CyberBunker: German Court Convicts Bulletproof Hosting Operators in Landmark Case
For the first time in German history, the operators of a hosting company have been held responsible under criminal law for the crimes committed by their clients. The verdict might have a significant chilling effect on hosting companies. On the other hand, the prosecution was not able to prove a key point of its indictment.
Last year, I reported from the opening session of the CyberBunker case in Trier. This case, which is probably the largest and most elaborate cybercrime trial in the history of Germany, ended today with the conviction of all eight defendants. This marks the first time that operators of a hosting company were held responsible for their customers' content. Nevertheless, the verdict is a bitter blow for the prosecution.
In the trial dealing with the bulletproof hosting company in a former nuke-proof German army bunker on the Moselle, the court has sentenced all eight defendants, seven men and one woman, to prison sentences. The trial is considered a milestone in German jurisprudence, as it marks the first time that the operators of a data centre were held indirectly responsible for crimes committed by their customers. The Trier Regional Court considered it proven that the eight defendants had formed a criminal organisation and directly advertised their services to criminals.
Side note: Even though some of the defendants' names are well known and a matter of record on the public internet, I’m going with established German journalistic best practices in only identifying the defendants by the first letter of their last name (adding the surname initial if that is necessary to tell them apart). I am aware that some defendants are identified in other articles, but there is nothing I can do about that. I also can’t change the fact that some German publications like Bild and Der Spiegel have eschewed this well-established practice required by the German press code.
Mr X, the Dutch main defendant and mastermind behind the plan to convert the old Bundeswehr bunker into a bulletproof data centre, was sentenced to five years and nine months in prison – the prosecution had demanded seven years and six months. His eldest son, X.O., faces four years and three months behind bars. Another five defendants were sentenced to prison terms of between three years and two years and four months. The court sentenced the eighth accused to one year’s imprisonment, which was handed out as a suspended sentence. Except for this eighth defendant, who was still considered a juvenile offender at the time of the arrest warrant, the defendants had already been in pre-trial detention since September 2019.
Heavy Defeat for the Public Prosecutor’s Office
The court agreed with the prosecution’s assessment that the defendants had formed a criminal organisation for the sole purpose of profiting from the crimes of other people. However, when it came to the charge of aiding and abetting more than 250,000 crimes committed by the hosting company’s clients, the court acquitted all defendants. This is a bitter blow to the prosecution, which had considered this to be proven beyond reasonable doubt. Most of the huge trial, which lasted over a year, had been spent on documenting the crimes committed by CyberBunker customers and then proving that the data centre operators knew about them.
Of the eight defendants, only one had made a partial confession. Mr R., who had worked his way up in the bunker hierarchy to become a sort of executive and right-hand man to the main defendant Mr X., had admitted in August to having deliberately turned a blind eye to the criminal activities of some of the data centre’s customers. As a result, the arrest warrant against him was suspended by the court – under vehement protest from the public prosecutor’s office.
It is almost certain that the CyberBunker case will continue to occupy the German court system. Even before the verdict was announced, one of the defence lawyers said that he would appeal the case if there was a conviction. If necessary, they said, they’d appeal to the Federal Court of Justice. An appeal to the Federal Constitutional Court is also being considered. Such a move is not entirely out of the question, as this case is an important precedent in case law that, in the future, could make it easier to prosecute hosting providers for the content that customers host on their servers. That said, this precedent is probably not as serious as it could have been if the prosecution had managed to prove that the operators aided and abetted the crimes of their customers.
An Unprecedented Case
The elaborate trial in the picturesque town on the Moselle had begun in October 2020. The complicated nature of the trial was mainly due to the fact that for the first time in German court proceedings dealing with cybercrime, it was not the perpetrators who were the focus of the trial, but their hosting provider.
It took two trial days per week, during more than a year of proceedings, to sift through the enormous treasure trove of data that the investigators had unearthed during the raid on the bunker in 2019. Among other data, the investigators had gotten their hands on the internal email system of the bulletproof hosting company. These emails, according to the prosecution, were mostly unencrypted and contained much of the operators' communications – both with each other and with their customers.
According to investigators, the bunker on the Moselle hosted four large darknet marketplaces: Cannabis Road, Wall Street Market, Fraudsters and Flugsvamp 2.0. Also served from the hosting company’s servers were three trading sites for experimental synthetic drugs from China and a link list of more than 6500 websites on the Tor network that sold drugs, counterfeit money, contract killings, illegal weapons and child pornography. Finally, the defendants' data centre in Traben-Trarbach had also housed the six command-and-control servers of the Mirai botnet, which, among other things, was used to crash more than one million Deutsche Telekom routers in a failed attack in November 2016. The prosecution claimed the defendants, on their own initiative, had offered help to the now also-convicted owner of the Mirai botnet when his C&C server addresses were blocked by anti-spam providers. In other words, they had tried to sell premium services to the botnet operator to keep his bots functioning.
It is remarkable that, despite the sheer amount of evidence – including from the bunker’s internal email system – the prosecution failed to prove beyond reasonable doubt that the defendants had aided and abetted their clients' crimes.
A Jumble of Follow-Up Cases
The offences committed by CyberBunker customers were mainly violations of the Narcotics Act and the New Psychoactive Substances Act in Germany – i.e. trafficking in illegal substances or drugs. The Swedish police estimated that the Flugsvamp 2.0 marketplace alone accounted for more than 90% of the Swedish drug trade.
So far, 227 follow-up cases against customers of the bulletproof hosting company have resulted from the data analysed in the CyberBunker proceedings in Trier. Most of them, however, had to be dropped because the investigators were not able to identify the customers in question. Some of these proceedings, though, are still ongoing. The biggest follow-up case to the CyberBunker trial was the investigation against the underground marketplace DarkMarket, which was busted in January. Prosecutors called it the world’s largest darknet marketplace. In that case, a man and a woman will have to answer to the Trier Regional Court in a trial starting on 16 December. This case, in turn, has led to 150 arrests around the world as part of “Operation Dark HunTOR”, which targeted sellers and buyers on darknet platforms.
The authorities had surveilled the CyberBunker operators for a long time and also monitored the sites hosted by their customers in order to intercept and seize narcotics and forged documents traded over these platforms for evidence. Investigators infiltrated the data centre in the bunker with an undercover operative who worked as a gardener and day labourer on the bunker premises. In this way, the investigators were able to raid the bunker while the operators were having dinner in a restaurant in Traben-Trarbach at the invitation of the undercover operative. After the raid, the trial process took its course and it does not seem to have reached its end with the current verdict, if one can believe the announcements of the defence lawyers about a threatened appeal. Apparently, the data centre in the Cold War bunker will keep the German courts busy for a while yet.
Header image: The main defendant and his sons in front of the Große Jugendkammer at the Landgericht Trier, awaiting the verdict in the CyberBunker case — Photo by Mario Zender (WochenSpiegel Cochem)