Listen to this Post

Introduction
Cybersecurity threats are evolving at an alarming pace, and new revelations highlight how organized malicious infrastructures are being leveraged to breach corporate systems worldwide. In mid-2025, cybersecurity researchers uncovered a Ukrainian network launching large-scale brute-force and password spraying campaigns aimed at SSL VPNs and Remote Desktop Protocol (RDP) devices. These attacks demonstrate the growing sophistication of cybercriminal groups who exploit bulletproof hosting providers and offshore networks to remain untouchable.
Full Findings
Between June and July 2025, Ukrainian autonomous system FDN3 (AS211736) was flagged by Intrinsec, a French cybersecurity firm, for massive brute-force and password spraying campaigns. Investigators linked FDN3 to two other Ukrainian networks—VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950)—as well as a Seychelles-based network, TK-NET (AS210848). These networks, first allocated in 2021, were designed to exchange IPv4 prefixes to evade blocklists and sustain abusive activity.
VAIZ-AS currently runs the 185.156.72[.]0/24 prefix, while ERISHENNYA-ASN controls 45.143.201[.]0/24 and 185.193.89[.]0/24. Much of their infrastructure overlaps with TK-NET, which has direct ties to IP Volume Inc., a Seychelles company infamous for bulletproof hosting and owned by individuals previously behind Ecatel—one of Europe’s most notorious cybercrime hosts since 2005.
The investigation revealed that prefixes from these Ukrainian and Seychelles-based networks were funneled into FDN3 in June 2025. One particular range, 88.210.63[.]0/24, had previously been controlled by U.S.-based Virtualine and is now associated with record-breaking brute-force campaigns seen between July 6–8, 2025.
These attacks, lasting up to three days at a time, targeted SSL VPNs and RDP devices. Cybersecurity experts emphasized that ransomware-as-a-service (RaaS) groups such as Black Basta, GLOBAL GROUP, and RansomHub frequently exploit these weak points as their initial entry vector into corporate networks.
Further overlaps revealed that additional FDN3 prefixes, such as 92.63.197[.]0/24 and 185.156.73[.]0/24, originated from TK-NET and were connected to Bulgarian spam networks like ROZA-AS. The similarities in creation dates, hosted content, and shared infrastructure strongly suggested that these networks are run by a single bulletproof hosting administrator.
Researchers also connected FDN3’s operations to Alex Host LLC, a Russian company tied to bulletproof services previously linked with Doppelganger operations. Offshore ISPs like IP Volume Inc. continue to shield these networks through anonymous shell companies such as Global Internet Solutions, Verasel, and Telkom Internet LTD, making it nearly impossible to hold them legally accountable.
Adding to the concerns, Censys identified a connect-back proxy system tied to the PolarEdge botnet, active across 2,400 hosts. This RPX server infrastructure acts as a reverse proxy, potentially enabling threat actors to manage large botnets and disguise malicious traffic.
Together, these findings paint a disturbing picture of coordinated cybercrime infrastructures operating across Ukraine, Russia, Seychelles, and beyond.
What Undercode Say:
The rise of brute-force attacks tied to Ukrainian networks underlines how cybercrime has shifted from isolated hackers to complex, distributed infrastructures. Let’s break down what this means:
Bulletproof Hosting’s Role
Bulletproof hosting services like IP Volume Inc. are the backbone of cybercrime ecosystems. These providers knowingly allow spamming, malware, and botnet operations while hiding behind shell corporations in offshore jurisdictions. Their anonymity shields cybercriminals from legal accountability.
Cross-Border Cooperation Among Cybercriminals
The cooperation between Ukrainian, Russian, and Seychelles-based networks demonstrates a well-oiled criminal machine. Attackers swap prefixes and peer agreements, ensuring that when one IP block is flagged, traffic can quickly shift to another.
Brute-Force as an Entry Point
Brute-force and password spraying remain low-cost yet highly effective tactics. By targeting VPNs and RDPs, attackers exploit human error—weak or reused passwords—before launching ransomware attacks that can cripple businesses.
Why Offshore Matters
Offshore ISPs in places like Seychelles provide cover for these operations. By offering legal gray zones and anonymity, they allow malicious infrastructures to thrive without fear of being dismantled.
Implications for Businesses
Companies that fail to secure remote access systems remain at the mercy of attackers. A single weak VPN credential could allow ransomware groups to infiltrate and demand millions in ransom.
The Link to Ransomware-as-a-Service (RaaS)
Groups such as Black Basta and RansomHub thrive on these brute-force attacks. Once they gain entry, they launch double-extortion ransomware campaigns—encrypting files while threatening to leak stolen data.
The PolarEdge Connection
The discovery of the PolarEdge proxy infrastructure running on over 2,400 hosts shows that attackers are building scalable, modular systems. Even if unrelated to PolarEdge directly, the proxy network demonstrates how cybercriminals manage vast infrastructures while staying hidden.
A Growing Trend
This is not an isolated case. The overlaps in prefixes, creation timelines, and ownership point to a coordinated and long-term cybercriminal strategy dating back to 2021. This pattern suggests these networks will continue to evolve, shifting between ISPs to avoid takedowns.
What Needs to Be Done
Global cooperation is required to tackle offshore ISPs that fuel cybercrime. Without stronger international laws and sanctions, bulletproof hosting providers will continue to operate in jurisdictions that protect them.
Final Analysis
The Ukrainian FDN3 network is just one cog in a much larger cybercriminal wheel. By combining brute-force attacks, bulletproof hosting, and offshore cover, these groups have perfected a formula that businesses and governments must urgently address.
✅ Fact Checker Results
The FDN3 network was indeed flagged for brute-force and password spraying attacks.
Evidence confirms overlap between Ukrainian, Russian, and Seychelles-based networks.
Links to bulletproof hosting providers such as IP Volume Inc. are documented and verified.
🔮 Prediction
The next wave of attacks will likely target cloud-based infrastructures and managed service providers (MSPs), as brute-force attempts expand beyond VPNs and RDPs. Offshore bulletproof hosts will continue shielding cybercriminals until international enforcement tightens. Expect more ransomware outbreaks powered by these very infrastructures.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




