Bulletproof Hoster or Proxy Provider? Wrong — It’s Both, or Even More.

Thibault Seret

In recent years, bulletproof hosting providers have started to shift their public face. Instead of openly offering “no-questions-asked” infrastructure, many now operate under the label of proxy or VPN services — some even appearing as bandwidth-sharing or residential proxy platforms.

This evolution is not accidental; it’s a calculated move to reduce legal risk, avoid attention, and make infrastructure investigations much harder. This talk will explore how and why this shift is happening. We'll look at the legal and operational pressures driving this change, and how these providers are adapting to stay relevant — and profitable — in a more hostile environment. At the same time, the technical lines between traditional bulletproof hosting and proxy infrastructure are becoming increasingly blurry, making attribution and threat tracking more challenging.

Using real-world case studies, we’ll break down examples of this hybrid model in action — infrastructure that looks like a proxy service, but behaves like a bulletproof host. The aim is to help defenders, researchers, and decision-makers better understand the tactics behind this shift, and what to watch for when “just a proxy” might be hiding a much bigger problem. Because when everyone’s looking for malware, sometimes the real threat is the middleman.