Bearhost — one of the largest bulletproof hosting providers, also known as UNDERGROUND and VOODOO SERVERS — pulled off an exit scam in early May 2025, marking the end of its nine-year operation. A screenshot of a related message—originally posted by X.com user @club31337—was shared on Exploit[.]in by the user voodoo_servers (ID: 150104).
In this investigation, we combined the expertise of our offshore investigators with OSINT techniques and blockchain analysis to identify the operators behind Bearhost, map their extended network, and expose their illicit clientele.
Bearhost maintained an active presence on underground forums such as Exploit[.]in, carder[.]market, and breachforums[.]st, and was notably active on Telegram. Their Telegram footprint was documented in a November 2023 article by @joshuapenny88 on Medium. A screenshot of Bearhost-associated Telegram accounts, as captured in that report, is included below.
In November 2023, Medium user @joshuapenny88 conducted an investigation into the bulletproof hosting provider Chang Way Technologies Co. Limited (Registration No. 72251304), a company incorporated in Hong Kong on 23 September 2020. Below is a screenshot of the company’s registration record as listed in the Hong Kong Companies Registry.
Medium user @joshuapenny88 uncovered that Chang Way Technologies Co. Limited, operating under ASN AS57523, was linked to 3,328 unique IPv4 addresses, primarily distributed across Saint Petersburg and Moscow, with a smaller subset located in Hong Kong.
Additionally, the company was associated with the domain changway.hk, registered using the email bernard.webmail@gmail.com and the registrant name “Victor Zaycev”. Zaycev was also found to be connected to another Hong Kong-based entity, Cat Technologies Co. Limited (Registration No. 73819094), registered at the same physical address.
Further investigation by @joshuapenny88, using historical DNS records, revealed another email—processor.webmail@gmail.com—listed as the SOA RNAME for changway.hk.
Using Osint.Industries, we determined that processor.webmail@gmail.com was used to register accounts on the following platforms:
Platform | Username / ID | Notes |
116053294777095834771 | N/A | |
Chess.com | G00DM4N13 / 199988697 | Registered: 3 October 2022 Name: Lenar Davletshin Location: Bangkok, Thailand Premium account |
N/A | N/A | |
Adobe | N/A | N/A |
DigitalOcean (cloud) | N/A | N/A |
Apple | N/A | Phone Hint: * (***) ***-**-91 |
Samsung | N/A | +798**06**91 |
Company Registration Records – Hong Kong, Russia, Cyprus
We conducted a deeper review of the company registration records for the two Hong Kong entities previously identified: Chang Way Technologies Co. Limited (Registration No. 72251304) and Cat Technologies Co. Limited (Registration No. 73819094). The filings revealed that both companies list a Russian national, Lenar Davletshin, as their shareholder and director. Relevant screenshots of the registration documents are provided below.
We conducted additional searches for Lenar Davletshin in the Russian company registry. The companies linked to him are listed in the table below.
Company Name | Registration Records / Date | Notes |
Davletshin Lenar Igorevich [ДАВЛЕТШИН ЛЕНАР ИГОРЕВИЧ] | INN: 500516641210 Registered: 8 May 2014 Status: Active | |
Red Byte [ООО “КРАСНЫЙ БАЙТ”] | INN: 7814769133 OGRN: 1197847233154 Registered: 26 November 2019 Location: Saint Petersburg Main activity: Communication activities based on wired technologies Status: Active | For 2023, the company’s loss amounted to 72,972 thousand rubles ($885 USD as of 10 May 2025) |
INFORMATION TECHNOLOGIES (IT) [ООО “ИТ”] | INN: 7840072571 OGRN: 1177847370788 Registered: 16 November 2017 Location: Saint Petersburg Main activity: Consulting activities and work in the field of computer technology Status: Inactive since 20 January 2023 (excluded from the Unified State Register of Legal Entities due to inaccurate records) | |
HOSTWAY [ООО “ХОСТВЭЙ”] | INN: 7802698897 OGRN: 1197847226829 Registered: 18 November 2019 Location: Saint Petersburg Main activity: Communications based on wired technologies Status: Inactive since 20 January 2023 (excluded from the Unified State Register of Legal Entities due to inaccurate records) | |
HOSTWAY RUS [ООО “ХОСТВЭЙ РУС”] | INN: 7810900115 OGRN: 1207800095744 Registered: 4 August 2020 Location: Saint Petersburg Main activity: Communications based on wired technologies Status: Inactive since 31 March 2022 | |
TRIOSTARS [ООО “ТРИОСТАРС”] | INN: 7730702929 OGRN: 1147746236010 Registered: 7 March 2014 Location: Moscow Main activity: retail trade, carried out directly with the help of the information and communication network Internet Status: Inactive since 19 September 2016 | The company was headed by DAVLETSHINA ALMIRA VENEROVNA (INN: 164901748826); DAVLETSHIN LENAR IGOREVICH was co-founder. |
“F1” [ООО “Ф1”] | INN: 9724052144 OGRN: 1217700302775 Registered: 24 June 2021 Location: Moscow Main activity: repair of computers and peripheral computer equipment Status: Inactive since 13 June 2024 | For 2023, the company’s loss amounted to 2 thousand rubles. DAVLETSHIN LENAR IGOREVICH was co-founder. BOBKOVA TATYANA VIKTOROVNA (INN: 773104002072) was General Director. |
Davletshin Lenar Igorevich was also found to be connected to an active company registered in Nicosia, Cyprus — STARCRECIUM LIMITED (Registration No. HE410784), incorporated on 6 July 2020. The company is managed by Svilen Spasov (Director; associated with approximately 121 other entities), while Emil Tsunizhov serves as Secretary (linked to approximately 32 other companies). STARCRECIUM LIMITED has also been associated with hostway.ru, as illustrated in the screenshot below.
Two historical IP subnets — 45.146.166.0/23 and 152.89.198.0/24 — were linked to STARCRECIUM LIMITED based on a May 2021 post titled “To the Asshole in Cyprus Attacking the MV Server”.
Further evidence of a connection between Chang Way Technologies Co. Limited and STARCRECIUM LIMITED was detailed in an August 2022 article titled “Analyzing Attack Data and Trends Targeting Ukrainian Domains”. The report highlighted IP address 152.89.196.102, previously geolocated in Russia and part of an ASN registered to Chang Way but assigned to Starcrecium. According to the article, this IP was blocked 78,438 times on .ua domains and was responsible for a total of 3,803,734 blocked attack attempts globally.
changway.hk – Insights from Breach Data Analysis
We conducted additional searches for the domain changway.hk across various breach datasets to gather more information. The relevant record is displayed in the table below.
Breach Dataset | Details |
WineStyle.ru, October 2024 (the database of the largest Russian wine retailer) | Email: dl@changway.hk Phone: 798******91 IP addresses: 185.81.68.149 (Chang Way Technologies Co. Limited; geolocated in St. Petersburg, Russia) 91.197.11.222 (GP Internet Ltd; geolocated in Moscow) Name: Davletshin |
A reverse phone number lookup for 798******91 conducted through Osint.Industries revealed the following online accounts.
Platform | Username / ID | Notes |
N/A | N/A | |
Telegram | Voodooserv / 6798641294 | Name: VOODOO Last Seen: 2025-04-30T07:31:36+00:00 |
Yandex | N/A | N/A |
N/A | N/A | |
VIEWCALLER | Name: Ленар Давлетшин [Lenar Davletshin] | |
Microsoft | B025C7302134E7CB | Name: Lenar Davletshin Location: Russia Email: ecocor@yandex.ru Last Seen: 2025-04-09T05:15:55.740000+00:00 |
Apple | N/A | Email: ecocor@yandex.ru |
The phone number 798******91 was also associated with the Telegram channel tunast0ck, which offers bulletproof servers. It is connected to tunastock (ID: 358642344) and @Insidder_Incc (ID: 5775809485).
Building on the Telegram accounts previously linked to Bearhost, as identified by @joshuapenny88 in his Medium article, we conducted additional searches to map the current active Telegram accounts associated with Bearhost. A summary of the findings is provided in the table below.
Platform / Type | Username / ID | Notes |
Telegram, channel | @dear31337 / -1001307148482 | Display Name: @bear31337 BEARHOST 771 subscribers Admin: @bear31337 (t.me/HitSeller) Jabber: bearhost@exploit.im |
Telegram, username | @bear31337 / 5391735940 | Display Name: BEAR SERVERS |
Telegram, username | @HitSeller / 1022584088 | Display Name: 🏴☠️Bear Host |
Telegram, channel | @beor31337 / -1001978851488 | Display Name: bear31337 ✴️ 15 subscribers Seller: @ricco_sups (ID: 5858167344) |
Telegram, username | @bearhost / 800399696 | Display Name: BEAR HOST |
Telegram, username | @bearhosting / 6274839068 | Display Name: BEAR HOST |
Telegram, channel | @underground81337 / -1001416509206 | Display Name: Bulletproof servers [ @underground31337] 318 subscribers |
Telegram, channel | @underground313370 / -1001673616819 | 11 subscribers Seller: @sellergods (Display Name: Trofim) |
Telegram, username | @underground31337 / 2028655744 | Display Name: John Smith |
Telegram, username | @underground313371 / 5133937618 | Display Name: @underground31337 |
Telegram, channel | @underground313377 / -1001536088771 | Display Name: @underground31337 72 subscribers |
Telegram, channel | @underground31337_info / -1001716719566 | Display Name: @underground31337 2,058 subscribers |
Telegram, channel | @Bear31137 / -1001686487199 | Display Name: Bear31337 [SERVERS] 1,386 subscribers Admin: @Bear31337 (t.me/Subadm1) |
Telegram, channel | @bear31337_official / -1001558020440 | Display Name: bear31337 2,792 subscribers |
Telegram, username | @billing31337 / 6009237494 | Display Name: UNDERGROUND SERVERS |
Domain and IP Infrastructure
Through Fofa.info and Shodan.io, we mapped the domain and IP infrastructure associated with Bearhost. The favicon hash 931731413 was found to be linked to Bearhost’s websites. A search using this hash revealed the domains, servers, and infrastructure providers listed below.
Domain | Server / Geolocation | Infrastructure Provider / Details |
N/A | 193.201.9.152, Russia | OOO Selectel (AS49505) Certificate Issuer: Hostway Country: Russia CommonName: 192.168.200.151 Email Address: webmaster@hostway.ru Header: X-Powered-By: PHP/8.3.1 |
N/A | 193.201.9.153, Russia | Title: UNDERGROUND/BEARHOST OOO Selectel (AS49505) Certificate CommonName: billing.hostway.ru Header: Vary: X-Inertia X-Powered-By: PHP/8.3.3 |
31337.ru | 172.67.69.209, United States | Title: UNDERGROUND/BEARHOST Cloudflare Inc (AS13335) Certificate CommonName: 31337.ru Header: Vary: X-Inertia X-Powered-By: PHP/8.3.3 |
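The favicon pivot described above can be reproduced offline. This added example (not code from the original report) computes the hash the way Shodan's `http.favicon.hash` and FOFA's `icon_hash` filters index it, MurmurHash3 over the newline-wrapped base64 of the icon bytes, and lists hosts whose icon matches the reported value; the host names and icon bytes are constructed placeholders.

```python
import base64

# Favicon hash the article reports for Bearhost's websites.
BEARHOST_FAVICON_HASH = 931731413

# Constructed stand-ins for icons fetched from hosts seen in your own logs.
SAMPLE_ICONS = {
    "panel.example.net": b"\x00\x00\x01\x00" + b"constructed-icon-A" * 8,
    "shop.example.org": b"\x00\x00\x01\x00" + b"constructed-icon-B" * 8,
}


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 (x86, 32-bit) as an unsigned integer."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def mix(k: int) -> int:
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask  # rotate left 15
        return (k * c2) & mask

    h = seed & mask
    full = len(data) - len(data) % 4
    for i in range(0, full, 4):
        h ^= mix(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & mask  # rotate left 13
        h = (h * 5 + 0xE6546B64) & mask
    if full < len(data):  # 1-3 trailing bytes
        h ^= mix(int.from_bytes(data[full:], "little"))

    h ^= len(data) & mask
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def favicon_hash(icon: bytes) -> int:
    """Signed 32-bit hash of the icon as the search engines index it."""
    # encodebytes() wraps at 76 characters and ends with a newline; those
    # newlines are part of the hashed input, so b64encode() gives a different value.
    value = murmur3_32(base64.encodebytes(icon))
    return value - 0x100000000 if value & 0x80000000 else value


def matching_hosts(icons: dict, known_hash: int = BEARHOST_FAVICON_HASH) -> list:
    """Return the hosts whose favicon hashes to known_hash."""
    return sorted(host for host, icon in icons.items()
                  if favicon_hash(icon) == known_hash)


if __name__ == "__main__":
    for host, icon in SAMPLE_ICONS.items():
        print(host, favicon_hash(icon))
    print("matches:", matching_hosts(SAMPLE_ICONS))
```

A favicon match is a pivot rather than proof of ownership, which is why the report corroborates it with certificate common names and page titles.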
Three more domains were uncovered during the OSINT investigation.
Domain | Server / Geolocation | Infrastructure Provider / Details |
changway.hk | Last IP: 92.255.85.113, Hong Kong (hostway.ru was hosted on the same IP address in the past) | Chang Way Technologies Co. Limited |
31337.hk | Last IP: 172.67.181.146, United States (Historic IP: 185.11.61.251, Hong Kong) | Cloudflare Inc (AS13335) The domain 31337.hk previously hosted the subdomain bearhost.31337.hk, which also appeared as the Common Name in historical SSL certificates |
hostway.ru | Last IP: 185.215.113.104, Seychelles (Historically hosted on IP: 176.113.115.5, Hong Kong; hosting provider, Cat Technologies Co. Limited) | 1337Team Limited (ELITETEAM) – bulletproof hosting provider operated from Russia |
Notably, 31337.ru was previously hosted on the IP address 185.11.61.251, geolocated in Russia, and was linked to STARCRECIUM LIMITED. Additionally, Cat Technologies Co. Limited was found to be associated with the email/domain abuse@starcrecium.com, as indicated in the registration records for AS57678 (Cat Technologies) displayed in the RIPE Database.
Using Shodan.io, we mapped the IP servers associated with Chang Way Technologies Co. Limited. As of 10 May 2025, 1,016 servers were identified as being geolocated in Russia. A screenshot of the findings is provided below.
A similar search was conducted for Cat Technologies Co. Limited, revealing 44 servers geolocated in Russia as of 10 May 2025. CrdPro (CrdPro.link), a credit card-selling forum, was identified as one of their customers.
Using the Hurricane Electric BGP tool, it was found that as of 10 May 2025, all IPv4 prefixes linked to AS57523 (Chang Way Technologies Co. Limited) were down. Two prefixes, 80.64.30.0/24 and 185.42.12.0/24, were connected to Horizon LLC, which is geolocated in the UAE, possibly indicating the current location of the operator or their associates. The only IPv4 peer identified was Global Network Management Inc (AS31500; trade name “GNM Inc”), registered in Antigua and Barbuda and managed by Vladimir V. Vedeneev from the Netherlands. GNM Inc. is a backbone network operator.
Horizon LLC is located in Moscow, Russia, with Evgeniy Atnalin listed as the admin in RIPE records. Further investigation in the Russian company registry uncovered OOO “HORIZONT” [ООО “ГОРИЗОНТ”; INN: 9704085529; OGRN: 1217700401236], a company previously managed by Evgeniy Valerievich Atnalin (INN: 595702205104; not a professional income taxpayer as of 22 January 2025). This company, which was registered on 26 August 2021, and de-registered on 18 December 2024, primarily engaged in wholesale trade of timber, building materials, and sanitary equipment.
Regarding Cat Technologies Co. Limited (AS57678), the Hurricane Electric BGP tool showed that the ASN has been absent from the global routing table since 29 April 2025. The only IPv4 peer identified is iHome LLC (AS25478), based in Moscow, Russia.
Bearhost’s Customers via Domain/IP Infrastructure
In his Medium article, @joshuapenny88 associated Chang Way Technologies Co. Limited with the malicious activities listed in the screenshot below.
In the article “Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns”, Trustwave identified a connection between Proton66 (AS198953) and Chang Way Technologies through shared IP addresses involved in phishing and malware activities. Trustwave detailed various malware campaigns associated with Proton66, including compromised WordPress sites redirecting Android users to fake Google Play stores, an XWorm campaign targeting Korean-speaking chat room users, and the WeaXor Ransomware.
In February 2025, KrebsOnSecurity published an article titled “Notorious Malware, Spam Host ‘Prospero’ Moves to Kaspersky Lab”. It noted that in 2024 the French security firm Intrinsec had linked PROSPERO (AS200593) and Proton66 (AS198953) to bulletproof hosting services promoted on Russian underground forums under the names Securehost, UNDERGROUND, and BEARHOST.
Intrinsec’s analysis revealed that Prospero frequently hosted malware operations, including SocGholish and GootLoader. Other examples of malicious activity linked to PROSPERO (AS200593) and Proton66 (AS198953) include ransomware groups (e.g., SuperBlack) and infostealers (e.g., Strela Stealer, Lumma Stealer).
Notably, Proton66 (AS198953) is associated with the IPv4 prefix 91.212.166.0/24, which is linked to Next Limited (Registration no. 76321783), a company registered in Hong Kong on 15 March 2024. The company became dormant on 11 April 2024. Next Limited is registered at Room 1405, 135 Bonham Strand Trade Centre, 135 Bonham Strand, Sheung Wan, Hong Kong.
The company is managed by Fedor Berg (a Kyrgyzstani national) and Ilya Pojarkow. Next Limited was identified with ASN 50159, which has not been visible in the global routing table since 23 November 2023.
Fedor Berg also serves as the director of another company, Address Limited (registration number: 77270008), registered on 4 November 2024. Address Limited was found to be associated with the website addressn.com. Previously, Address Limited was linked to three ASNs: 62300 (currently associated with Intercom LLC), 61048 (currently linked to InfoLink LLC), and 50308 (currently connected to Mosnet LLC).
Blockchain Analytics via AMLBot – Insights into Illicit Transactions
Using AMLBot.com, we investigated Bitcoin addresses linked to Bearhost, revealing valuable insights into the associated illicit entities through incoming illicit transactions.
The first BTC cluster revealed the following relevant incoming illicit transactions, listed from the highest to lowest BTC amount.
Incoming Source | Category | Amount (BTC) |
FTX Thief 2022 | Stolen coins | 0.05458228 |
Ripple Co-Founder Thief 2024 | Stolen coins | 0.02757337 |
Change Healthcare Ransom | Ransom | 0.02458511 |
Hydra Marketplace | Dark market; sanctions | 0.01355092 |
Incognito Market | Dark market | 0.04283006 |
WeTheNorth | Dark market | 0.00956383 |
Black Sprut | Dark market | 0.00698933 |
Legit Western Union Hack and Bank Transfer | Dark market | 0.00616197 |
SafelyChange (prev. NetEx24.net) | Sanctions | 0.00571469 |
SamSam (Samas) | Ransom | 0.00534926 |
MEGA DARKNET MARKET | Dark market | 0.00486688 |
Samourai Wallet | Enforcement action | 0.00471056 |
ASAP Market | Dark market | 0.00381819 |
OMG!OMG! | Dark market | 0.00115408 |
InfoDig | Dark market | 0.00007119 |
The second BTC cluster uncovered the following relevant incoming illicit transactions, ranked from highest to lowest BTC amount.
Incoming Source | Category | Amount (BTC) |
Potential BTCTurk Thief 2024 | Stolen coins | 0.03126843 |
MEGA DARKNET MARKET | Dark market | 0.029671 |
InfoDig | Dark market | 0.01710825 |
Genesis Marketplace | Sanctions | 0.01575969 |
Kraken Darknet | Dark market | 0.01572785 |
OMG!OMG! | Dark market | 0.01020887 |
Black Sprut | Dark market | 0.01007156 |
Ripple Co-Founder Thief 2024 | Stolen coins | 0.00580702 |
Bybit Thief 2025 | Stolen coins | 0.00559741 |
DMM Bitcoin Thief 2024 | Stolen coins | 0.00459929 |
Lazarus Group | Sanctions | 0.00454 |
Legit Western Union Hack and Bank Transfer | Dark market | 0.0049818 |
Garantex | Sanctions | 0.00484315 |
Stake Thief 2023 | Stolen coins | 0.00241701 |
eXch Exchange | Illegal service; enforcement action | 0.00278784 |
FTX Thief 2022 | Stolen coins | 0.00146631 |
Verifpro fake ids | Dark market | 0.00078313 |
Solaris | Dark market | 0.00014799 |
OFAC: ZSERVERS | Sanctions | 0.00005306 |
OnionLABS Botnet Service | Dark market | 0.00002697 |
The third BTC cluster uncovered the following relevant incoming illicit transactions, listed from highest to lowest BTC amount.
Incoming Source | Category | Amount (BTC) |
Genesis Marketplace | Sanctions | 1.69974947 |
Garantex | Sanctions | 0.4694078 |
Black Sprut | Dark market | 0.21621169 |
Russian Anonymous Marketplace | Dark market | 0.09242346 |
MEGA DARKNET MARKET | Dark market | 0.09159432 |
Tejodes | Ransom | 0.07937664 |
Abraxas | Dark market | 0.05056351 |
Hydra Marketplace | Dark Market; Sanctions | 0.0403249 |
MedusaLocker | Ransom | 0.03593824 |
LockBit 2.0 | Ransom | 0.03559414 |
Kraken Darknet | Dark market | 0.03480828 |
ASAP Market | Dark market | 0.03285443 |
OMG!OMG! | Dark market | 0.03112564 |
InfoDig | Dark market | 0.02992 |
Abacus Market | Dark market | 0.02102798 |
UniCCShop | Dark service | 0.0195082 |
Conti | Ransom | 0.01492756 |
Incognito Market | Dark market | 0.00684457 |
coinbase-drop.com | Scam | 0.00617168 |
Makop | Ransom | 0.00218484 |
Eternity | Dark market | 0.00036872 |
Nobitex | Sanctions | 0.00002348 |
Predictive Insights – Beyond the Exit Scam
Following Bearhost’s exit scam, it is highly probable that the malicious activities previously conducted within their network will shift towards PROSPERO (AS200593) and Proton66 (AS198953), as well as the Hong Kong-based entities, Next Limited and/or Address Limited.
Moving forward, our efforts will be focused on monitoring these bulletproof hosting providers and tracking any emerging illicit entities that could arise from this shift.