DDOS-GUARD - Yet Another Bulletproof Hosting Company

I woke up one beautiful morning to find a Steam message (8 of the same messages about an hour apart) from a man representing himself as a Jew, informing me of a Karambit CS:GO knife that I supposedly forgot to retrieve. This would be the first time that someone of the Jewish faith reached out to me directly to give me something for free, so naturally, my instincts told me this was going to be fun. I, being the professional internet man that I am, visited the website and was presented with a shitty Steam phishing page. Nothing unusual about that; the internet is full of phishing pages, and people to this day continue to fall for phishing websites even though this got old sometime back in 2010 (kind of on par with Google Dorks).

The steam phishing page in question, hosted on skinlux(.)work - As it appeared April 18th, 2020

Unfortunately for skinlux.work and their respective hosting company, I did not have much to do this week and decided to go down the rabbit hole that is investigating their hosting company and reporting on anything I could find.

Whois records for Skinlux(.)work show that the domain was registered on March 30th, 2020 via eNom. While the whois information is redacted/private, the nameservers showed that the domain was using Cloudflare as a reverse proxy. I headed on over to Cloudflare's Abuse Reporting Form and reported the domain for hosting a phishing page. While Cloudflare will help malicious pages like this hide their real IP and hosting company, Cloudflare often responds to abuse/phishing reports and provides the reporting party with the hosting provider's name and abuse contact email. You can see their reply to my report below:

Reply from Cloudflare to my abuse report - Response received April 18th, 2020

After Cloudflare provided me with the hosting provider's name and abuse email, it was only a matter of some googling and OSINT to get all the information below.

DDOS-GUARD CORP / DDOS-GUARD LTD operates under the domain ddos-guard(.)net and the AS numbers AS57724 and AS262254, with the majority of their IPs located in Russia (AS262254 is the one whose IPs report as being in Belize). They are a registered company in Belize with the registration number 173694; you can reach out to ibcbelize.com to perform a 'search' of the company, in which you pay them $25 to get the Registered Agent, Agent's Address, Registered Office, Public Investment and the Registered Documents, but I don't care enough to pay for that. They are also a limited liability company in Russia, which you may find by searching at https://egrul.nalog.ru/index.html, with a supposed physical address of House 276, Floor 5, Office 11 on Maxim Gorky Street in Rostov, 344019, Russia. The two listed persons for the company are Evgeny Anatolevich Marchenko (ЕВГЕНИЙ АНАТОЛЬЕВИЧ МАРЧЕНКО) and Dmitry Vladimirovich Sabitov (ДМИТРИЙ ВЛАДИМИРОВИЧ САБИТОВ), both of whom hold a 50% stake in the company.

Section of the company file for DDOS-Group

The Russian Wikipedia article for DDOS-Guard lists Evgeny Marchenko and Dmitry Sabitov as the founders of DDOS-Guard. DDOS-Guard signed a partnership agreement with Reg.ru (a quasi-bulletproof domain registrar) in 2014 to supposedly assist in protecting customers from DDOS attacks. You can read an interview with Dmitry Sabitov here. During this interview, Dmitry Sabitov says that Evgeny's new passion was fighting DDOS attacks and that he was eager to help Evgeny with this task. This begs the question of why an IT company that was supposedly created to provide its customers with "high-quality services at affordable prices" and to "get rid of the headaches that are DDOS attacks" is now responsible for hosting thousands of malicious websites with no end in sight.

Evgeniy Marchenko
Map of IP's assigned to AS57724 - As it appeared on April 18th, 2020

DDOS-Guard(.)net was originally registered on January 1st, 2008 with the nameservers ns3.spyderzwebz(.)com and ns4.spyderzwebz(.)com.

The domain was parked and then subsequently dropped on February 1st, 2009 due to a lack of renewal. The domain was re-registered on June 1st of 2011 with the nameservers ns1.reg(.)ru and ns2.reg(.)ru which matches the supposed incorporation date of the company itself.

The domain nameservers were ns1.ddos-guard(.)net, ns2.ddos-guard(.)net, ns3.ddos-guard(.)net, ns4.ddos-guard(.)net, ns5.ddos-guard(.)net and ns6.ddos-guard(.)net, and were amended to ns1.ddos-guard(.)net and ns2.ddos-guard(.)net on February 10th, 2018.

The domain has had Whois privacy enabled for nearly its whole lifetime, except for October 11th, 2017. The whois record on October 11th, 2017 was:

Registrant Contact
Registrant Name: Evgenii Marchenko
Registrant Organization: Private Person
Registrant Street: Vyatskaya str, 55/4-11
Registrant City: Rostov-on-Don
Registrant State/Province: Rostov
Registrant Postal Code: 344065
Registrant Country: RUSSIAN FEDERATION
Registrant Email: support@ddos-guard.net
Registrant Phone: 79282797045
Administrative Contact
Administrative Name: Evgenii Marchenko
Administrative Organization: Private Person
Administrative Street: Vyatskaya str, 55/4-11
Administrative City: Rostov-on-Don
Administrative State/Province: Rostov
Administrative Postal Code: 344065
Administrative Country: RUSSIAN FEDERATION
Administrative Email: support@ddos-guard.net
Administrative Phone: 79282797045
Technical Contact
Technical Name: Evgenii Marchenko
Technical Organization: Private Person
Technical Street: Vyatskaya str, 55/4-11
Technical City: Rostov-on-Don
Technical State/Province: Rostov
Technical Postal Code: 344065
Technical Country: RUSSIAN FEDERATION
Technical Email: support@ddos-guard.net
Technical Phone: 79282797045

The number 79282797045 is in fact from the Rostov region of the Russian Federation and is a mobile phone. Searching that phone number led me to discover that a lot of Russian internet users have been complaining for years about spam and phishing pages hosted by Evgeniy Marchenko. One such report on zvonil.octo(.)net describes the following malicious domains:

SPAMM(.)ME - Registered January 7th, 2018 by a Nikolay Kolchanov with an email of e-pay(.)tv@yandex(.)com, who hosted his malicious website at 190.115.19(.)218 (LACNIC), for which the technical contact was one Evgeniy Marchenko with a telephone number of 79282797045 and email of xengine@mail(.)ru.

SPAMMM(.)INFO - Registered on January 12th, 2018 via Namecheap and located at 190.115.19(.)218 (LACNIC), for which the technical contact was once again Evgeniy Marchenko with the same telephone number and email as the domain above. Spammm(.)info redirected to Goldemails(.)ru at the time of the report (Jan 14, 2018).

MYPAYS(.)Info - Registered January 8th, 2018 by a Nikolay Kolchanov with the email of kolchanov-n@ya(.)ru and also hosted at 190.115.19(.)218 (LACNIC), for which the technical contact was one Evgeniy Marchenko with the same telephone number and email as the domains above.

Nikolay Kolchanov has also been the registrant for the domains 8800(.)city, minisite(.)one, partnerlnk(.)net, v-kontakte(.)co, ellinks(.)org, my-kassir(.)org, partnerslink(.)me, homebusines(.)info, partnerlnk(.)com and qwerty40(.)com.

Evgeny's business email e.marchenko@ddos-guard(.)net does not currently show up on any WHOIS records; however, his personal email xengine@mail(.)ru has registered two domains: cognitive-machines.com and rostov.pet. Historical whois data for rostov.pet shows the following registrant information:

Whois records for ROSTOV.PET
Domain Name: ROSTOV.PET
Registry Domain ID: D503300000006126772-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.key-systems.net
Updated Date: 2017-04-09T19:46:12Z
Creation Date: 2016-02-25T14:54:39Z
Registry Expiry Date: 2018-02-25T14:54:39Z
Registrar Registration Expiration Date:
Registrar: Key-Systems, LLC
Registrar IANA ID: 1345
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: pendingDelete https://icann.org/epp#pendingDelete
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod
Registry Registrant ID: C167765369-LRMS
Registrant Name: Evgeny Marchenko
Registrant Organization: Private Person
Registrant Street: Vyatskaya str
Registrant Street: 55/4-11
Registrant City: Rostov-on-Don
Registrant State/Province: Rostov
Registrant Postal Code: 344056
Registrant Country: RU
Registrant Phone: +7.9282797045
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: support@ddos-guard.net
Registry Admin ID: C198903919-LRMS
Admin Name: Evgeny Marchenko
Admin Organization: Private Person
Admin Street: Vyatskaya str
Admin Street: 55/4-11
Admin City: Rostov-on-Don
Admin State/Province: ROSTOV
Admin Postal Code: 344056
Admin Country: RU
Admin Phone: +7.9282797045
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: xengine@mail.ru
Registry Tech ID: C198903924-LRMS
Tech Name: Evgeny Marchenko
Tech Organization: Private Person
Tech Street: Vyatskaya str
Tech Street: 55/4-11
Tech City: Rostov-on-Don
Tech State/Province: ROSTOV
Tech Postal Code: 344056
Tech Country: RU
Tech Phone: +7.9282797045
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: xengine@mail.ru
Name Server: NS7.EXPIRATIONWARNING.NET
Name Server: NS3.EXPIRATIONWARNING.NET
DNSSEC: unsigned
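The pivot used throughout this post is that the same phone number and email keep turning up across WHOIS records even when the spelling of the name and the layout of the address differ. The following is an added example (not the author's tooling) that parses the kind of "Key: value" WHOIS text quoted above, normalises phone numbers and emails, and reports values shared by more than one record; the two record excerpts are trimmed copies of the ddos-guard(.)net (October 11th, 2017) and rostov.pet data shown on this page, and the helper names are my own.

```python
"""Pivot on contact fields across WHOIS records (added example)."""
from __future__ import annotations
import re
from collections import defaultdict

# Contact field types worth pivoting on; phone and email are normalised
# so that "+7.9282797045" and "79282797045" compare equal.
PIVOT_KEYS = {"phone", "email", "street", "name"}

# Constructed input: trimmed copies of two records quoted in this post.
DDOS_GUARD_NET_2017 = """\
Registrant Name: Evgenii Marchenko
Registrant Street: Vyatskaya str, 55/4-11
Registrant Email: support@ddos-guard.net
Registrant Phone: 79282797045
Technical Email: support@ddos-guard.net
"""

ROSTOV_PET = """\
Registrar Abuse Contact Email:
Registrant Name: Evgeny Marchenko
Registrant Street: Vyatskaya str
Registrant Street: 55/4-11
Registrant Phone: +7.9282797045
Registrant Email: support@ddos-guard.net
Admin Email: xengine@mail.ru
Tech Phone: +7.9282797045
"""


def normalise(field: str, value: str) -> str:
    """Return a comparable form of one contact value."""
    value = value.strip().replace("(.)", ".")  # undo defanged dots
    if field == "phone":
        return re.sub(r"\D", "", value)        # keep digits only
    if field == "email":
        return value.lower()
    return re.sub(r"\s+", " ", value).lower()


def parse_whois(text: str) -> dict[str, set[str]]:
    """Parse 'Key: value' lines into {field type: {normalised values}}.

    Role prefixes (Registrant/Admin/Tech/Billing) are dropped so the same
    person listed in several roles yields one set of values per field
    type; Registrar/Registry lines are skipped as they are not contacts.
    """
    fields: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        parts = key.strip().lower().split()
        if not parts or parts[0] in ("registrar", "registry"):
            continue
        field = parts[-1]                      # "Registrant Phone" -> "phone"
        if field in PIVOT_KEYS:
            fields[field].add(normalise(field, value))
    return fields


def shared_pivots(records: dict[str, str]) -> dict[str, set[str]]:
    """Map 'field=value' to the record names it appears in, keeping only
    values present in at least two records."""
    seen: dict[str, set[str]] = defaultdict(set)
    for name, text in records.items():
        for field, values in parse_whois(text).items():
            for value in values:
                seen[f"{field}={value}"].add(name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Run on the two excerpts, only the phone and the support@ email survive as shared pivots: the name spelling (Evgenii vs Evgeny) and the street split across two lines do not match, which is exactly why phone numbers and emails are the fields worth pivoting on.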

Now let's take a look at some random websites that are utilizing DDOS-Guard nameservers and see if they serve any sort of legitimate purpose because after all I may just be a retard and not know what I'm talking about. Keep in mind I'm not selectively choosing malicious domains, I'm just grabbing random ones from THIS LIST, your mileage will not vary, I promise.

Domain #1 - Benjiro(.)io

Utilizing ddos-guard(.)net nameservers, hosted at 190.115.18(.)235 (DDOS-GUARD CORP) and mail.tutanota(.)de (back to 2010 we go) for the mail server.

Benjiro.io claims to allow users to deposit bitcoin, ethereum and other cryptocurrency and earn 2.1% every day for a period of 20 days. This would mean a 42% return on investment within the 20 day period. Seems too good to be true; I implore you to invest and tell me what happens.

Domain #2 - Cryptosub(.)net

Utilizing ddos-guard(.)net nameservers, hosted at 190.115.30(.)136 (DDOS-GUARD CORP) and mail.cryptosub(.)net for the mail server.

Claims to reward users for promoting cryptocurrencies and to "get highly rewarded for that". Open ports on this IP indicate that this website is hosted on a cPanel server hosted on DDOS-GUARD.

Domain #3 - Free-bitcoin2020(.)com

Same as Cryptosub but hosted at DDOS-Guard IP 190.115.30(.)178, also cPanel. Shitty website with broken English (spoiler alert: most of these sites are shitty and use broken English).

Domain #4 - Oastland(.)biz

Appears to be a woodworking company, but in reality they offer investment options of 5% to 7% daily growth if you invest with cryptocurrencies. Once again a cryptocurrency scam website with DDOS-GUARD DNS servers, A record and mail server. Hosted at IP 190.115.30(.)251 (cPanel).

Domain #5 - Lazy-Revenge(.)com

Another scam website that is a self-proclaimed "high-profile matric project f new generation where all participants are lined from left to right closing each other tables." Yet again hosted with DDOS-Guard and residing on public IP 190.115.21(.)197 (cPanel).

Domain #6 - BitProFund(.)com

A "Safe, high yield industry-specific solution for Private ivestors, Families and more" offering cryptocurrency investment options that scale as high as 250% a day. Everything hosted with DDOS-Guard, A record of 190.115.21(.)230 (cPanel).

Domain #7 - TopVest(.)ltd

Another cryptocurrency investment scam. Resides on 185.178.208(.)154, so not a cPanel site but still hosted with DDOS-Guard and still a scam, only hosted in Russia rather than on an IP pretending to be in Belize.

Domain #8 - Gold8(.)io

Another cryptocurrency scam. Utilizes DDOS-Guard for DNS, web hosting and email. Uses the public IP 190.115.18(.)117 for web hosting and has a mail record pointing at 190.115.21(.)235.

Domain #9 - TurboTaxLogin(.)us

Company claiming to provide third-party support for TurboTax. Definitely a scam. Who would've guessed, it's also hosted with DDOS-Guard and utilizes the IP 190.115.26(.)62. Also appears to be just one site out of thousands of sites owned by contactassistance.com, which is listed as a company called Callspartner located in Delhi, India (but no such entity exists according to India's company search). Most likely a VPS/dedicated server just for Callspartner, as there are a lot of scam support sites under that IP; see screenshot below.

Just 23 out of 5,170 domains pointing to 190.115.26(.)62

Records for contactassistance(.)com show the following information throughout the life of the domain (it is a shitton of data). Not even joking, these people could have a hundred blog posts on just their sites and scummy practices alone.

Whois Records for ContactAssistance(.)com
April 24, 2014
Domain Name: CONTACTASSISTANCE.COM
Updated Date: 21-Mar-2014
Creation Date: 20-Mar-2014
Registrar Registration Expiration Date: 20-Mar-2015
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: clientTransferProhibited
Registrant Name: Nathanniel carter
Registrant Organization: Assit group
Registrant Street: 01bp58245 abj 01
Registrant City: Abidjan
Registrant State/Province: lagune
Registrant Postal Code: 584
Registrant Country: CI
Registrant Phone: +225.22501457845
Registrant Email: alexisabat00@gmail.com
Admin Name: Nathanniel carter
Admin Organization: Assit group
Admin Street: 01bp58245 abj 01
Admin City: Abidjan
Admin State/Province: lagune
Admin Postal Code: 584
Admin Country: CI
Admin Phone: +225.22501457845
Admin Email: alexisabat00@gmail.com
Tech Name: Nathanniel carter
Tech Organization: Assit group
Tech Street: 01bp58245 abj 01
Tech City: Abidjan
Tech State/Province: lagune
Tech Postal Code: 584
Tech Country: CI
Tech Phone: +225.22501457845
Tech Email: alexisabat00@gmail.com
Name Server: ns1.contactassistance.com
Name Server: ns2.contactassistance.com 
November 22, 2016
Domain Name: contactassistance.com
Registrar URL: http://www.godaddy.com
Creation Date: 2016-11-21T16:21:43Z
Registrar Registration Expiration Date: 2017-11-21T16:21:43Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Name: Abhishek Malhotra
Registrant Street: G40
Registrant Street: Vikaspuri
Registrant City: New Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110018
Registrant Country: IN
Registrant Phone: +91.1128543236
Registrant Email: sunny_vgame@yahoo.com
Admin Name: Abhishek Malhotra
Admin Street: G40
Admin Street: Vikaspuri
Admin City: New Delhi
Admin State/Province: Delhi
Admin Postal Code: 110018
Admin Country: IN
Admin Phone: +91.1128543236
Admin Email: sunny_vgame@yahoo.com
Tech Name: Abhishek Malhotra
Tech Street: G40
Tech Street: Vikaspuri
Tech City: New Delhi
Tech State/Province: Delhi
Tech Postal Code: 110018
Tech Country: IN
Tech Phone: +91.1128543236
Tech Email: sunny_vgame@yahoo.com
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
April 19, 2018
Domain name: contactassistance.com
Creation Date: 2016-11-21T08:21:43Z
Registrar Registration Expiration Date: 2019-11-20T16:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Registrar IANA ID: 1868
Registrar Abuse Contact Email: cs@now.cn
Registrar Abuse Contact Phone: +867563810566
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant Name: Prateek kapoor
Registrant Organization: Callspartner
Registrant Street: 58C JG3 Vikas Puri
Registrant City: Delhi
Registrant Province/state: Delhi
Registrant Postal Code: 110018
Registrant Country: IN
Registrant Phone: +91.9990609669
Registrant Fax: +91.9990609669
Registrant Email: callsmaster.india@gmail.com
Admin Name: Prateek kapoor
Admin Organization: Callspartner
Admin Street: 58C JG3 Vikas Puri
Admin City: Delhi
Admin Province/state: Delhi
Admin Postal Code: 110018
Admin Country: IN
Admin Phone: +91.9990609669
Admin Fax: +91.9990609669
Admin Email: callsmaster.india@gmail.com
Tech Name: Prateek kapoor
Tech Organization: Callspartner
Tech Street: 58C JG3 Vikas Puri
Tech City: Delhi
Tech Province/state: Delhi
Tech Postal Code: 110018
Tech Country: IN
Tech Phone: +91.9990609669
Tech Fax: +91.9990609669
Tech Email: callsmaster.india@gmail.com
Name Server: ns200.01isp.com
Name Server: ns201.01isp.net
Billing Name: Prateek kapoor
Billing Organization: Callspartner
Billing Street: 58C JG3 Vikas Puri
Billing City: Delhi
Billing Province/state: Delhi
Billing Postal Code: 110018
Billing Country: IN
Billing Phone: +91.9990609669
Billing Fax: +91.9990609669
Billing Email: callsmaster.india@gmail.com

Domain #10 - Rex-Consulting(.)biz

Oh wow who would've guessed, another fucking cryptocurrency investment site with a 110% weekly return (lmfao). Can you guess what nameservers they use? 190.115.30(.)224 for IP and MX records. Yes it's DDOS-GUARD, they all are.

Domain #11 - Game-of-thrones(.)me

No way that a domain following a show is a cryptocurrency investment site, oh wait, yeah it fucking is. They use a DDOS-GUARD owned IP of 190.115.21(.)204 and also operate a mail server at 116.203.113(.)89 which is, surprisingly, Hetzner, another great hosting company.

Domain #12 - Skladchik.biz

Basically a warez site, which is whatever; it seems to be focused on posting training courses and webinars from a shitton of different fields. They use a DDOS-GUARD IP of 186.2.163(.)63 and THEFIRST-AS IPs of 188.120.239(.)242 and 62.109.21(.)86 for their mail servers. One could argue this is the first out of the 12 domains I've opened that serves a non-scamming purpose (but don't quote me on that).

Domain #13 - CrdClub(.)su

Carding forum with no MX records; obviously follows the trend of using DDOS-GUARD nameservers. Also has a shitton of pointless A records all pointing to DDOS-GUARD IP 186.2.163(.)93.

Domain #14 - Balenciaga-Market(.)ru

Online store with counterfeit Balenciaga products. All hosted on DDOS-Guard and using the IP 185.178.208(.)153.
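The check repeated for each of the 14 domains above is the same: do the nameservers, the A record and the mail server all land on the provider's network? The block below is an added example (not the author's tooling) that runs that triage offline over constructed record sets modelled on the domains in this post. The IP-to-ASN table is an assumption: the two ASNs are the ones named in this post, but the prefix lengths, the Hetzner/Tutanota entries and the mail hostnames marked below are placeholders, since a real run would take them from dig, whois or a BGP feed.

```python
"""Classify which of DNS / web / mail sit on one provider (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed IP->ASN table. The DDOS-Guard ASNs are from this post; prefix
# lengths and the other two owners are placeholders for a real lookup.
ASN_TABLE = {
    "190.115.16.0/20": ("AS262254", "DDOS-GUARD CORP"),
    "186.2.160.0/22": ("AS262254", "DDOS-GUARD CORP"),
    "185.178.208.0/24": ("AS57724", "DDOS-GUARD LTD"),
    "116.203.0.0/16": ("ASxxxx-HETZNER", "Hetzner (placeholder ASN)"),
    "81.3.6.0/24": ("ASxxxx-TUTANOTA", "Tutanota (placeholder)"),
}
PROVIDER_ASNS = {"AS262254", "AS57724"}
PROVIDER_NS_SUFFIX = ".ddos-guard.net"


def ip_to_asn(ip: str) -> tuple[str, str]:
    """Longest-prefix lookup in the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = ("AS?", "unknown"), -1
    for prefix, owner in ASN_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best[1]:
            best = owner, net.prefixlen
    return best[0]


@dataclass
class DomainRecords:
    name: str
    ns: list[str]               # NS targets
    a: list[str]                # A records of the apex
    mx_a: dict[str, list[str]]  # MX target -> its A records ({} if no MX)


def on_provider(ips: list[str]) -> bool:
    return bool(ips) and all(ip_to_asn(ip)[0] in PROVIDER_ASNS for ip in ips)


def triage(rec: DomainRecords) -> dict[str, bool | None]:
    """True = on the provider, False = elsewhere, None = no record."""
    dns = bool(rec.ns) and all(
        n.lower().rstrip(".").endswith(PROVIDER_NS_SUFFIX) for n in rec.ns)
    mail_ips = [ip for ips in rec.mx_a.values() for ip in ips]
    return {"dns": dns, "web": on_provider(rec.a),
            "mail": on_provider(mail_ips) if rec.mx_a else None}


def fully_hosted(records: list[DomainRecords]) -> list[str]:
    """Domains whose DNS, web and mail all sit with the provider."""
    return [r.name for r in records if all(triage(r).values())]


NS = ["ns1.ddos-guard.net", "ns2.ddos-guard.net"]
# Constructed record sets; "mail.<domain>" hostnames are placeholders.
SAMPLES = [
    DomainRecords("benjiro.io", NS, ["190.115.18.235"],
                  {"mail.tutanota.de": ["81.3.6.162"]}),
    DomainRecords("game-of-thrones.me", NS, ["190.115.21.204"],
                  {"mail.game-of-thrones.me": ["116.203.113.89"]}),
    DomainRecords("gold8.io", NS, ["190.115.18.117"],
                  {"mail.gold8.io": ["190.115.21.235"]}),
    DomainRecords("crdclub.su", NS, ["186.2.163.93"], {}),
    DomainRecords("topvest.ltd", NS, ["185.178.208.154"], {}),
]
```

Running `fully_hosted(SAMPLES)` flags only gold8.io, while benjiro.io and game-of-thrones.me show the split the post describes (web on DDOS-Guard, mail at a third party) and the two no-MX forums come back with mail unknown rather than silently passing.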

I could keep going but it's kind of pointless; going down the list, all you'll find is cryptocurrency investment scams, telephone support scams, carding forums and maybe a couple of businesses that appear to be legitimate. All I know is that the majority of the domains I looked at are scams. The fact that nearly all these websites continue to stay online is proof in and of itself that the majority of DDOS-Guard's revenue comes from hacking groups and scammers. One could infer that they must cater to such customers, or at the very least invite them to use their services by failing to remove malicious actors from their network.

DDOS-Guard acts against its own published Acceptable Use Policy (AUP) by allowing the majority of its customers to continue to operate. Given that over 75% of their customer base is engaged in 'attempting without authorization to access a computer system', 'pirating (distributing copyrighted material in violation of copyright law)', as well as 'gambling; schemes to defraud;', it goes to show that they do not actually enforce their own AUP.

DDOS-GUARD's AUP as seen on 4/18/2020

Reading their AUP does have its benefits though. We get to find out that they now refer to themselves as COGNITIVE CLOUD L.P., which is a company registered in the United Kingdom. Their UK company was registered on November 24th, 2017 and has the LP number SL032463, with a registered office address of 18 S1 Forth Street, Scotland, United Kingdom, EH1 3LH.

CompaniesHouse registration of Cognitive Cloud L.P.

The address listed for the company is one of hundreds of virtual office addresses available on various sites including Regus.de

One other address that shows up on some of the filings for their UK company is Golden Cross House, 8 Duncannon Street, Office 504, London WC2N 4JF, UK, which is another virtual office.

The UK company lists Evgenii Marchenko (DOB Feb 1982) and Aleksei Likhachev (DOB October 1967) as the two active persons with significant control. Aleksei Likhachev is listed as the CISO of DDOS-GUARD LTD on TAdviser.com and Xing.com.

Photo of Aleksei Likhachev from Xing.com

Anyway, now that I've established what the average customer of DDOS-Guard looks like, it's time to talk about the people behind it.

Evgeny Marchenko was born on 02/27/1982 and is currently the General Director of DDOS-Guard, which has the PSRN number 1149204010988 and was registered on 07/29/2014 with an authorized capital of 10 000 rubles. He attended Don State Technical University (DSTU). He is also the General Director of Cognitive Machines, a joint stock company with the PSRN 1166196090862, registered on 08/05/2016 with an authorized capital of 750 000 rubles and located at 344019, Rostov region, Rostov-on-Don, Maxim Gorky street, house 276, floor 5, offices 19, 20 and 23.

Dmitry Vladimirovich Sabitov is currently the General Director of DDOS-Guard as well as the General Director of ISK LLC a/k/a 'Information Systems Consulting', with the PSRN number 1187746325029, which was registered on 03/22/2018 with an authorized capital of 10 000 rubles and an address of 115407, Moscow city, Nagatinskaya embankment, building 56a, underground pom I to 9 of 1.

During the course of my autistic 'investigation', I also found plenty of reviews on various forums regarding DDOS-Guard complaining that the company is full of liars, that the stability and latency of the network are sub-par and that the DDOS protection barely even works. Imagine you create a DDOS protection service that sucks so much penis you have to resort to providing services to low-life scum like telemarketing scammers and phishing page owners, since they don't care about latency and shitty service.

It's also important to note that AS262254 was once named Dancom Ltd (and continues to be broadcast as such in a lot of places) and has had reports regarding bitcoin scams and phishing pages from various sources, most notably Cisco Umbrella, which referred to AS262254 by its 'other' name DANCOM LTD and listed it as being a part of the DDOS-GUARD bulletproof hosting structure. MalwareURL also lists several malicious domains and IPs originating from AS262254, which you can review here. Dancom LTD is an inactive company in Belize with the registration number 115964, so it's pretty safe to say that Dancom LTD is now DDOS-Guard LTD.

As you can see, these activities haven't exactly gone unnoticed, even being reported on the RIPE mailing list, where the mentioned ASNs were registered by the same party using different company names and addresses. One of the ASNs that was registered was the ASN that now belongs to DDOS-GUARD, AS57724, and it was originally registered with the domain id-trafic.ro.

Hosting providers like this have popped up and disappeared throughout the better part of two decades and I don't think we'll see anything changing any time soon. I'll add more info and other parts to this as I have time to research more.