Friday, 4 April 2025

Brand Monitoring Data-Niblet #1: Bybit

Following the theft of $1.4 billion in cryptocurrency from Dubai-based exchange Bybit (Figure 1) on 21 February 2025[1], the organisation found itself targeted by a range of phishing attacks, as reported by security vendor BforeAI. The campaign(s) included efforts to acquire customer credentials and steal further currency - in some cases under the guise of offering support, guidance or fund recovery - using techniques including domain- and subdomain-based brand impersonations incorporating typo-variants and the use of a range of issue- and industry-specific keywords such as 'refund', 'wallet', 'information', 'check', 'recovery', 'metaconnect', 'mining' and 'airdrop'[2].

Figure 1: The official Bybit website (bybit[.]com), as of 04-Apr-2025

As of the start of April 2025, gTLD zone-file analysis reveals the existence of over 2,000 domains containing 'bybit', of which 1,044 contain 'bybit' at the start, or feature the brand name together with any of the high-relevance keywords listed above.

Of these 1,044 domains, only 21 appear to be under the control of the official Bybit organisation (based on the citation of their official domain registrar in the whois record, where information is available via an automated look-up).

Domain registration dates are available for 796 of the third-party domains, of which 160 (20.1%) have been registered since the date of the initial theft (Figure 2), including (for example) refund-bybit[.]com, bybitclaims[.]com and bybithacked[.]com, all registered on the day of the attack.

Figure 2: Daily numbers of registrations of high-relevance 'bybit' domain names, since the start of 2024
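The selection and dating steps described above (brand name at the start of the label, or brand name plus a high-relevance keyword; exclusion of the brand owner's own domains; split by registration date relative to the theft) can be scripted as a small triage routine. The following is an added example, not code from the article or from any monitoring vendor; the domain list is constructed for the demonstration (only the three names registered on the day of the attack are taken from the article, and the official-domain set is an assumption standing in for the registrar-based check).

```python
from datetime import date

# Constructed sample of candidate domains with their registration dates (None
# where no date was available). This is not the article's dataset: the three
# names registered on 2025-02-21 are the examples the article cites; the other
# entries, and every date except the theft date, are made up for the demo.
SAMPLE_DOMAINS = {
    "bybit.com": date(2018, 1, 1),            # official domain (placeholder date)
    "refund-bybit.com": date(2025, 2, 21),    # cited in the article
    "bybitclaims.com": date(2025, 2, 21),     # cited in the article
    "bybithacked.com": date(2025, 2, 21),     # cited in the article
    "bybit-cfd.com": date(2023, 5, 5),        # older registration (constructed date)
    "walletbybit.net": date(2025, 3, 2),      # constructed: brand + keyword, after theft
    "bybitlogin.top": None,                   # constructed: no registration date
    "mybybitfans.org": date(2024, 6, 3),      # constructed: brand mid-name, no keyword
}

BRAND = "bybit"
HIGH_RELEVANCE_KEYWORDS = ("refund", "wallet", "information", "check",
                           "recovery", "metaconnect", "mining", "airdrop")
THEFT_DATE = date(2025, 2, 21)
# Assumed set of domains under the brand owner's control (the article derives
# this from the registrar named in the whois record instead).
OFFICIAL_DOMAINS = {"bybit.com"}


def registrable_label(domain: str) -> str:
    """Label to the left of the TLD, e.g. 'refund-bybit' for 'refund-bybit.com'."""
    return domain.lower().split(".")[0]


def is_high_relevance(domain: str) -> bool:
    """The article's selection rule: the brand name at the start of the label, or
    the brand name appearing together with any of the high-relevance keywords."""
    label = registrable_label(domain)
    if BRAND not in label:
        return False
    if label.startswith(BRAND):
        return True
    return any(keyword in label for keyword in HIGH_RELEVANCE_KEYWORDS)


def triage(domains, theft_date=THEFT_DATE, official=OFFICIAL_DOMAINS):
    """Drop official and low-relevance names, then bucket the remaining third-party
    domains by whether they were registered on/after the theft, before it, or
    carry no registration date."""
    since, before, undated = [], [], []
    for name, registered in domains.items():
        if name in official or not is_high_relevance(name):
            continue
        if registered is None:
            undated.append(name)
        elif registered >= theft_date:
            since.append(name)
        else:
            before.append(name)
    return {"since_theft": sorted(since),
            "before_theft": sorted(before),
            "undated": sorted(undated)}


def share_since_theft(buckets) -> float:
    """Fraction of dated third-party domains registered on or after the theft
    (the article's 160 of 796 = 20.1% figure is this quantity)."""
    dated = len(buckets["since_theft"]) + len(buckets["before_theft"])
    return len(buckets["since_theft"]) / dated if dated else 0.0


if __name__ == "__main__":
    result = triage(SAMPLE_DOMAINS)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    print(f"registered since theft: {share_since_theft(result):.1%} of dated domains")
```

The undated bucket is kept separate rather than folded into either side, which is why the percentage is computed over dated domains only, matching the way the article reports 160 of 796.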

36 of those domains definitively registered since the date of the initial theft produce some sort of live website response as of the date of analysis (04-Apr-2025), including 16 domains explicitly resolving to active content of concern (Figure 3).

Figure 3: Examples of high-threat Bybit impersonation domains registered since the date of the initial attack against the platform: bybitbot[.]net, bybitge[.]top, bybitplan[.]com (plus an additional ten 'mirror' domains with names of the form bybitXXX[.]com), bybittpay[.]xyz, bybit-register[.]top, bybitcn[.]com

Amongst the older high-risk third-party registrations, a further 318 resolve to some sort of active webpage, of which 61 explicitly include the term 'login' somewhere in the page content or source-code. This dataset includes a number of additional examples of active websites of concern, including the examples shown in Figure 4.

[Figure 4, panels (a), (b) and (c): screenshots of the websites listed in the caption below]

Figure 4: Other examples of high-threat websites hosted on 'bybit' domains:

a) Log-in pages: bybitearn[.]site; bybit-cfd[.]com; bybitut[.]com

b) Other brand impersonation sites: bybit-tr[.]com; bybitcryptostoragewallet[.]com; bybitcoop[.]com; bybit[.]casa; bybitoption[.]com; bybit-tradefunds[.]com

c) Other misdirection (promotion of gambling-related content): bybitgame[.]com

References

[1] https://www.infosecurity-magazine.com/news/bybit-140m-bounty-recover-mega/

[2] https://www.infosecurity-magazine.com/news/over-500-phishing-domains-bybit/

This article was first published on 4 April 2025 at:

https://www.linkedin.com/pulse/brand-monitoring-data-niblet-1-bybit-david-barnett-aqjic/

'Notorious hosting providers': an overview of the highest-threat hosts from IP-address blacklist analysis

Introduction

One major element of many brand-protection programmes is the use of an algorithm to sort the findings identified through monitoring, according to their relevance or level of potential threat. This prioritisation process offers a number of benefits, including the identification of priority targets for further analysis, content tracking, or enforcement[1,2].

In many cases, prioritisation or 'threat-scoring' metrics of this nature will make use of a number of characteristics of the identified websites in question, each of which independently can provide insights into the potential level of threat. These insights are usually based on research into how frequently the relevant characteristics have previously been associated with content found to be fraudulent, malicious or infringing. Familiar examples of such characteristics might include the TLD (top-level domain, or domain extension) - with some TLDs found to be disproportionately popular with infringers, based on factors such as domain cost and registration requirements, or the nature of any IP protection programmes offered by the registries[3] - or the domain registrar (with infringement rates typically found to depend on factors such as compliance with enforcement requests), as per (for example) the registrar 'bad reputation' league table published by Spamhaus[4].

In this article, I consider the hosting characteristics of websites as an indicator of potential threat level, following on from a previous study[5] looking at the set of (IPv4) IP addresses blacklisted in response to identified use for specific infringing purposes (such as spamming and malware distribution), in a database provided by Myip.ms[6] (as of January 2025). This previous study explored the creation of a threat-scoring algorithm based on (among other factors) the proximity of the host IP address of a website of interest to other blacklisted IP addresses. Specifically, an IP address was deemed to be of higher risk if it sat in a netblock together with a higher number of blacklisted addresses.

A by-product of this previous analysis was the construction of a table showing those hosting providers which were most frequently found to be associated with blacklisted IP addresses (a list topped by Amazon Technologies Inc. (14,030 blacklisted addresses, out of the full dataset of 169,023), ChinaNet Jiangsu Province Network (7,285), and Cloudflare (3,317)). However, this list does not provide the full picture, as it may simply be the case that the hosting providers associated with the highest number of blacklisted addresses are just the most popular hosting providers generally (in which case, the numbers of blacklisted addresses would not be disproportionate, implying that the hosting provider's reputation should not be considered to be adversely affected). In this follow-up, therefore, I consider the 'rates' of blacklisted IP addresses per hosting provider, by expressing the raw numbers as proportions of the total numbers of IP addresses (actually, an estimate, based on a sampling exercise) with which the providers are associated.

Methodology and analysis

In order to obtain an estimate of the total extent of online presence of each hosting provider, it would ideally be necessary to carry out a host look-up for every IP address in IP-space (from 0.0.0.0 to 255.255.255.255 - i.e. 256^4, or approximately 4.3 billion, in total). However, in order to limit the number of look-ups required, a sampling approach was instead used, in which the analysis considered only four equally-spaced IP addresses within each second-level netblock (i.e. each a.b.0.0/16 block, sampled at 0.0.0.0, 0.0.64.0, 0.0.128.0, 0.0.192.0, 0.1.0.0, 0.1.64.0, etc.). The idea is that this approach should provide a representative sampling of IP-space, and furthermore is reasonable (to some extent) by virtue of the fact that many hosting providers (particularly the major players) will operate large, contiguous blocks of IP addresses (such that the sampling exercise will provide a reasonable overview of the activity breakdown).

By way of additional notes:

  • Of the 262,144 IP addresses considered, the automated look-ups were unsuccessful in 97,114 cases (37% of the total), comprising a mix of cases where the IP addresses themselves are invalid, or other instances where the look-up was found to time-out or fail. Note that this issue may skew the statistics, if certain regions or hosting providers tend to be disproportionately associated with failed look-ups.
  • In the latter stage of analysis, the name of the hosting provider (as given by the look-up) was - as in the previous study - 'cleaned' by truncating at the first instance of a comma (so that, for example, 'China Mobile Communications Corporation, Mobile Communications Network Operator in China, Internet Service Provider in China' is converted to 'China Mobile Communications Corporation'), which will in many cases produce a more reasonable aggregated dataset, but will also generate some 'false positives' (such as hosting providers listed just as (say) 'Headquarters' or 'ZA'), or instances where distinct entities are erroneously aggregated together, such that the final datasets may require some 'sanity-checking' and further cleansing. This approach may also generate cases where distinct instances of the 'same' entity are treated separately (e.g. 'Amazon.com' and 'Amazon Technologies Inc.').

From the initial stage of analysis, the top hosting providers generally appearing most commonly in the sampled dataset (i.e. by total numbers) are as shown in Table 1.

Hosting provider | No. IP addresses
DoD Network Information Center | 13,551
AT&T Enterprises, LLC | 6,384
Verizon Business | 5,563
Amazon.com, Inc. | 5,197
Amazon Technologies Inc. | 4,714
Comcast Cable Communications, LLC | 4,279
Headquarters, USAISC | 3,334
Microsoft Corporation | 2,802
Korea Telecom | 2,691
Charter Communications Inc | 2,257

Table 1: Top ten hosting providers ('uncleaned' names) associated with the sampled set of addresses across IP-space

For the main stage of analysis, a 'bad reputation' or 'threat' score was calculated for each of the hosting providers, by dividing the total number of blacklisted IP addresses under their control (from the previous study) by the total number of (sampled) IP addresses under their control (according to the approach outlined in this study), to give a 'blacklist rate' score. From this approach, the top ten highest-threat hosting providers are given in Table 2 (with the full list of all hosting providers assigned a blacklist rate score of 10.00 or greater shown in Appendix A).
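The three mechanical steps of the method (the four-per-/16 sampling grid described under Methodology, the comma-truncation cleaning of provider names from the notes above, and the blacklisted-over-sampled 'blacklist rate' just defined) fit in a short script. This is an added example, not the author's code; the look-up results it runs on are constructed strings, not real whois or host data, and the `min_sample` parameter is an addition of this example rather than part of the article's method.

```python
from collections import defaultdict
import ipaddress

SAMPLES_PER_BLOCK = 4  # four equally spaced addresses in each a.b.0.0/16 block


def sample_addresses():
    """Yield the article's sampling grid across all of IPv4 space: 0.0.0.0,
    0.0.64.0, 0.0.128.0, 0.0.192.0, 0.1.0.0, ... (65,536 blocks x 4 = 262,144)."""
    step = 65536 // SAMPLES_PER_BLOCK   # 16,384 addresses = 64 in the third octet
    for block in range(65536):
        base = block * 65536
        for k in range(SAMPLES_PER_BLOCK):
            yield ipaddress.IPv4Address(base + k * step)


def clean_provider_name(raw: str) -> str:
    """Truncate a look-up's organisation string at its first comma, as the
    article does, so 'Example Cloud A, Region X' and 'Example Cloud A, Region Y'
    both aggregate under 'Example Cloud A'."""
    return raw.split(",", 1)[0].strip()


def blacklist_rates(blacklisted_lookups, sample_lookups, min_sample=1):
    """Compute blacklisted / sampled for every provider seen in the sample.

    blacklisted_lookups: raw provider strings, one per blacklisted address
    sample_lookups: raw provider strings, one per successful sampled look-up
    min_sample: added knob (not part of the article's method) that drops providers
    whose sample count is too small for the ratio to carry much weight; with the
    default of 1, a provider seen once in the sample gets its full blacklist count
    as its rate, exactly as several rows in the article's Appendix A do."""
    blacklisted = defaultdict(int)
    for raw in blacklisted_lookups:
        blacklisted[clean_provider_name(raw)] += 1
    sampled = defaultdict(int)
    for raw in sample_lookups:
        sampled[clean_provider_name(raw)] += 1
    rates = {provider: round(blacklisted[provider] / n, 2)
             for provider, n in sampled.items() if n >= min_sample}
    return dict(sorted(rates.items(), key=lambda kv: kv[1], reverse=True))


# Constructed look-up results (not real data) for the demonstration.
BLACKLISTED_RAW = (["Example Cloud A, Region X"] * 4
                   + ["Example Cloud A, Region Y"] * 2
                   + ["Example Host C"] * 3)
SAMPLE_RAW = (["Example Cloud A, Region X"] * 3
              + ["Example ISP B"] * 5
              + ["Example Host C"] * 1)

if __name__ == "__main__":
    grid = list(sample_addresses())
    print(len(grid), [str(a) for a in grid[:5]])
    print(blacklist_rates(BLACKLISTED_RAW, SAMPLE_RAW))
    print(blacklist_rates(BLACKLISTED_RAW, SAMPLE_RAW, min_sample=2))
```

In a real run the `sample_lookups` list would be built by resolving each address from `sample_addresses()` and recording the organisation string (or skipping the address where the look-up fails, which is how the article's 97,114 unsuccessful cases drop out of the denominator). Raising `min_sample` is the natural way to keep a provider with a single sampled address from topping the table on the strength of one hit.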

Hosting provider | Blacklist rate
Huawei HongKong Clouds | 512.67
Ahrefs Pte Ltd | 462.00
Yandex enterprise network | 382.00
Huawei-Cloud-SG | 280.67
Bangladesh Telegraph & Telephone Board | 280.00
Netprotect | 270.00
Strong Technology | 189.00
geofeed (GitHub: Simonadascalu/Freedomtech-Geofeed) | 116.00
LogicWeb Inc. | 112.00
Huawei Cloud Singapore POP | 95.00

Table 2: Top ten 'highest threat' hosting providers, by 'blacklist rate' score

These results exhibit some parallels with other similar analyses with, for example, three of the top ten also appearing in Scamalytics' list of top 'high-risk ISPs' which achieve risk scores of greater than 52 (out of 100)[7] (namely: geofeed, score = 62; Strong Technology, score = 60; LogicWeb Inc., score = 56).

It is also noteworthy that some other fairly well-known providers do achieve relatively high blacklist rate scores in this new analysis, including Namecheap (rate = 52.00), Cloudflare (rate = 30.43) and OVH SAS (rate = 20.00). Furthermore, of the top 50 most commonly-appearing (i.e. most popular) hosting providers overall amongst the full sampled set of IP addresses, two (ChinaNet Jiangsu Province Network, rate = 10.95; Amazon Technologies Inc., rate = 2.98) have blacklist rate scores greater than 1.

Conclusion

The analysis reveals the identities of those hosting providers which are disproportionately associated with blacklisted IP addresses - and, by extension, those which may be most popular with bad actors for hosting infringing or malicious content. Accordingly, finding that any arbitrary identified website is hosted by one of these highest-threat providers gives some indication that - all other factors being equal - the website might be more likely to pose a threat, and is thereby worthy of closer attention.

On this basis, the 'blacklist rate' scores for the hosting providers (or some variant of it) could serve as a useful component of an overall threat score for ranking websites. This concept may be useful in the prioritisation of findings identified through brand-monitoring services.

Going forward, more robust augmentations to this approach could use a more intensive analysis (i.e. a less 'coarse' sampling) of the full set of addresses in IP address space, or additional blacklist or threat information, or could apply the same method to alternative characteristics, such as geographical hosting location (i.e. countries or cities, using geolocation data).

Appendix A: Highest-threat hosting providers by 'blacklist rate' score

Hosting provider | No. blacklisted IP addresses | No. IP addresses in sample of total | Blacklist rate
Huawei HongKong Clouds | 1,538 | 3 | 512.67
Ahrefs Pte Ltd | 462 | 1 | 462.00
Yandex enterprise network | 382 | 1 | 382.00
Huawei-Cloud-SG | 2,526 | 9 | 280.67
Bangladesh Telegraph & Telephone Board | 280 | 1 | 280.00
Netprotect | 540 | 2 | 270.00
Strong Technology | 567 | 3 | 189.00
geofeed https://raw.githubusercontent.com/Simonadascalu/Freedomtech-Geofeed/refs/heads/main/Freedomtech%20solutions%20-%20ALL | 116 | 1 | 116.00
LogicWeb Inc. | 112 | 1 | 112.00
Huawei Cloud Singapore POP | 95 | 1 | 95.00
Braveway LLC | 187 | 2 | 93.50
Telekom Srbija | 217 | 3 | 72.33
TOT Mobile Co LTD | 245 | 4 | 61.25
FranTech Solutions | 349 | 6 | 58.17
1222 Dial-up Free Internet Service | 55 | 1 | 55.00
Network Engineering (Mobile) - Reginal APN IP Lagos | 53 | 1 | 53.00
Namecheap | 156 | 3 | 52.00
Huawei Cloud SG POP | 47 | 1 | 47.00
PT iForte Global Internet | 45 | 1 | 45.00
Beijing Xiaoju Technology Co. | 355 | 8 | 44.38
EZECOM CO. | 171 | 4 | 42.75
BigTip | 80 | 2 | 40.00
Biznet Networks | 271 | 7 | 38.71
Cogetel Ltd | 73 | 2 | 36.50
Castle Global Inc. | 36 | 1 | 36.00
Performive LLC | 232 | 7 | 33.14
SINET | 65 | 2 | 32.50
Single Digits | 32 | 1 | 32.00
HostPapa | 2,157 | 68 | 31.72
CHINANET-ZJ Lishui node network | 601 | 19 | 31.63
Ishan Netsol Pvt Ltd | 31 | 1 | 31.00
MEGA-II IDC | 31 | 1 | 31.00
Cloudflare | 3,317 | 109 | 30.43
Cyber Internet Services Pakistan | 60 | 2 | 30.00
Multinet Pakistan Pvt. Ltd. | 30 | 1 | 30.00
Shinjiru Technology Sdn Bhd | 30 | 1 | 30.00
Amanah Tech Inc. | 29 | 1 | 29.00
VIETTEL (CAMBODIA) PTE | 29 | 1 | 29.00
ASSIGNED-FOR-IMS-IMPLEMENTATION | 28 | 1 | 28.00
B2 Net Solutions Inc. | 278 | 10 | 27.80
Contabo Inc. | 55 | 2 | 27.50
OCULUS NETWORKS INC | 81 | 3 | 27.00
Interserver | 54 | 2 | 27.00
Emerald Onion | 27 | 1 | 27.00
CHINANET-ZJ Quzhou node network | 480 | 18 | 26.67
Latitude.sh | 26 | 1 | 26.00
Secure Internet LLC | 175 | 7 | 25.00
ENTERPRISE | 25 | 1 | 25.00
MekongNet | 49 | 2 | 24.50
PT Jala Lintas Media | 24 | 1 | 24.00
Contabo GmbH | 94 | 4 | 23.50
BDCOM Online Limited | 23 | 1 | 23.00
velia.net | 23 | 1 | 23.00
DhakaCom Limited | 45 | 2 | 22.50
Web2Objects LLC | 197 | 9 | 21.89
Palestine Telecommunications Company (PALTEL) | 65 | 3 | 21.67
Telenor Pakistan (Pvt) Ltd | 21 | 1 | 21.00
GTPL Broadband Pvt. Ltd. | 81 | 4 | 20.25
OVH SAS | 40 | 2 | 20.00
LayerHost | 20 | 1 | 20.00
Dynamic allocation for Broadband Subscribers | 39 | 2 | 19.50
YOU Telecom India Pvt Ltd | 155 | 8 | 19.38
Contabo Asia Private Limited | 19 | 1 | 19.00
Earth Telecommunication(Pvt.)Ltd. | 19 | 1 | 19.00
Indusind Media And Communication Ltd. | 19 | 1 | 19.00
Mailgun Technologies Inc. | 19 | 1 | 19.00
TekTonic | 19 | 1 | 19.00
CTG Server Ltd. | 111 | 6 | 18.50
PT. Mora Telematika Indonesia | 37 | 2 | 18.50
UNICOM ZheJiang Province Network | 576 | 32 | 18.00
GRAMEEN CYBERNET | 18 | 1 | 18.00
PT ARTHA TELEKOMINDO | 18 | 1 | 18.00
Trans World Enterprise Services (Private) Limited | 18 | 1 | 18.00
World Phone Internet Services Pvt Ltd | 18 | 1 | 18.00
YISU CLOUD LTD | 18 | 1 | 18.00
USF DSLAM Central | 69 | 4 | 17.25
eSited Solutions | 187 | 11 | 17.00
J2 Global Ventures | 34 | 2 | 17.00
ZHENGZHOU guangdian COPR | 34 | 2 | 17.00
ACT Hyderabad | 17 | 1 | 17.00
Magnite | 17 | 1 | 17.00
MTNN-OJOTA-REGION-PREFIXES | 17 | 1 | 17.00
Scloud Pte Ltd t/a Scloud Pte Ltd | 17 | 1 | 17.00
ServerPoint.com | 17 | 1 | 17.00
Shiodome Sumitomo Blog 1-9-2 TOKYO | 17 | 1 | 17.00
SwiftMail Communications Limited | 17 | 1 | 17.00
Ucom CJSC | 17 | 1 | 17.00
Ultra Internet Communications LLC | 17 | 1 | 17.00
TOT Public Company Limited | 473 | 28 | 16.89
Digital Energy Technologies Limited | 33 | 2 | 16.50
PT. Media Antar Nusa | 33 | 2 | 16.50
China Unicom HuNan province network | 258 | 16 | 16.13
Colocation America Corporation | 224 | 14 | 16.00
PT Indonesia Comnets Plus | 48 | 3 | 16.00
US Net Incorporated | 32 | 2 | 16.00
Access Telecom (BD) Ltd | 16 | 1 | 16.00
Armour Cloud | 16 | 1 | 16.00
HostRoyale LLC | 16 | 1 | 16.00
N R DATA SERVICE PVT LTD | 16 | 1 | 16.00
Nanping MAN | 16 | 1 | 16.00
PT Mora Telematika Indonesia | 16 | 1 | 16.00
RAHA Ltd | 16 | 1 | 16.00
WIRELESS INDONESIA | 16 | 1 | 16.00
ADSL - DYNAMIC POOL | 110 | 7 | 15.71
Future Tech Distribution | 47 | 3 | 15.67
CMPak Limited | 46 | 3 | 15.33
CHINANET-ZJ Zhongxin node network | 873 | 57 | 15.32
Intelligence Network | 60 | 4 | 15.00
Fiber Grid Inc | 15 | 1 | 15.00
PT Hutchison 3 Indonesia | 15 | 1 | 15.00
PT. Cemerlang Multimedia | 15 | 1 | 15.00
PT. LINKNET | 15 | 1 | 15.00
Westendstrabe 28 | 15 | 1 | 15.00
PT. MNC Kabel Mediacom | 29 | 2 | 14.50
DigitalOcean | 2,329 | 164 | 14.20
America-NET Ltda. | 28 | 2 | 14.00
Dynamic allocation for LTE customers | 28 | 2 | 14.00
HOSTKEY | 14 | 1 | 14.00
Leaseweb Asia Pacific Pte. Ltd. | 14 | 1 | 14.00
rain | 139 | 10 | 13.90
Chandigarh | 122 | 9 | 13.56
Static IP Addresses for Internet Services | 27 | 2 | 13.50
Centrilogic | 53 | 4 | 13.25
NEWTREND | 53 | 4 | 13.25
PT. Eka Mas Republik | 26 | 2 | 13.00
Sneaker Server | 26 | 2 | 13.00
Gigantic Infotel Pvt Ltd | 13 | 1 | 13.00
PT Net2Cyber Indonesia | 13 | 1 | 13.00
VIETTEL (CAMBODIA) PTE. | 63 | 5 | 12.60
WebNX | 75 | 6 | 12.50
Sharktech | 87 | 7 | 12.43
BNG_MED1_orange | 24 | 2 | 12.00
Wowrack.com | 24 | 2 | 12.00
InterCloud ltd | 12 | 1 | 12.00
Leaseweb Deutschland GmbH | 12 | 1 | 12.00
Maxis Broadband Sdn.Bhd | 12 | 1 | 12.00
Reserved-for-Enterprise-Internet-WAN | 12 | 1 | 12.00
Sipbound Corporation | 12 | 1 | 12.00
Krypt Technologies | 235 | 20 | 11.75
PT Telkom Indonesias customer. | 23 | 2 | 11.50
10 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 137 | 12 | 11.42
Alibaba Cloud LLC | 1,971 | 173 | 11.39
CHINANET FUJIAN NETWORK | 136 | 12 | 11.33
GMO Internet Group | 102 | 9 | 11.33
UNE EPM TELECOMUNICACIONES S.A. | 99 | 9 | 11.00
LINKdotNET Telecom Limited | 22 | 2 | 11.00
Pakistan Mobile Communications Limited | 22 | 2 | 11.00
CABONNET INTERNET LTDA | 11 | 1 | 11.00
Mammoth Media Pty Ltd | 11 | 1 | 11.00
Myanma Post and Telecommunication | 11 | 1 | 11.00
POOL27 CONTEXT ORANGE BAS4 | 11 | 1 | 11.00
SONATEL Societe Nationale Des Telecommunications Du Senegal | 11 | 1 | 11.00
Telekom Slovenije d.d. | 11 | 1 | 11.00
VPSONLINE Ltd | 11 | 1 | 11.00
CHINANET jiangsu province network | 7,285 | 665 | 10.95
SendGrid | 97 | 9 | 10.78
DataWagon LLC | 21 | 2 | 10.50
PT Remala Abadi | 52 | 5 | 10.40
Emeigh Investments LLC | 61 | 6 | 10.17
IONOS Inc. | 81 | 8 | 10.13
FLAT 301 | 20 | 2 | 10.00
TYO_VULTR_CUST | 20 | 2 | 10.00
Automattic | 10 | 1 | 10.00
National Telecom Public Company Limited 7 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 10 | 1 | 10.00
Neuviz (PT. Piranti Prestasi Informasi) | 10 | 1 | 10.00
Pacific Connect Private Limited | 10 | 1 | 10.00
PT Jembatan Citra Nusantara | 10 | 1 | 10.00
PT Telkom Satelit Indonesia | 10 | 1 | 10.00
PT. Comtronics Systems | 10 | 1 | 10.00
PT. KINEZ CREATIVE SOLUTIONS | 10 | 1 | 10.00
VIZAG BROADCASTING COMPANY PVT. LTD | 10 | 1 | 10.00

References

[1] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 5: 'Prioritisation criteria for specific types of content'

[2] 'Towards a generalised threat-scoring framework for prioritising results from brand monitoring programmes', [link TBC]

[3] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[4] https://www.spamhaus.org/reputation-statistics/registrars/domains/

[5] '"Notorious IP Addresses" and initial steps towards the formulation of an overall threat score for websites', Stobbs e-book [link TBC]

[6] https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time

[7] https://scamalytics.com/ip/isp

This article was first published on 3 April 2025 at:

https://circleid.com/posts/notorious-hosting-providers-an-overview-of-the-highest-threat-hosts-from-ip-address-blacklist-analysis
