by jonatron 1160 days ago
This has come up a few times on HN, if you search comments for "Hetzner fraud". The solution is to use a different provider if you can't use Hetzner.
1 comments

I've seen the other side of this. Our SaaS (a data API) has a number of "customers" who attempt to use us (or our competitors; we're not special here) to power some data displays on their phishing-scam websites, to make them seem more legitimate.

We ban these people — they're violating our ToU by engaging in illegal activities. But they come back. With different names, different IPs, different browsers, different credit cards. They have complete identities to burn. (We spot the correlations anyway, along other dimensions I won't disclose here, and so can keep them out pretty effectively.)

And guess what? Very often, their requests are coming from Hetzner IP blocks.

I don't think the scammers have a direct business relationship with Hetzner, mind you. I think Hetzner tries just as hard as we do to stop these people from making use of their services. But I believe that these Hetzner boxes are either set up as exit nodes of one or more common VPN providers; or they're being registered for other purposes by other parties, and then resold on the secondary market on dark-web forums.

If I were a VPS provider, and I didn't want to support illegal activity, I'd probably just give up on providing service to individuals altogether, only taking corporate customers; and even then, requiring a DUNS number or something as an additional proof-of-work for that corporation, so that people can't just keep spinning up corporations in places where that's essentially free.

Hetzner hasn't gone that far; but it makes sense to me that if a user account is flagged as needing extended verification, and the ops person responsible for verifying the account takes a look at the user-lifecycle activity logs for the user, and sees that this user has: their IP coming from multiple places during registration vs login, their browser locale and timezone bouncing around between requests and set for settings uncommon to the country their IP is originating from, etc. — that the answer would be "ban" rather than "ask the user why the heck that's happening."

One time out of ten, the user is a real person doing something weird. The other nine times out of ten, the user is a scammer and is going to make up some story about being a real person doing something weird. Every scammer has their very own pool of man-hours, and if you're in the critical path for their scam, they can burn a number of those man-hours being really insistent that they're authentic. Until you let them in, and see that they immediately start up the same dumb phishing-scam bot script that all the other scammers purchased.
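One way to turn the account-lifecycle signals described in this comment (registration vs. login country, locale and timezone churn, settings uncommon for the IP's country) into a review score, as an added example that is not part of the thread; the sample events and the country lookup table are constructed for illustration.

```python
# Added example, not from the thread: score a user's lifecycle log for the
# signals the comment names. Events are (event, ip_country, browser_locale, tz).
SUSPECT_LOG = [  # constructed sample
    ("register", "DE", "ru-RU", "Europe/Moscow"),
    ("login",    "NL", "en-US", "America/New_York"),
    ("login",    "DE", "ru-RU", "Asia/Yekaterinburg"),
]
NORMAL_LOG = [  # constructed sample
    ("register", "DE", "de-DE", "Europe/Berlin"),
    ("login",    "DE", "de-DE", "Europe/Berlin"),
    ("login",    "DE", "de-DE", "Europe/Berlin"),
]

# Assumed lookup (illustrative, not exhaustive): locales and timezones that are
# common for traffic from a given country.
COMMON_FOR_COUNTRY = {
    "DE": ({"de-DE", "en-US"}, {"Europe/Berlin"}),
    "NL": ({"nl-NL", "en-US"}, {"Europe/Amsterdam"}),
}


def score_account(events):
    """Return (score, reasons); a higher score means the account merits manual review."""
    reasons = []
    reg = [e for e in events if e[0] == "register"]
    logins = [e for e in events if e[0] == "login"]
    # Signal 1: login traffic from a different country than the registration.
    if reg and any(l[1] != reg[0][1] for l in logins):
        reasons.append("login country differs from registration country")
    # Signal 2/3: browser locale or timezone changing between requests.
    if len({e[2] for e in events}) > 1:
        reasons.append("browser locale changes between requests")
    if len({e[3] for e in events}) > 1:
        reasons.append("timezone changes between requests")
    # Signal 4: locale/timezone uncommon for the country the IP comes from.
    for _, country, locale, tz in events:
        locales, tzs = COMMON_FOR_COUNTRY.get(country, (set(), set()))
        if locales and (locale not in locales or tz not in tzs):
            reasons.append(f"{locale}/{tz} uncommon for IP country {country}")
            break
    return len(reasons), reasons


if __name__ == "__main__":
    print(score_account(SUSPECT_LOG))  # (4, [...])
    print(score_account(NORMAL_LOG))   # (0, [])
```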

We crawl through data like this professionally and from what we see, Hetzner isn't actually that bad at combating fraud. They are not GCP or AWS but there are other hosters of similar scale that have significantly worse response times and leave up clearly compromised machines for a lot longer.
I'm very curious to know who are the worst offenders! (If you can/want to share the details, obviously :) )
I cannot really comment on this because it's A) a multi-dimensional problem (Hosters like Oracle have slightly longer mean removal time than Hetzner but less of their IPs end up in our aggregated blocklist, so does that make them worse or better idk) and B) we're trying to coax at least some of these hosters into using our service to support their fraud team so it's probably best not to call out potential customers ;)
It’s likely they’re just using hacked sites. I’ve seen a WordPress site used as a Viagra botnet. The owner of the business thought it was good for them because they would get more traffic so they had given the other party root access. :sigh: the shit you see as a contractor…

But I’d be willing to bet you’re seeing hacked servers, not necessarily Hetzner’s fault. Hell, they didn’t even have IPv6 firewalls until recently (like the last six months).

I have pretty good reason to believe that scammers are using purchased Hetzner credentials — which is that some scammers are just right out there in the open, talking about how they do what they do: https://teletype.in/@slivmens/LjPaei8pMTT

Translated quote:

> To do this, we go here: [link to carding forum] and create a topic in the section "verified Hetzner accounts."

> Offer price — no more than 400 rubles is needed. The priority is people from Ukraine, as they have benefits. GEO of the person who verifies the account - any, excluding Russia due to sanctions.

> Another important detail: the seller must register a fresh GMail account, use that account to create an account on Hetzner, and verify it themselves.

> After verification, we wait 3 days before the creation of the new server — otherwise the likelihood of the account being blocked for abuse increases.

> After purchasing the account credentials, we change the password, both on the Gmail account, and on the Hetzner account.

Are you implying that someone (possibly temporarily) living in another country than where they're from means the sensible course of action is to instantly ban them?