DDoS-Guard

DDoS-Guard is a Russian Internet infrastructure company which provides DDoS protection and web hosting services. Researchers and journalists have alleged that many of DDoS-Guard's clients are engaged in criminal activity, and investigative reporter Brian Krebs reported in January 2021 that a "vast number" of the websites hosted by DDoS-Guard are "phishing sites and domains tied to cybercrime services or forums online". Some of DDoS-Guard's notable clients have included the Palestinian Islamic militant nationalist movement Hamas, American alt-tech social network Parler, and various groups associated with the Russian state.

Company
DDoS-Guard is based in Russia, as are most of its employees. The service has existed since 2011. The company was first registered in July 2014 in Sevastopol, by Evgeny Marchenko and Dmitry Sabitov, two Russians formerly from Ukraine. The company is incorporated in Scotland as Cognitive Cloud LP and in Belize as DDoS-Guard Corp. The company runs traffic filtering nodes on clusters located in Russia, Germany, the Netherlands, and Japan.

A company with the same name, owned by the same men, had previously existed in Ukraine since 2011, though spokespeople for the company have said this was only an early-stage company created while the software was being developed. The spokespeople stated that DDoS-Guard has always been based in Russia, in Rostov-on-Don, although Meduza reported that the office in that city did not open until 2015. Meduza reported that the company apparently relocated to Russia after Ukrainian national security and cyberpolice officers began investigations into the company due to its choice to host Verified, a forum notorious for platforming credit card scammers. DDoS-Guard has denied knowledge of the investigation.

In 2021, a researcher observed that DDoS-Guard appeared to have no physical presence in Belize and had likely incorporated there to gain access to IP addresses normally only allocated to local entities. Of more than 11,000 IP addresses assigned to DDoS-Guard's two subsidiaries, the researcher found two-thirds had been provided to the Belizean company by LACNIC, the regional Internet registry responsible for Latin America and the Caribbean. DDoS-Guard has rebutted the allegations, and said they do have a presence in Belize. After the researcher reported DDoS-Guard to LACNIC, LACNIC announced they would revoke more than 8,000 IP addresses from the company.

On 1 June 2021, cyber-intelligence company Group-IB reported that they had found DDoS-Guard's database, containing site IP addresses, names, and payment information along with its full source code, for purchase on a cybercrime black market forum. The authenticity of the allegedly stolen data was unverified.

Clients
Meduza has reported that, according to a former employee, DDoS-Guard has a history of working with customers who operate on the darknet. The employee has said this is because they can charge higher rates to such customers, who have a much smaller range of choices of Internet service providers willing to work with them, and who often especially need website security services. Some of DDoS-Guard's other clients have included the Palestinian Islamic militant nationalist movement Hamas, the cyberstalking site Kiwi Farms, and the imageboard 8kun, formerly known as 8chan, which is the online home of the American far-right QAnon conspiracy theory. The company said they ended services for both Hamas and 8chan after learning about the content on the sites from news sources. DDoS-Guard has ended services for various clients after being informed of their activities by journalists, but Meduza wrote that the company would likely need to deny services for a large portion of its client base if they were to proactively monitor for criminal activity. Brian Krebs, an investigative reporter focusing on cybercrime, wrote in January 2021 that a "review of the several thousand websites hosted by DDoS-Guard is revelatory, as it includes a vast number of phishing sites and domains tied to cybercrime services or forums online."

DDoS-Guard is suspected of hosting multiple Internet scammers responsible for stealing banking data, and one of the world's largest online stores for illegal drugs operates using infrastructure associated with DDoS-Guard. DDoS-Guard also provides services to The Daily Stormer, an American neo-Nazi, white supremacist, and Holocaust denial website and message board.

In December 2022, the European Commission added DDoS-Guard to its "Counterfeit and Piracy Watch List" based on input from copyright holders, which alleged that they were facilitating piracy. Piracy websites that have used the service include Nyaa Torrents and MangaDex.

Verified
Verified is a platform which Meduza has described as "one of the Internet's oldest and most notorious Russian-language forums for credit-card scammers". Meduza reported that in the spring of 2013, Ukrainian national security and cyberpolice began investigating DDoS-Guard for allegedly servicing this platform, and has said this investigation likely led DDoS-Guard to reincarnate itself as a Russian company in 2014. DDoS-Guard has said they have no knowledge of such an investigation.

Russian state
In January 2014, before DDoS-Guard moved to Russia, the company partnered with one of the largest domain registrars in the country, REG.RU. Shortly after, the company began working with clients associated with the Russian state. In 2016, DDoS-Guard began providing denial-of-service protection to the Russian Ministry of Defence. In 2018, DDoS-Guard helped test the Russian state's deep packet inspection systems. DDoS-Guard works closely with the Russian Central Bank.

HKLeaks
DDoS-Guard hosted a website dedicated to doxing those who participated in the 2019–20 Hong Kong protests. In October 2019, DDoS-Guard acknowledged its business with the doxing campaign, referring to HKLeaks as "our customer". The company said that they stay out of politics and that they receive thousands of abuse complaints claiming that their customer violates the law, but "no legal proofs".

Parler
DDoS-Guard was providing denial-of-service attack protection services to Parler, an American alt-tech social network which was deplatformed by Amazon Web Services and other Internet service providers after the 2021 United States Capitol attack. Wired noted that Parler's choice to use a Russian company for DDoS protection "could expose its users to Russian surveillance if the site someday does relaunch in full with DDoS-Guard" because of the Russian government's projects to isolate the country's internet. In January 2021, the United States House Committee on Oversight and Reform began an investigation into Parler in which they asked Parler for, among other things, information about agreements, documents, and communications with Russian entities. In the letter to Parler requesting this information, committee chair Carolyn Maloney described DDoS-Guard as a company "which has ties to the Russian government and counts the Russian Ministry of Defense as one of its clients".

Kiwi Farms
DDoS-Guard briefly provided denial-of-service attack protection to online stalking and harassment forum Kiwi Farms after Cloudflare canceled services to the site on 3 September 2022. On 5 September 2022, DDoS-Guard dropped them as a client, writing that they had followed a policy of "net neutrality" for years; "however, there are things that are unacceptable for us under any circumstances". They wrote that after receiving multiple complaints, they "analyzed the content of the site" and decided to end service.

FitGirl Repacks
DDoS-Guard provides services for the popular video game piracy website FitGirl Repacks. In 2021, FitGirl Repacks had a dispute with its domain name registrar PublicDomainRegistry (and moved to a different registrar) after The Spamhaus Project named the site on a block list. TorrentFreak stated that the incident may have been caused by other customers of DDoS-Guard engaging in spamming.

Sci-Hub
In 2017, a U.S. court ordered all internet infrastructure companies to stop doing business with Sci-Hub, the shadow library which shares scholarly papers without regard to copyright. As a result, Sci-Hub switched from Cloudflare to DDoS-Guard for DDoS protection. Sci-Hub founder Alexandra Elbakyan says that DDoS-Guard initially contacted her, and that the company volunteered that it works with piracy sites including Rutracker.org. Some experts identify Sci-Hub's use of DDoS-Guard as a security risk, given the company's involvement with the Russian state and the fact that it could monitor Sci-Hub's traffic. Elbakyan says she pays DDoS-Guard about US$1,000 per month (one sixth of Sci-Hub's operating budget), all for DDoS protection; an expert found this amount credible.

Projects
In January 2014, the company partnered with one of the largest domain registrars in the country, REG.RU. In October 2017, DDoS-Guard's software was integrated with ISPmanager, which is a hosting control panel developed by ISPsystem.