a network of no-KYC crypto VPS scam sites that target privacy-conscious buyers. The sites use the same UK shell companies, the same virtual office addresses, the same nominee director pattern, and the same bullet-proof hosting infrastructure.

The four individuals sanctioned by OFAC in connection with Aeza Group are not the same people as Muskafidi, Misiura, Ilin, and Diabin. Qurium identified them as operating within the Aeza ecosystem. The people named in Companies House records look more like lower-level operators or nominee directors than the entire operation. Whether they continued after the Aeza designation, or whether the infrastructure was simply repurposed by someone else, is not established by public records.

The payment processor: Cryptomus

The crypto payment processor used by the network's hosting infrastructure has been identified via a DNS TXT record on nuxt.cloud: cryptomus=29842835. This is the merchant ID for Cryptomus, operated by Xeltox Enterprises Ltd., Canada.

Cryptomus was fined CAD $176,960,190 by FINTRAC Canada on October 16, 2025 for:

  • 2,593 contraventions of anti-money laundering laws
  • Failure to report suspicious transactions tied to CSAM, ransomware, fraud, and sanctions evasion
  • Processing $7 billion in total transactions with extensive exposure to sanctioned Russian exchange Garantex and Iranian exchanges
Krebs on Security article titled Canada Fines Cybercrime Friendly Cryptomus 176M, documenting FINTRAC penalties and the 122 cybercrime services using the processor
Krebs on Security documented that Cryptomus was the payment processor for 122 cybercrime services, including bullet-proof hosting and anonymous SMS providers. Reporting by Brian Krebs, Krebs on Security, October 2025.

Source: Krebs on Security

Krebs on Security documented that Cryptomus was the payment processor for 122 cybercrime services including bullet-proof hosting providers, anonymous SMS services, and proxy/RDP providers, the same category of services as the scam network I identified.

Heleket is Cryptomus's parallel/successor service, launched after Cryptomus introduced mandatory KYC. TRM Labs assessed with high confidence that Heleket was created by Cryptomus's operators to continue no-KYC payment processing. Heleket was blocked by Bithumb, South Korea's largest exchange, on May 21, 2026. TRM Labs reported that Bithumb cited money laundering and terrorist financing concerns; Heleket has not been convicted of either offense.

The payment flow appears to route through Cryptomus or Heleket based on the merchant ID found on nuxt.cloud. Whether each individual scam site uses the same processor was not directly verified. Krebs on Security reported that Cryptomus served 122 cybercrime services in the same category as this network.

Two sites have already been suspended. The operator is still registering new domains. The template is reusable.

The infrastructure

The actual hosting infrastructure behind the network has been identified. xorek.cloud (DPKGSOFT/Xorek hosting) is hosted on AS49418 (AS-NETSHIELD, NETSHIELD LTD) at IP 64.188.114.188 with PTR record web.netshield.uk. nuxt.cloud (INTERNATIONAL HOSTING COMPANY LIMITED) resolves to the same IP.

This confirms the scam sites are not just using Cloudflare for DNS and CDN. The actual origin servers are on NETSHIELD LTD's own ASN, the same infrastructure Qurium identified as part of the Russian Doppelganger disinformation network.

ServPrivate homepage showing cross-links to other network sites including proxy4g.co, swapnokyc.io, and smsburner.com
ServPrivate's homepage cross-links to other sites in the network, including proxy4g.co (NETSHIELD LTD) and swapnokyc.io.

Source: ServPrivate.com

How to verify a no-KYC host yourself

If you are considering any no-KYC hosting provider, run through this checklist before you deposit a single satoshi. For broader security practices, see our website security checklist.

  1. Check the domain registration date. If it is less than a year old, assume it is a scam until proven otherwise. Use rdap.org or whois.com.
  2. Search for the site on LowEndTalk, Reddit (r/vps, r/selfhosted), and BitcoinTalk. If there is no community discussion, there is no community, and a real host has a community.
  3. Check the ASN. Look it up on ipinfo.io or bgp.he.net. If it belongs to someone else, the site is lying about its infrastructure.
  4. Test the API. If they claim a REST API, hit the endpoints with curl. If they return HTML instead of JSON, the API does not exist.
  5. Check the JSON-LD schema. View the page source and look for the structured data. If the foundingDate does not match the WHOIS registration date, the schema is fabricated.
  6. Check the review sites. If the only reviews are on sites that were registered in the same month as the host, the reviews are fake.
  7. Check the MX records. Run dig MX on the domain. If there are no MX records and the contact page returns 404, the operator has deliberately made themselves unreachable.
  8. Start small. If you must test a new provider, deposit the minimum amount. Do not take the +70% bonus on a $1,000 deposit. That bonus exists to make you deposit more before the trap closes.
  9. Do not trust AI recommendations. If ChatGPT or another LLM recommends a no-KYC VPS, verify the recommendation independently.

What you can do

This article is consumer-protection reporting based on publicly available evidence and independent technical analysis. If you believe you have been defrauded by a site in this network, you can report it to:

  • Report to Cloudflare. All 15 active sites use Cloudflare. File a report at abuse.cloudflare.com/phishing for each active domain. Cloudflare has suspended two of the network's domains already; additional reports may lead to further suspensions.
  • Report to OpenAI. The AI agent attack vector is the innovation here. If OpenAI adds these domains to their safety classifiers, ChatGPT stops recommending the scam sites.
  • Post on LowEndTalk. The hosting community is the primary audience for these scams. A single well-evidenced thread naming the full network reaches potential victims before the scammers reach them.
  • Report to registrars. NameSilo, NameCheap, and Njalla all have abuse channels. Njalla has already suspended one domain and has publicly stated they aggressively strike down on scam sites.

If you already sent crypto to this network

If you deposited Bitcoin, Monero, or any cryptocurrency into NordBastion, NoKYCVPS, cryptoservers.io, ServPrivate, VPSCrypto, or BitVPS and your balance was never credited, here is what to do:

  1. Save everything. Transaction hash, order ID, deposit address, screenshots of the panel showing "Invoice EXPIRED" or "Settled lifetime $0".
  2. Report to the wallet or exchange you sent from. If you sent from an exchange (Kraken, Binance, Coinbase), their support may be able to flag the receiving address.
  3. File with IC3 (Internet Crime Complaint Center, ic3.gov) and Chainabuse (chainabuse.com). Both accept crypto fraud reports.
  4. Report to Cloudflare at abuse.cloudflare.com/phishing. Include the transaction hash and screenshots.
  5. Post on LowEndTalk with your evidence. The community there has already identified and helped take down two sites in this network.
  6. Send me the details. I will help you assemble the report packet. Use the contact form and include the site URL, transaction hash, and what happened.

What this investigation does not prove

This investigation establishes that the scam sites share a template, registration pattern, and hosting infrastructure (AS-NETSHIELD) that researchers have linked to Russian bullet-proof hosting. It does not establish the identity of the natural person(s) operating the scam sites, nor that every domain listed was registered by the same individual. The connection to NETSHIELD LTD is an infrastructure relationship; the directors named in public Companies House filings may be nominee directors rather than the actual operators. The Cryptomus merchant ID was found on nuxt.cloud, not on the scam sites' own DNS. These limits do not change the consumer-protection conclusion: the sites exhibit every hallmark of a prepaid-balance crypto scam. But the limits should be stated plainly.

Bottom line: the full NordBastion scam network

The hosting infrastructure is linked to Russian bullet-proof hosting previously connected to the sanctioned Aeza/Doppelganger disinformation ecosystem. The sites operate through UK shell companies with nominee directors in their early 20s living in Russia. They register domains in bursts, host everything behind Cloudflare, deploy AI-generated sites from a shared template, publish machine-readable content to target AI agent recommendations, create fake review sites to vouch for the scam sites, and use a FINTRAC-fined payment processor that also handles payments for 122 other cybercrime services.

The scam mechanism is simple: deposit crypto, invoice "expires" despite on-chain confirmation, balance never credited, support locked, no refunds possible. The prepaid balance model and the deposit bonuses both push people to send more up front, which is exactly what the operator wants.

Two sites have already been suspended. The rest are still active. New domains matching this pattern continue to appear. The template is reusable. And the AI agent attack vector means that ChatGPT and other LLMs are still recommending these scam sites to people who trust AI recommendations.

I strongly recommend not sending cryptocurrency to NordBastion, NoKYCVPS, VPSCrypto, ServPrivate, BitVPS, or any site exhibiting this network's pattern. The on-chain evidence and forum reports indicate deposits are not credited. Do not trust reviews from SkipKYC or NoKYCZone. Do not use SwapNoKYC for crypto swaps. If you need KYC-free hosting, use the verified alternatives I listed in Part 1: Njalla, Bahnhof, 1984 Hosting, FlokiNET, SporeStack, OrangeWebsite, Incognet, or ExtraVM. Every one of these has years of public history, real community discussion, and infrastructure you can probe.

The full picture

Four articles, one investigation. Part 1 identified the scam: a 55-day-old domain dressed in doctrine, with a payment trap that gates support behind irreversible crypto. Part 2 exposed the fake review network: two review sites registered the same afternoon to vouch for the scam. Part 3 revealed the AI agent attack vector: llms.txt, MCP cards, and fabricated schema designed to poison ChatGPT recommendations. Part 4 traced the infrastructure to Russian bullet-proof hosting linked to sanctioned Aeza Group and a FINTRAC-fined payment processor.

The consumer-protection conclusion is simple: do not send cryptocurrency to any site in this network. Use verified alternatives with years of public history. And do not trust AI recommendations for irreversible transactions.

Already lost money to this network?

Send me the transaction hash, the order ID, and the site URL. I will help you document the case for reports to Cloudflare, the registrar, and Chainalysis. Flat $99 Tech Care Audit, no call required.

Start a Tech Care Audit →

Not sure if a site is part of this network? Get the 12-point verification checklist free.

This article is consumer-protection and security reporting based on publicly available evidence, on-chain transaction data, public corporate registries, and independent technical analysis. Screenshots of third-party sites are used for news reporting and criticism under fair use. Sources are attributed inline. If you are a party mentioned in this article and believe a factual statement is inaccurate, contact [email protected] with specific corrections and supporting evidence.