By Cybersecurity researchers and threat intelligence platforms have identified Proton66 OOO (AS198953), registered in the Russian Federation, as the top bulletproof hosting provider facilitating cybercrime in 2024. According to reports from abuse.ch, based in Zürich, Switzerland, Proton66 OOO hosted 4,681 malware distribution websites last year.
Another bulletproof network, ELITETEAM (AS51381), registered in Seychelles but operated from Russia, ranked second with 944 malware sites. Both providers are notorious for ignoring abuse reports from Spamhaus and other legitimate organizations, and receive their upstream connectivity from Russian network operators.
Malicious Activities Hosted on Proton66 OOO (AS198953)
A deeper investigation into Proton66 OOO (AS198953) revealed a variety of malicious activities. Multiple cybersecurity researchers on X.com reported phishing campaigns, Lumma Stealer C2 servers, and ransomware operations linked to this network.
The following IP prefixes have been associated with Proton66 OOO (AS198953) and their respective malicious activities:
| IP prefix | ISP | Malicious activity |
| 45.134.26.0/24 | Proton66 LLC | Phishing; Illicit pharma |
| 45.135.232.0/24 | Proton66 LLC | Phishing; Ransomware; Malware; Illicit pharma; Online piracy |
| 45.140.17.0/24 | Proton66 LLC | Phishing; Malware; Online piracy |
| 91.212.166.0/24 | Next Limited, Hong Kong | Phishing; Malware |
| 193.143.1.0/24 | Proton66 OOO | Phishing; Malware |
Upstream Providers of Proton66 OOO (AS198953)
Proton66 OOO relies on the following upstream providers, which facilitate its network operations:
| ASN | Upstream Provider / Location | Contact |
| AS35598 | INETCOM CARRIER LLC, Russia | abuse131@inetcom.ru |
| AS201706 | SERVICEPIPE LLC, Russia | tech-support@servicepipe.ru |
| AS31027 | GlobalConnect A/S, Denmark | abuse@globalconnect.dk |
| AS8708 | DIGI ROMANIA S.A., Romania | abuse@rcs-rds.ro |
Peering IPv4 companies of Proton66 OOO (AS198953)
Proton66 OOO relies on the following peering companies.
| ASN | Peering Company / Location | Contact |
| AS35598 | INETCOM CARRIER LLC, Russia | abuse131@inetcom.ru |
| AS201706 | SERVICEPIPE LLC, Russia | tech-support@servicepipe.ru |
| AS31027 | GlobalConnect A/S, Denmark | abuse@globalconnect.dk |
| AS8708 | DIGI ROMANIA S.A., Romania | abuse@rcs-rds.ro |
| AS18106 | Viewqwest Pte Ltd, Singapore | abuse@viewqwest.com |
| AS39351 | 31173 Services AB, Sweden | abuse@31173.se |
| AS199524 | G-Core Labs S.A., Luxembourg | abuse@gcore.lu |
| AS49544 | i3D.net B.V, Netherlands | abuse@i3d.net |
| AS48314 | Michael Sebastian Schinzel trading as IP-Projects GmbH & Co. KG, Germany | abuse@ip-projects.de |
| AS14907 | Wikimedia Foundation Inc, United States | abuse@wikimedia.org |
| AS55818 | MC-IX Matrix Internet Exchange RS-1, Indonesia | abuse@nap.net.id |
Who is Behind Proton66 OOO (AS198953)?
Proton66 OOO (AS198953) is officially registered in St. Petersburg, Russia, with the following details from RIPE and business registries:
- Emails: mail@proton66.ru; abuse@proton66.ru
- Phone: +7-9995285271 (St. Petersburg area code)
- Address: District No. 54, Iskrovsky PR-KT, D. 21, LIT. U, kv.218, St. Petersburg, Russia, 193230
- Date of Registration: 20th February 2023
- OGRN: 1237800020402
- TIN: 7811785296
- Authorized Capital: 10,000 RUB
- Main Activity: Consulting in computer technologies (62.02)
- Director: Gomonov Dmitry Anatolyevich (Гомонов Дмитрий Анатольевич, TIN 780533409703)
- Additional Email: protonplus2@yandex.ru
Gomonov Dmitry Anatolyevich – A Fugitive with Criminal Ties
The director of Proton66 OOO, Gomonov Dmitry Anatolyevich (49 years old), has a history of financial trouble and legal issues:
- In 2020, he was identified with debts totaling 95,345 RUB (~1,047 USD).
- Between 2018-2019, he was a wanted fugitive, sought by the Main Directorate of the Ministry of Internal Affairs for St. Petersburg and Leningrad Oblast.
- His phone number +79992403654 (St. Petersburg) was traced to suspicious contacts, including:
- Dmitry Baturin Valerievich (+79262858857; 52 years old; previously identified in Chelyabinsk).
- Ahmatkulov Altynbek (+79267368095; 36 years old; originally from Kyrgyzstan, residing in Moscow).
Next Steps
In light of these findings, we will be reaching out to the upstream providers and peering companies of Proton66 OOO to disrupt their malicious activities.
Stay tuned for further updates on this ongoing investigation and disruption campaign.
