This post, intended for this site, originally appeared on my blog due to a crippling DDoS attack. Please check for updates on Rosneft at the end of this post. It’s been a busy week. While speaking with a source in Caracas last Monday, I noticed this site wasn’t functioning. I asked my web hosting provider (thanks to the excellent people at LeaseWeb) and was informed that another DDoS attack had been launched against us. This is the third time my websites have faced a DDoS attack: once on vcrisis.com and twice on infodio.com.
I can’t help but wonder about the reasons behind this. Why would someone try to prevent the general public from accessing the content I publish here? Is it because we expose the rampant corruption in Venezuela? For those who are not aware of the situation, Venezuela is a Spanish-speaking country with around 30 million people. After 17 years of Chavismo, it has become a failed nation in the broader sense. However, this site isn’t aimed at a Venezuelan audience. It aims to inform the world about who’s who in the Boliburguesía, a new class of extremely wealthy and equally incompetent ‘businessmen’ who only emerged under the shadow of the so-called socialist revolution of Hugo Chávez. We talk about people like Alejandro Betancourt, Juan Carlos Escotet, Victor Vargas, and Luis Obertos… uncovering the origins of their newly found wealth, tracking their operations across different jurisdictions, and exposing those who enable, assist, and instigate, like Adam Kaufmann and Glenn Simpson, Al Cárdenas, or even Baltazar Garzón. We shine a light on their dealings in Africa, Europe, Russia, Asia, revealing their opaque underworld.
It’s to be expected that such work would draw the ire of nasty and cunning bullies (dirty money is welcomed by everyone everywhere these days). Dealing with these individuals exposes us to very dangerous vendettas. They operate in a world without borders or immigration barriers. They jet around the globe, one day dining with Heston Blumenthal, the next partying in St. Barths with Roman Abramovich, and the third meeting with former WSJ hackers, ex-Manhattan prosecutors, and leaders of the Republican Party in the United States, when they’re not frolicking with the crème de la crème of Sloanes in London. Their reach knows no limits. An operation in London can easily be organized from Caracas, with no fear of being caught. That’s the kind of players this site deals with.
Recently, the source of the attack came from Russia, or more specifically, an IP address controlled from Russia (191.96.249.70). A vulnerability in the WordPress blogging platform allows the pingback method to launch DDoS attacks (explained here). Basically, someone is exploiting that vulnerability to ping a target website. Upon reviewing my server logs, I noticed the following pattern:
"GET / HTTP/1.1" 200 32295 "http://infodio.com/" "WordPress/4.7.2; https://www.customescaperoom.com; verifying pingback from 191.96.249.70"
"GET / HTTP/1.1" 200 32293 "http://infodio.com/" "WordPress/4.6.3; http://www.toptasting.com; verifying pingback from 191.96.249.70"
"GET / HTTP/1.0" 200 145833 "-" "WordPress/4.0.15; http://wisecleaner.online; verifying pingback from 191.96.249.70"
When such requests are repeated thousands of times per second, servers tend to collapse under the influx of traffic, as happened to mine. Thousands of requests like these, as well as POST and HEAD requests, were fired from servers around the globe.
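Defender's view of the pattern above, as an added example that is not part of the original post: it parses Apache combined-format lines, picks out the WordPress pingback-verification user agent, and groups hits by the IP named in "verifying pingback from", so one claimed origin fanning out through many unrelated third-party WordPress sites stands out. The log lines, client addresses and reflector hostnames below are constructed placeholders modelled on the entries quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format, modelled on the post's
# entries; client addresses and reflector hostnames are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.0" 200 145833 "-" "WordPress/4.4.2; http://reflector-a.example; verifying pingback from 191.96.249.54"
192.0.2.11 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.7.2; https://reflector-b.example; verifying pingback from 191.96.249.54"
192.0.2.12 - - [24/Feb/2017:14:26:10 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.6; http://reflector-c.example; verifying pingback from 191.96.249.54"
198.51.100.7 - - [24/Feb/2017:14:26:11 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"
203.0.113.9 - - [24/Feb/2017:14:26:12 +0100] "GET /about/ HTTP/1.1" 200 8100 "-" "WordPress/4.7.2; https://lonely-blog.example; verifying pingback from 203.0.113.200"
"""

# Combined format: client ip, identd, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')
# Pingback-verification UA: "WordPress/<ver>; <reflector site>; verifying pingback from <claimed source>"
PINGBACK_RE = re.compile(r'^WordPress/(\S+); (\S+); verifying pingback from (\S+)$')


def pingback_sources(log_text):
    """Group pingback-verification hits by the IP they claim to originate from.

    Returns {claimed_ip: {"hits": n, "reflectors": {client_ip, ...}, "sites": {url, ...}}}.
    """
    stats = defaultdict(lambda: {"hits": 0, "reflectors": set(), "sites": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        client_ip, ua = m.group(1), m.group(7)
        pb = PINGBACK_RE.match(ua)
        if not pb:
            continue  # ordinary visitor, crawler, or other bot
        _version, site, claimed = pb.groups()
        entry = stats[claimed]
        entry["hits"] += 1
        entry["reflectors"].add(client_ip)
        entry["sites"].add(site)
    return dict(stats)


def flag_reflection(stats, min_hits=3, min_reflectors=3):
    """A single claimed source arriving via many distinct WordPress hosts is the reflection signature."""
    return sorted(ip for ip, e in stats.items()
                  if e["hits"] >= min_hits and len(e["reflectors"]) >= min_reflectors)


if __name__ == "__main__":
    s = pingback_sources(SAMPLE_LOG)
    for ip in flag_reflection(s):
        print(f"{ip}: {s[ip]['hits']} hits via {len(s[ip]['reflectors'])} reflectors")
```

A legitimate pingback from one blog (the last sample line) stays below the thresholds; the flagged address is the value to hand to the hosting provider's abuse desk, as the post goes on to do.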
However, the IP 191.96.249.70, like all others, is associated with a hosting provider, in this case, DMZHOST.CO. This domain, like others, is registered to an individual somewhere, in this case Christian P, with an address in Seychelles that closely resembles that of Mossack Fonseca (Oliaji Trade Centre, Francis Rachel Street, Victoria Mahe, Seychelles).
Every domain must have a responsible individual or organization behind it. Initially, DMZHOST.CO was listed under Dmzhost Limited, but it seems control has passed to JUPITER 25 LIMITED. A search for Jupiter brings us home to 35 Firs Avenue, N11 3NE, London, UK. Note the last link, which provides a [email protected] as a contact for Jupiter. Could this be the same person as Christian P in Seychelles?
There are hundreds of companies registered at 35 Firs Avenue. According to Companies House data, Darren Symes is the director of Jupiter and is associated with over 200 companies. Others investigating similar attacks have said this about DMZHOST in the recent past:
Providers of “bulletproof hosting” like DMZHOST offer VPS that are advertised as out of reach of Western law enforcement. DMZHOST provides customers with offshore VPS in a “secure privacy bunker data center in Holland” and “does not store any information/logs about user activity.” At the same time, their terms of service are equally succinct. “DMZHOST does not allow anything (related) to the following content: – DDoS – Childporn – Banking exploitation – Terrorism – NO NTP – NO email SPAM.”
Further investigation of IP 191.96.249.70 and Jupiter 25 Limited indicates that their DNS servers are controlled by another London-based company: Host1Plus. This appears to be a trade name for Digital Energy Technologies Ltd.
Bitcoin payments, which hide the identity of the ultimate culprits, are easily accepted by both DMZHOST and Host1Plus. I tweeted to Vincentas Grinius from Host1Plus, who responded in the most ridiculous way to avoid addressing the actual DDoS question.
I also emailed [email protected] and received an almost immediate response,* requesting records. Chris emails from somewhere in Pavia, Italy (93-36-187-144.ip61.fastwebnet.it). He claims that the server used for the DDoS attack “has been shut down,” but refuses to say who used the server, who hired their services, how they were paid, and declines to provide his full identity or that of his clients. If he is ever fully identified and provides proper explanations regarding the use of his platform for launching DDoS attacks on this site,* I will add his comments here. Minutes later, I was bombarded by a deluge of spam (see below) that began after my third email to Chris. So, the server “has been shut down”. Well, the attack has transformed…
Although it hasn’t all been bad. Just after Brian Krebs suffered the largest DDoS attack in history, I remember reading how Google had come to the rescue. Through Twitter, I contacted Nicholas Platt, digital media producer at Jigsaw, a tech incubator of Alphabet (Google’s parent company). When the DDoS attack started, I managed to get an invitation to join Project Shield, which is Google’s platform that defeated Krebs’ attackers. I will be eternally grateful for this act of kindness, and to Ashish at Project Shield for guiding me through the correct setup. The folks at LeaseWeb, my web hosting provider, also deserve my public gratitude: instead of kicking me out – after all, the attack caused many disruptions and hours of work to resolve – Tom, Reece, and Bagata kept calm and were tremendously helpful.
Virtual thieves are becoming more brazen by the day, although I seriously doubt they will ever reach the computational power levels of Google. The upside is that, due to the last DDoS attack, no amount of stolen Venezuelan money will be able to disconnect this site again. It remains to be seen which of the normally exposed bullies here is behind the latest attack, though we will continue investigating, reporting, and shedding light on the corruption and boliburguesía. The latest findings expose the no-bid contracts awarded to Derwick, the shady deals of Charles Henry de Beaumont with Oberto and other bullies in the Caribbean, the direct links between corrupt chavistas and their preferred contractors, etc.
* Just after confronting [email protected] this afternoon, the DDoS attack was relaunched against infodio.com, with the added benefit of a massive spam avalanche in my inbox. Chris claims that neither he nor his company were behind the DDoS attack and added that “I could help you mitigate ALL attacks. We have experience in mitigating attacks as we also receive many attacks”… (sic)
Subsequent investigations indicate that Chris’s representative in the UK, Darren Symes, has had a colorful past involving other scammers grouped in Claremont Partnerships and Noble Rock Partners.
UPDATE 25.02.2017 13:38 GMT: My server logs provide more clues about the nature of the attack. Project Shield visits began yesterday morning:
104.196.28.249 - - [24/Feb/2017:10:26:29 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"
This continued more or less uninterrupted until the afternoon and was combined with the crawling from Google bots, etc.:
35.184.90.184 - - [24/Feb/2017:14:24:36 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"
Then this happened:
104.155.70.96 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 145833 "-" "WordPress/4.4.2; http://jazzjackrabbit.org; verifying pingback from 191.96.249.54"
104.199.6.69 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.7.2; https://www.virtualsunburn.com; verifying pingback from 191.96.249.54"
104.199.61.249 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.6; http://pironsecurity.com; verifying pingback from 191.96.249.54"
At 14:24, [email protected] sent an email saying:
«Don’t threaten as, to be clear, we are not the ones launching the attack. And we have taken immediate action to suspend the server, so legally speaking, we are totally fine». (sic)
About two minutes passed between their “legally speaking, we are totally fine” and the restarting of the DDoS and more spam avalanche. However, the IP had changed, from the previous 191.96.249.70 to 191.96.249.54, both controlled by their company DMZHOST.
Email headers suggest that their mail server (mail.ru) is located in a GMT +0300 timezone (Russia) and then routed through Fastweb in Italy. Their browser seems set to Italian and visited some of my sites from a Fastweb server almost simultaneously.
I emailed [email protected], however, I have little expectation of receiving a direct and suitable response. Added: I finally received a response from mail.ru, stating that [email protected] is not a registered user, despite evidence to the contrary in the email header.
Spam in my inbox continues seriously: [email protected] didn’t respond to my latest email, I assume they didn’t appreciate my confrontation with them and the details in this post. Added: two responses finally arrived in my inbox over the weekend, one from the regular @dmzhost.co address and another from [email protected]. I contacted abuse at protonmail, to try to corroborate the IP location from where the inbox is accessed, but I haven’t received a response. Finally, revealing their involvement, Chris wrote:
IF YOU ARE RECEIVING THIS EMAIL IT IS BECAUSE WE CANNOT REACH YOU FROM OUR MAIN EMAIL. Please provide another email that is not being spammed… or a Skype account.
The DDoS attacks targeting the site continued to paralyze functionality and access, with five interruptions in the last seven days. Attempts to hack the site are still ongoing…
Google’s Project Shield (protecting my site) is also shielding this guy who’s exposing the looters of Venezuela https://t.co/GndJyeqSFT
— Briankrebs (@briankrebs) February 28, 2017
UPDATE 01.03.2017 07:46 GMT: Looking at the latitude and longitude details of the attacking IP addresses 191.96.249.70 and 191.96.249.54 on Google Maps, I noticed the location of Rosneft’s headquarters. Further investigations reveal that Rosneft.ru has exactly the same latitude and longitude details as the IP addresses from which the DDoS attacks were launched against my site. Considering the chavismo’s connections with ‘state’ Russian companies, is it not an extraordinary coincidence?