Executive Summary and Provider Overview
Quick-Reference Attributes
| Common Names | DEDBROPRO; DedBro; DEDBRO; dedbro.pro |
|---|---|
| Node Type | Bulletproof Hosting Provider |
| Status | Active — AS operational; Carder.su advertising confirmed March 2026; malware hosting and C2 documented through May 2025 |
| Entity Registration Jurisdiction | Estonia (EE) — Vault Dweller OU (ORG-VDO2-RIPE), Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn. Registered as an LIR (Local Internet Registry) under RIPE. [13] |
| Infrastructure Hosting Jurisdiction | Bulgaria (BG) — assessed primary, per IP geolocation of documented C2 endpoints (195.82.147.x). Estonia (EE) — AS registration jurisdiction. [6][7] |
| Operator Location | Unknown — no named individual identified in open sources. Estonian entity registration does not confirm operator nationality or physical location. |
| Active Period | AS203834 created 2022-07-19; first ThreatFox sighting 2024-10-16; first URLhaus listing 2025-03-18; Carder.su advertisement confirmed March 2026. [1][7][9][2] |
| Primary ASN | AS203834 — dedbropro-as (Vault Dweller OU, Estonia) |
| IPv4 Prefix | 195.82.146.0/24 — single confirmed /24 allocation. C2 activity documented in adjacent 195.82.147.x space. [11][12] |
| Upstream Transit | AS44901 — Belcloud (Bulgaria); AS20764 — CJSC RASCOM (Russia). [11][14][15] |
| Abuse Contact | abuse@dedbro.pro (RIPE record); @dedbropro (Telegram); xmpp@dedbro.pro (Jabber). [3][2] |
| Billing Platform | cp.dedbro.pro — ISPmanager / billmgr (confirmed via direct site fetch). [3] |
| Sanctions | None — no OFAC, EU, or UK FCDO designations against entity, operator handle, or associated wallets as of June 2026. |
| ThreatFox Standing | 307 IOCs on AS203834 ASN report (all hosted IOCs); 23 tagged DEDBROPRO-AS sightings; first tag 2024-10-16, last tag 2025-05-30. [1][7] |
| Spamhaus SBL Status | Unknown — operator explicitly states "We do not hold Spamhaus" and promises service suspension if SBL is received. Per-prefix SBL/CBL/XBL status was not confirmed in this pass. [2] |
| Prohibited Activities | CIS-region targeting; email spam; DDoS attacks; child and animal sexual abuse material; terrorism. [2] |
| Payment Methods | Bitcoin and other cryptocurrencies (explicit); no fiat, card, or legacy e-money confirmed. [2] |
| State Nexus Tier | Tolerated Safe Harbor (Tier 2 of 4) — assessed, based on operational persistence without enforcement and dual transit routing through Bulgaria (EU) and Russia (RASCOM). No evidence of active state cooperation or control. |
Overall Assessment
DEDBROPRO (operating as dedbro.pro, brand handle "DedBro") is a newer bulletproof hosting (BPH) entrant offering dedicated servers, NVMe VPS, and VPN services on an explicitly anonymous and abuse-tolerant basis. The provider's infrastructure is registered under the Estonian company Vault Dweller OU (AS203834, dedbropro-as), with operational address-space activity observed primarily in Bulgaria. As of June 2026, DEDBROPRO is actively advertising to criminal audiences via Carder.su and maintains a public English-language commercial website at dedbro.pro that markets services without KYC requirements and accommodates clients whose "projects might encounter issues or complaints." [2][3]
Abuse telemetry from abuse.ch's ThreatFox identifies 307 indicators of compromise hosted on AS203834 over the trailing twelve months, with confirmed SectopRAT and Remcos remote access trojan (RAT) command-and-control (C2) infrastructure in the 195.82.147.x space, and generic malware distribution (unattributed PE executables) from 195.82.146.34 documented by URLhaus beginning March 2025. Criminal forum advertising on Carder.su (March 2026) explicitly endorses use for "scan, brute force and other projects," placing this provider unambiguously in the bulletproof hosting category rather than the privacy-hosting or grey-area hosting categories. [1][7][8][9][2]
No law enforcement actions, arrests, indictments, seizures, or sanctions designations targeting DEDBROPRO, Vault Dweller OU, or identified operators have been documented as of June 2026. The provider's single /24 address block, Estonian entity registration (EU regulatory jurisdiction), and dual upstream routing through a Bulgarian transit provider and a Russian ISP (RASCOM, AS20764) represent the primary structural leverage points available to investigators and network operators seeking to degrade this provider's operational capability. [11][13][14][15]
Lineage and Organizational Heritage
Predecessor and Sibling Analysis
No public evidence links DEDBROPRO or Vault Dweller OU to prior-generation BPH brands (such as Maxided, Yalishanda, Media Land LLC, McColo, or 3FN) or to currently active BPH brand clusters (such as PROSPERO/Bearhost, Zservers, or Stark Industries). AS203834 was created on 2022-07-19, making this a relatively recent autonomous system without the multi-year lineage typical of established BPH conglomerates. The provider is assessed as a newer, independent market entrant rather than a rebrand or shell of an existing criminal infrastructure operation. Confidence: Credible (absence of evidence with moderate search depth; deeper WHOIS history and criminal forum cross-referencing could revise this). [1][11][12][13]
One source in the underlying research attributed IP 195.82.146.34 to "AS47105 dedbropro." Follow-on verification confirms that 195.82.146.0/24 is registered to AS203834 (Vault Dweller OU), not AS47105. AS47105 does not appear in BGP data as a DEDBROPRO-associated ASN. The discrepancy likely reflects stale IP intelligence data in the upstream source's ASN lookup. AS203834 is the sole confirmed autonomous system for this provider. [11][12]
Brand Continuity and Entity Structure
| Entity / Brand | Type | Role | Active Window | Confidence |
|---|---|---|---|---|
| DEDBROPRO / DedBro / dedbro.pro | BPH brand; commercial website; forum advertising identity | Primary consumer-facing brand; sells directly to criminal end-users via website and chat channels | Website live since at least 2024 (copyright footer "© 2024 DEDBRO.RPO"); Carder.su ad March 2026 | Confirmed |
| Vault Dweller OU | Estonian LLC; RIPE LIR (Local Internet Registry) | Corporate shell holding AS203834 registration; abuse contact entity; RIPE organization ORG-VDO2-RIPE | AS203834 created 2022-07-19; RIPE record last updated 2025-03-13 | Confirmed |
| AS203834 (dedbropro-as) | Autonomous System | Network infrastructure backbone; single /24 prefix 195.82.146.0/24; upstream via Belcloud (AS44901) and RASCOM (AS20764) | Created 2022-07-19; abuse activity documented from 2024-10-16 onward | Confirmed |
Evidentiary Pillars
Confirmed: The RIPE database records AS203834 with AS-name "dedbropro-as" and organization "Vault Dweller OU." ThreatFox tags abuse.ch IOCs hosted on this ASN with the label "DEDBROPRO-AS." The Carder.su forum thread links the "DedBro" advertising handle to dedbro.pro, Telegram @dedbropro, and Jabber xmpp@dedbro.pro, all consistent with the dedbro.pro commercial brand. Multiple independent sources converge on this attribution. [1][2][3][5][7]
Confirmed: abuse.ch ThreatFox's ASN-level tagging confirms that malware C2 IPs (195.82.147.x) detected by the security community resolve within AS203834 (dedbropro-as). URLhaus host records link IP 195.82.146.34 to malware-serving URLs. Both data sources are independent of the Carder.su and dedbro.pro commercial evidence and reinforce the same infrastructure attribution. [1][7][8][9]
Operator Profiles
No named individual, sanctioned person, or indicted defendant has been publicly linked to DEDBROPRO, dedbro.pro, or Vault Dweller OU as of June 2026. The sole operator-attributable identifier is the forum handle "DedBro" used on Carder.su. All operator information below reflects an unknown individual or individuals behind the Vault Dweller OU entity.
2.1 Handle: "DedBro"
| Handle / Aliases | DedBro (Carder.su advertising account); DEDBRO (capitalized brand variant); dedbropro (Telegram handle @dedbropro) |
|---|---|
| Assessed Nationality | Unknown — Estonian entity registration does not imply operator nationality. Russian-language forum advertising on Carder.su is consistent with a Russian or CIS-origin operator but is not determinative. The CIS-exclusion policy (do not target CIS) is consistent with an operator seeking to minimize exposure to domestic law enforcement. |
| Assessed Location | Unknown — no geolocatable signals in open sources. Vault Dweller OU registered in Tallinn, Estonia; physical presence in Estonia is unconfirmed and cannot be inferred from RIPE registration alone. |
| Forum Activity | Carder.su advertising thread, March 2026. Advertising profile categorized as "Guest" (non-member advertiser) on Carder.su. No confirmed activity on Exploit, XSS, WWH-Club, or other major underground forums in open sources for this pass. |
| Current Legal Status | At large — no public arrest, indictment, criminal charges, or sanctions designation. |
| Sanctions Designations | None. |
2.2 Entity: Vault Dweller OU
| Registered Jurisdiction | Estonia (EE) — European Union jurisdiction. |
|---|---|
| RIPE Organization ID | ORG-VDO2-RIPE |
| Registered Address | Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn, Estonia |
| Phone (RIPE record) | +37125479008 |
| RIPE LIR Status | Registered Local Internet Registry (LIR) — direct RIPE member organization with address space allocation rights. |
| AS203834 Created | 2022-07-19 |
| AS203834 Last Modified | 2024-09-02; last updated 2025-03-13 (per RIPE/BGP data). [4][5] |
| Abuse Contact | abuse@dedbro.pro |
| Sanctions Status | None — Vault Dweller OU does not appear on OFAC SDN list, EU Official Journal sanctions, or UK FCDO consolidated list as of June 2026. |
Disputed Assessments
Gap: No Formal Vendor Assessments. No major security vendors have published assessments specific to DEDBROPRO as of June 2026. Primary attribution and infrastructure data derive from abuse.ch community feeds (ThreatFox, URLhaus), a researcher disclosure on X (@drb_ra), and direct site and forum analysis. No vendor-to-vendor disagreements exist because no vendors beyond the abuse.ch community have formally assessed this provider in the open. This is an intelligence gap rather than a dispute.
Operational and Business Model
Service Model
DEDBROPRO operates as a direct-to-criminal bulletproof hosting provider, selling compute infrastructure (dedicated servers, NVMe virtual private servers) and VPN access on an anonymous, no-KYC basis with explicit tolerance for abuse-prone use cases. The service model combines a public English-language commercial website (dedbro.pro) with direct outreach channels (Telegram @dedbropro, Jabber xmpp@dedbro.pro) and criminal forum advertising (Carder.su). The provider's stated value proposition centers on: (1) anonymity ("We do not request KYC, phone number verification, or any other personal identification"), (2) abuse accommodation ("If your project might encounter issues or complaints, please let us know"), (3) DDoS resilience ("Free 500Gbps DDoS Protection"), and (4) round-the-clock human support. [2][3]
The Carder.su advertisement specifies tolerance for "scan, brute force and other projects upon agreement," confirming that the service model explicitly accommodates network scanning, credential brute-forcing, and unspecified additional attack infrastructure, with the euphemism "upon agreement" likely referring to advance disclosure to avoid automated abuse detection by upstream providers. [2]
Verbatim Advertising Copy
"- Scan, brute force and other projects are allowed on the servers upon agreement;"
"- We will select solutions for your tasks;"
"- Round-the-clock support 24/7/365;"
"- We accept bitcoin and other cryptocurrencies."
"Bulletproof dedicated and virtual servers from Bro!"
"How to place an order: You can place an order on the website or directly through our contacts without registration."
"The following is prohibited on servers:
- Work on the CIS;
- E-mail spam;
- DDoS attacks;
- Hosting child and zoo topics;
- Terrorism."
"We do not hold Spamhaus. In case of receiving SBL, the service will be suspended."
"Contacts: Jabber: xmpp@dedbro.pro / Telegram: @dedbropro / Website: dedbro.pro"
"Loyalty — We are dedicated to our clients and always ready to accommodate and find solutions. If your project might encounter issues or complaints, please let us know."
"Anonymously — We do not request KYC, phone number verification, or any other personal identification. Your privacy is our priority."
"24/7/365 Support — Our managers and IT specialists are available to assist with any question at any time."
"Contact us: @dedbropro / abuse@dedbro.pro"
"Abuse report / © 2024 DEDBRO.RPO"
Pricing and Service Tiers
| Product | Entry Price | Specifications | DDoS Protection | Setup Time |
|---|---|---|---|---|
| Dedicated Servers | $149 / month | 1 Gbps shared bandwidth; software RAID; virtual KVM console; OS of choice. Example configs: Xeon E3-1241v3 (8x3.90GHz, 8GB RAM, 120GB SSD) to 2x Xeon Platinum 8268 (96x3.90GHz, 512GB RAM, 2TB SSD) | Free 500 Gbps | 2 hours |
| 10 Gbps Dedicated | $300 / month | Dedicated 10 Gbps channel; VLAN included; iLo / IPMI / KVM on request; any OS. Note: this tier appears on the commercial website but was not included in the March 2026 Carder.su advertisement, suggesting it was added or promoted separately. | Not specified | From 6 hours |
| NVMe VPS | $5 / month (Starter) to $80 / month (Pro) | KVM virtualization; 100 Mbps bandwidth; backups on request. Tiers: Starter (1 vCPU / 512MB / 10GB SSD), Micro ($15), Basic ($25 / 2 vCPU / 2GB / 30GB), Standard ($45 / 4 vCPU / 4GB / 50GB), Pro ($80 / 8 vCPU / 8GB / 100GB), Custom from $15. | Free 500 Gbps | 1 minute |
| VPN | $5 / month | Protocols: OpenVPN, Shadowsocks, L2TP/IPsec, TOR VPN. Protocol of customer choice. | Not specified | 1 minute |
| Custom Solutions | Price on request | "We will select a solution for your project and specific task." Suggests willingness to accommodate bespoke criminal infrastructure requirements. | Varies | Varies |
Discounts are offered for ordering three or more services or for prepayment of three months or more. [3]
Onboarding and Client Acquisition
Onboarding is explicitly low-friction: customers may place orders via the commercial website (cp.dedbro.pro running ISPmanager/billmgr) or "directly through our contacts without registration." The no-KYC and no-phone-verification policy is stated twice across the commercial site and the forum advertisement. Contact channels include the Telegram handle @dedbropro (public, indexed) and Jabber XMPP (xmpp@dedbro.pro), the latter providing encrypted messaging for operationally sensitive discussions. This structure mirrors standard BPH onboarding patterns: a public commercial face for discovery, chat-based sales for friction-free provisioning of abuse-tolerant resources. [2][3]
Abuse Handling and LE Posture
DEDBROPRO's stated abuse posture contains an internal tension that is common to BPH operators seeking to maintain partial legitimacy:
- The Carder.su ad explicitly accommodates "scan, brute force and other projects" — confirming criminal use tolerance.
- The same ad states "We do not hold Spamhaus. In case of receiving SBL, the service will be suspended" — indicating willingness to remove some abusive clients under narrow, blocklist-driven conditions.
- The public website includes an "Abuse report" link and the abuse contact abuse@dedbro.pro — providing cosmetic compliance infrastructure without evidence of meaningful abuse response.
The practical posture, as evidenced by 307 ThreatFox IOCs and sustained malware C2 and distribution hosting from late 2024 through at least May 2025, is abuse-tolerant with selective (and probably rare) enforcement when Spamhaus SBL pressure would threaten the provider's ability to maintain upstream peering relationships. [1][2][3][7]
OPSEC
Operator-level OPSEC indicators: anonymous advertising via forum "Guest" account on Carder.su; Jabber/XMPP contact (encrypted, no phone-linked identity); Telegram (pseudonymous). No Russian-language linguistic slippage visible in available advertising copy. The CIS-exclusion policy functions as a LE-risk management mechanism, reducing the probability of Russian-language victim complaints that could draw domestic attention. Estonian RIPE registration as an LIR adds a layer of apparent legitimacy (recognized regional registry member) while placing the entity in EU jurisdiction where direct law enforcement requests could theoretically be served. [2][3][13]
Technical Capabilities and Infrastructure Footprint
ASN Registration
| Field | Value | Source |
|---|---|---|
| AS Number | AS203834 | [11][12] |
| AS Name | dedbropro-as | [1][5] |
| Organization | Vault Dweller OU (ORG-VDO2-RIPE) | [5][13] |
| Country (Registration) | Estonia (EE) | [1][4][5] |
| Registered Address | Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn, Estonia | [13] |
| Phone (RIPE) | +37125479008 | [13] |
| Abuse Contact | abuse@dedbro.pro | [5] |
| RIPE LIR | Yes — Vault Dweller OU is a RIPE member LIR with direct allocation rights | [13] |
| AS Created | 2022-07-19 | [4][5] |
| AS Last Modified | 2024-09-02 | [4][5] |
| RIPE Record Last Updated | 2025-03-13 | [4][5] |
IP Ranges and Geolocation
| Prefix | Allocation | Geolocated Country | Documented Use | Confidence |
|---|---|---|---|---|
| 195.82.146.0/24 | Confirmed RIPE allocation to AS203834 / Vault Dweller OU | Bulgaria (BG) — per IP intelligence sources; Estonian AS registration | Malware distribution hosting (195.82.146.34 serving 888.exe, AMA.exe per URLhaus) | Confirmed |
| 195.82.147.x | Adjacent range; appears in ThreatFox IOC data. Full allocation status of /24 not independently confirmed in this pass — may be part of a larger DEDBROPRO block or a neighboring allocation. | Bulgaria (BG) — per geolocation of 195.82.147.97 in open source data | SectopRAT C2 (195.82.147.132:15747); Remcos C2 unverified (195.82.147.97:443) | Credible (ThreatFox tags as DEDBROPRO-AS; full allocation status not independently confirmed) |
Data Center Footprint
DEDBROPRO's marketing claims "high-quality equipment located in the world's leading data centers" and offers hardware configurations consistent with a dedicated server reseller or colo customer rather than a facility owner. IP geolocation data (Bulgarian geolocations for C2 IPs) is consistent with the Belcloud (AS44901) upstream peering, which is a Bulgarian transit provider. No specific facility names or addresses in Bulgaria or Estonia are documented in open sources. Given the single /24 address block and startup-scale pricing structure, DEDBROPRO almost certainly leases rack space or individual server units from one or more wholesale providers rather than owning physical data center infrastructure. [3][6][11]
Upstream Transit Provider Chain
AS203834 (dedbropro-as) peers with two upstream transit providers, confirmed via BGP data: [11][14][15]
| ASN | Name | Country | Tier | Notable Upstreams | Significance |
|---|---|---|---|---|---|
| AS44901 | Belcloud | Bulgaria (BG) — EU | Regional transit / IP transit provider | Seabone (AS6762), Hurricane Electric (AS6939), Telefonica (AS12956), Level3/Lumen (AS3356), GTT (AS3257) | Primary IP transit path; Bulgarian routing consistent with IP geolocation data for DEDBROPRO addresses. Belcloud is a mid-tier Eastern European transit provider with connections to major Tier-1 carriers. EU jurisdiction creates potential de-peering leverage. |
| AS20764 | CJSC RASCOM | Russia (RU) | Russian ISP / transit provider | Cogent (AS174), Level3/Lumen (AS3356), Beeline/VimpelCom (AS3216), MTS (AS8359), TTK (AS20485), Rostelecom (AS12389) | Russian upstream path for AS203834. RASCOM is a legitimate Russian commercial ISP; its presence as a DEDBROPRO upstream is notable in that it routes DEDBROPRO through Russian network infrastructure despite the Estonian entity registration. RASCOM provides global connectivity to many clients and its routing of DEDBROPRO does not by itself indicate state coordination. See Section 07 for nexus assessment. |
No documented de-peering events against AS203834 were identified in this research pass. No BGP community posts, network operator mailing list (NANOG, RIPE NCC) discussions, or news reports citing upstream action against DEDBROPRO were found. This may reflect the provider's relatively low profile relative to larger BPH operations, or insufficient time depth given the AS was created in 2022. Absence of documented de-peering is explicitly noted here per schema requirements; it should not be interpreted as evidence that no complaints have been filed with Belcloud or RASCOM.
Resilience Techniques
DEDBROPRO's resilience posture, as evidenced by the available data, relies primarily on: (1) DDoS mitigation (500 Gbps claimed, likely via upstream scrubbing or a commercial DDoS protection service); (2) moderately persistent IP allocations (SectopRAT and Remcos C2 endpoints documented over multiple months rather than hours, suggesting slow-burn resilience rather than fast-flux techniques); and (3) a consolidated ASN and addressing structure that allows the operator to re-provision customer services within the same IP space when individual IPs are burned. No fast-flux DNS, domain generation algorithms, or Tor-based resilience mechanisms are documented for the DEDBROPRO platform itself, though individual criminal clients may use such techniques independently. [2][3][7][8]
Hosted Activity Types
| Activity Type | Documented Indicator | Source | Confidence |
|---|---|---|---|
| SectopRAT (ArechClient) C2 | 195.82.147.132:15747 — ThreatFox IOC #1520971, tagged botnet_cc, confidence HIGH, first seen 2025-05-13, AS203834 | abuse.ch ThreatFox [8][7][1] | Confirmed |
| Remcos RAT C2 | 195.82.147.97:443 — ThreatFox tag DEDBROPRO-AS, Remcos, tagged "unverified"; disclosed by @drb_ra on X, May 2025; Bulgaria geolocation | abuse.ch ThreatFox [7]; @drb_ra [6] | Credible (Note: unverified tag in ThreatFox) |
| Generic malware distribution | 195.82.146.34 — URLhaus host, serving URLs https://195.82.146.34/888.exe and https://195.82.146.34/AMA.exe; first seen 2025-03-18 | abuse.ch URLhaus [9] | Confirmed (family not attributed in available data) |
| Network scanning and brute force | Operator-stated policy: "Scan, brute force and other projects are allowed on the servers upon agreement" | Carder.su advertisement [2] | Analyst Inference (policy implies hosting; no specific scanning source IPs documented) |
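
The indicators in the two tables above can be applied to egress logs as a tiered match, so that an exact C2 endpoint hit outranks a bare prefix hit. This is an added example, not part of the original profile: the log format and sample lines are constructed, and reading "195.82.147.x" as a /24 is an assumption.

```python
import ipaddress
import re

# Indicators copied from this profile's tables.
CONFIRMED_PREFIX = ipaddress.ip_network("195.82.146.0/24")
# Assumption: the profile writes "195.82.147.x"; it is read here as a /24.
ADJACENT_RANGE = ipaddress.ip_network("195.82.147.0/24")
ENDPOINTS = {
    ("195.82.147.132", 15747): ("SectopRAT C2", "Confirmed"),
    ("195.82.147.97", 443): ("Remcos C2 (unverified in ThreatFox)", "Credible"),
}
HOSTS = {"195.82.146.34": ("malware distribution host (URLhaus)", "Confirmed")}
# Lower rank sorts first: the most specific match is the most actionable.
RANK = {"endpoint": 0, "host": 1, "confirmed-prefix": 2, "adjacent-range": 3}

# Constructed log format: "<ts> <action> <proto> <src>:<port> -> <dst>:<port> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?:TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(dst_ip, dst_port):
    """Return (match_type, detail, confidence) for a destination, or None."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None  # not a valid address, e.g. "999.1.1.1"
    ip = str(addr)
    if (ip, dst_port) in ENDPOINTS:
        detail, confidence = ENDPOINTS[(ip, dst_port)]
        return ("endpoint", detail, confidence)
    if ip in HOSTS:
        detail, confidence = HOSTS[ip]
        return ("host", detail, confidence)
    if addr in CONFIRMED_PREFIX:
        return ("confirmed-prefix", "AS203834 allocation 195.82.146.0/24", "Confirmed")
    if addr in ADJACENT_RANGE:
        # Allocation of this range is not independently confirmed in the profile.
        return ("adjacent-range", "195.82.147.x adjacent range", "Credible")
    return None


def triage(lines):
    """Aggregate matching flows per (src, dst, port); most specific match first."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # malformed or unrelated line
        dport = int(m["dport"])
        hit = classify(m["dst"], dport)
        if hit is None:
            continue
        rec = findings.setdefault((m["src"], m["dst"], dport), {
            "src": m["src"], "dst": m["dst"], "dport": dport,
            "match": hit[0], "detail": hit[1], "confidence": hit[2],
            "count": 0, "allowed": 0, "first": m["ts"], "last": m["ts"],
        })
        rec["count"] += 1
        rec["allowed"] += m["action"] == "ALLOW"
        # ISO 8601 UTC timestamps compare correctly as strings.
        rec["first"] = min(rec["first"], m["ts"])
        rec["last"] = max(rec["last"], m["ts"])
    return sorted(findings.values(), key=lambda r: (RANK[r["match"]], -r["count"]))


# Constructed sample: internal sources and the non-matching destination are made up.
SAMPLE_LOG = """\
2025-05-14T09:12:03Z ALLOW TCP 10.20.3.17:51544 -> 195.82.147.132:15747 bytes=18432
2025-05-14T09:17:03Z ALLOW TCP 10.20.3.17:51602 -> 195.82.147.132:15747 bytes=17990
2025-05-14T09:22:04Z DENY TCP 10.20.3.17:51660 -> 195.82.147.132:15747 bytes=0
2025-05-14T09:30:41Z ALLOW TCP 10.20.8.5:40212 -> 195.82.146.34:443 bytes=912044
2025-05-14T09:31:10Z ALLOW TCP 10.20.8.9:40990 -> 195.82.146.77:22 bytes=2048
2025-05-14T09:33:52Z ALLOW TCP 10.20.4.2:55120 -> 195.82.147.97:8443 bytes=640
2025-05-14T09:35:00Z ALLOW TCP 10.20.4.2:55121 -> 198.51.100.10:443 bytes=5120
garbage line without the expected fields
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['match']:<17} {f['confidence']:<9} {f['src']} -> {f['dst']}:{f['dport']} "
              f"x{f['count']} (allowed {f['allowed']}) {f['detail']}")
```

The connection to 195.82.147.97 on port 8443 falls to the adjacent-range tier because only port 443 is documented for that address; repeated allowed flows to an exact endpoint, as with the first source host, are the pattern to escalate first.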
Blocklist Standing
| Blocklist | Status | Detail |
|---|---|---|
| ThreatFox (abuse.ch) | Listed | 307 IOCs on AS203834 ASN report (all IOCs with IPs hosted on this AS); 23 tagged sightings under DEDBROPRO-AS tag; first seen 2024-10-16, last seen 2025-05-30. Malware families: SectopRAT, Remcos. [1][7] |
| URLhaus (abuse.ch) | Listed | Host 195.82.146.34 documented serving malware URLs; first seen 2025-03-18. [9] |
| Spamhaus SBL / CBL / XBL / PBL | Unknown | Operator explicitly states "We do not hold Spamhaus. In case of receiving SBL, the service will be suspended" — indicating awareness of SBL exposure risk and a policy of selective ejection of SBL-triggering clients. Per-prefix SBL/CBL/XBL/PBL listing status was not confirmed via direct dataset query in this pass. This is an open item. [2] |
| Spamhaus DROP / EDROP | Unknown | AS203834 does not appear on the Spamhaus Don't Route or Peer (DROP) ASN list in available data; however, DROP inclusion is not routinely confirmed without direct query. No DROP listing found in this pass. |
| FireHOL Level 1 / Level 2 | Unknown / Probable | No direct FireHOL reference to AS203834 found in this pass. Given the abuse.ch telemetry volume and nature, inclusion in FireHOL level 2 or higher is probable but unconfirmed. |
| Feodo Tracker (abuse.ch) | Not Confirmed | No Feodo Tracker entries (banking trojans / botnets: Emotet, QakBot, IcedID, TrickBot, Dridex) specifically linked to AS203834 were found in this pass. The documented RAT families (SectopRAT, Remcos) are tracked via ThreatFox rather than Feodo Tracker. |
| MalwareBazaar (abuse.ch) | Not Confirmed | No MalwareBazaar samples explicitly linked to DEDBROPRO-AS were found in this pass. The generic PE executables served from 195.82.146.34 (888.exe, AMA.exe) may be indexed but family and MalwareBazaar status were not confirmed. |
Known Weaknesses and Single Points of Failure
- Narrow address space: Single /24 allocation (195.82.146.0/24, confirmed) with documented adjacent activity in 195.82.147.x. Null-routing or de-peering this block by either upstream (Belcloud or RASCOM) would effectively terminate the provider's connectivity. [11]
- Single ASN: All operations run through one AS (AS203834). No backup ASN identified. Compared to mature BPH operators who maintain multiple ASNs and routing diversity, this represents a significant operational single point of failure.
- EU-registered entity: Vault Dweller OU is a legal entity in Estonia (EU), making it subject to Estonian company law, potential court orders, and EU regulatory action including Estonian CERT (CERT-EE) referrals to upstream providers. [13]
- Belcloud upstream (EU jurisdiction): AS44901 (Belcloud) is a Bulgarian provider operating within EU law. Documented abuse of AS203834 could support a formal de-peering request to Belcloud via CERT-EE, CERT-BG, or relevant EU coordination mechanisms.
- ISPmanager billing panel exposed: cp.dedbro.pro is a publicly accessible billing panel. Its existence and platform (ISPmanager/billmgr) are documented; legal or investigative access to this system would expose customer records, payment data, and provisioned server inventory.
- Known abuse contact: abuse@dedbro.pro is documented in RIPE records. Coordinated abuse reporting campaigns targeting this address, combined with upstream provider complaints, represent a low-cost disruption vector.
Financial Infrastructure
Payment Methods
DEDBROPRO explicitly accepts "bitcoin and other cryptocurrencies" per the Carder.su advertisement. No fiat payment methods (credit card, bank transfer), legacy e-money services (WebMoney, QIWI, Payeer), or mainstream payment processors are mentioned in available advertising or on the commercial website. The exclusive use of cryptocurrency is standard for BPH operations targeting criminal clientele, as it reduces KYC exposure for both provider and client and makes payment tracing more complex. [2]
The billing platform at cp.dedbro.pro (ISPmanager/billmgr) confirms automated invoicing infrastructure; the payment integration within billmgr for cryptocurrency typically uses third-party payment gateways (common examples include CoinPayments or NOW Payments in the CIS BPH space). No specific payment gateway has been identified for DEDBROPRO. [3]
Wallet Clusters and On-Chain Analysis
No publicly documented Bitcoin or cryptocurrency wallet addresses are specifically linked to DEDBROPRO, dedbro.pro, Vault Dweller OU, or the handle "DedBro" in available open sources. No publications from TRM Labs, Chainalysis, Elliptic, or Crystal Blockchain addressing DEDBROPRO on-chain activity were identified in this research pass.
Analyst Inference: Typical BPH acquisition-layering-extraction patterns would suggest: direct BTC receipt from criminal clients to a provider-controlled address cluster (acquisition); movement through one or more hops using peer-to-peer exchanges, mixing services, or chain-hopping (layering); and conversion to fiat via OTC brokers or regulated exchange with lax controls (extraction). This pattern is speculative and not supported by direct evidence for DEDBROPRO specifically.
Sanctions and Risk Ratings
No sanctions designations have been imposed against DEDBROPRO, Vault Dweller OU, or the "DedBro" handle by any of the following as of June 2026: OFAC (U.S. Treasury SDN List), EU Official Journal (EU Consolidated Sanctions List), UK FCDO (UK Consolidated List), or any other national sanctions authority reviewed in this pass. The provider is de-facto high-risk for any counterparty (based on documented malware hosting and explicit criminal marketing) but is de-jure undesignated. No high-risk VASP classifications from FATF-aligned bodies or national financial intelligence units were identified. Financial risk is inferred from operational evidence; formal designation does not exist.
Client Profile and Hosted Operations
Crimeware Verticals by Evidence Tier
| Vertical | Evidence | Confidence |
|---|---|---|
| RAT / Botnet C2 (SectopRAT) | 195.82.147.132:15747 flagged botnet_cc, SectopRAT, high confidence, ThreatFox IOC #1520971, first seen 2025-05-13 | Confirmed |
| RAT / Botnet C2 (Remcos) | 195.82.147.97:443, ThreatFox tag DEDBROPRO-AS with Remcos label; corroborated by @drb_ra on X (May 2025); ThreatFox status: "unverified" | Credible (unverified in ThreatFox) |
| Malware Distribution (generic PE) | 195.82.146.34 serving 888.exe and AMA.exe via HTTP, URLhaus, first seen 2025-03-18. Family not attributed in available data. | Confirmed (family unknown) |
| Network scanning / brute force | Explicitly stated in operator advertising as permitted "upon agreement" | Analyst Inference (policy implies hosting; no source IPs documented) |
| Ransomware infrastructure | No ransomware groups, affiliates, or leak sites linked to DEDBROPRO in available open sources | Not confirmed |
| Carding / fraud shops | No carding infrastructure documented on DEDBROPRO IPs in this pass despite Carder.su marketing channel | Not confirmed |
| DDoS-for-hire panels | Not documented; DDoS attacks against others are explicitly prohibited in operator terms | Not confirmed |
Client Geography and Target Profile
DEDBROPRO's CIS-exclusion policy ("Work on the CIS" is prohibited) has two practical implications: (1) it excludes victims in Russia, Ukraine, Belarus, Kazakhstan, and other CIS states, and (2) it signals the provider's likely target audience as CIS-based criminal operators who wish to avoid triggering domestic law enforcement scrutiny by harming their own constituencies. This pattern is consistent with the broader BPH norm in the CIS criminal ecosystem, where providers operating with Russian-language forums and Russian-origin operators routinely prohibit CIS-targeting to maintain a low-profile relationship with local authorities. [2]
The Carder.su advertising channel targets a Russian-language fraud and carding community. The confirmed RAT families (SectopRAT, Remcos) are general-purpose commodity RATs used across a wide range of criminal operations globally rather than being attributable to a specific nationality or criminal group.
Notable Hosted Cases
Intelligence Gap: No Named Client Cases. No law enforcement press releases, court documents, or major vendor case studies naming DEDBROPRO in connection with a specific criminal operation or high-profile incident have been identified in available open sources as of June 2026. Current documented evidence is limited to abuse.ch feed telemetry and a single researcher disclosure on X. This reflects the provider's relatively recent operational history and comparatively low profile relative to larger BPH operators with years of documented client activity.
State Nexus Assessment
State Nexus Tier Assessment
DEDBROPRO is assessed at Tier 2 (Tolerated Safe Harbor): the provider operates with apparent practical impunity across multiple jurisdictions without evidence of active enforcement or takedown, which is consistent with a degree of passive official tolerance. However, there is no positive evidence of state tasking, coordination, or explicit protection, which would be required to assess Tier 3 (Probable Cooperation) or Tier 4 (Direct Control). The assessment is based on operational persistence rather than any documented state relationship.
Evidence Supporting Tolerated Safe Harbor Assessment
- AS203834 has operated with documented abuse (RAT C2, malware distribution) from at least October 2024 through May 2025 without any documented enforcement action by Estonian authorities, Bulgarian CERT, upstream providers, or RIPE NCC. [1][7][8][9]
- The dual-upstream structure (Belcloud / Bulgaria; RASCOM / Russia) routes DEDBROPRO through Russian network infrastructure despite Estonian entity registration, which is unusual and warrants monitoring. RASCOM (AS20764) is a Russian ISP serving many legitimate clients, and its provision of upstream transit to DEDBROPRO does not by itself establish state coordination.
- CIS-exclusion policy is consistent with an operator seeking to avoid triggering CIS-region law enforcement, which is a standard self-protective measure for operators of CIS origin rather than a signal of state direction.
Negative Evidence (Expected Indicators Absent)
The following indicators that would be expected if a higher-tier nexus existed are not present in available open sources:
- No documented selective protection by Russian or Estonian authorities following formal abuse complaints.
- No state-aligned APT infrastructure (e.g., GRU/SVR/FSB-attributed tooling) documented on DEDBROPRO. All observed activity is commodity crimeware (SectopRAT, Remcos), which is not characteristic of state-directed operations.
- No whistleblower reports, leaked communications, or vendor assessments asserting state coordination.
- No politically sensitive clients (e.g., hacktivism, influence operations, election interference infrastructure) identified on DEDBROPRO in open sources.
- No court filings or sanctions packages that would reveal state-protection relationships.
RASCOM Upstream: Significance and Limitations
Analyst Inference: The presence of RASCOM (AS20764, Russia) as one of two upstream transit providers for AS203834 is notable. RASCOM provides connectivity to Cogent, Level3, Beeline, MTS, TTK, and Rostelecom, meaning DEDBROPRO traffic routes through Russian network infrastructure on the RASCOM path. This creates a technical visibility opportunity for Russian intelligence services that would not exist for a purely EU-routed provider. However, RASCOM serves thousands of legitimate commercial clients, and routing through Russian infrastructure is common for Eastern European providers with Russian commercial relationships. This indicator alone is insufficient to elevate the state nexus assessment above Tolerated Safe Harbor. It should be documented as a monitoring flag.
Law Enforcement and Regulatory Response
Documented LE and Regulatory Actions
Gap (No LE Actions Documented): No law enforcement arrests, indictments, criminal charges, civil actions, infrastructure seizures, domain takedowns, or sanctions designations specifically targeting DEDBROPRO, dedbro.pro, Vault Dweller OU, AS203834, or the "DedBro" handle have been documented in open sources as of June 2026. The provider appears to be fully operational across all documented channels (website, billing panel, Telegram, criminal forum advertising) with no disruption indicators observed.
Post-Disruption Client Migration
Not applicable as of June 2026 — no disruption events have occurred.
Regulatory Leverage Points
Analyst Inference: The following regulatory and network-level leverage points are available to investigators or network defenders, in approximate order of accessibility:
- RIPE NCC abuse process: Vault Dweller OU holds LIR status under RIPE. Documented and repeated abuse without response to abuse@dedbro.pro could support a RIPE member-conduct complaint, though RIPE does not directly revoke allocations for abuse.
- Estonian company law / CERT-EE: Vault Dweller OU is an Estonian company subject to Estonian law. CERT-EE referral of abuse complaints to Estonian police and the Estonian Data Protection Authority represents a legitimate pathway. Estonian membership in EUROPOL and EU law enforcement cooperation frameworks may enable international case coordination.
- Belcloud (AS44901) de-peering: A coordinated campaign of abuse reports from national CERTs (CERT-EE, CERT-BG) and major security vendors directed at Belcloud could support a de-peering request under Belcloud's acceptable use policy. Loss of Belcloud as upstream would force DEDBROPRO to route exclusively via RASCOM, degrading connectivity quality and increasing its dependency on Russian infrastructure.
- OFAC sanctions designation: If sufficient financial flow evidence (wallet addresses, transaction clusters) linking DEDBROPRO to U.S.-nexus crimes is developed, an OFAC SDN designation of Vault Dweller OU is possible under existing cybercrime-related Executive Orders.
Connected Groups and Ecosystem Relationships
The following connected entity assessments apply two independent confidence tiers per the schema requirement. Every claim includes both Tier 1 (infrastructure relationship: did this BPH host their infrastructure?) and Tier 2 (operational relationship: did the BPH operator know the client identity or coordinate operationally?) assessed independently.
Entities with No Formal Assessment
The following security vendors and organizations have not published formal assessments of DEDBROPRO as of June 2026: Recorded Future, Mandiant (Google), CrowdStrike, Secureworks, Proofpoint, Microsoft MSTIC, Palo Alto Unit 42, Cisco Talos, Trend Micro, ESET, Kaspersky (public reporting), F-Secure/WithSecure, Group-IB, Team Cymru, SilentPush, DomainTools. This reflects the provider's relatively recent and lower-profile operational footprint compared to larger BPH operators that have attracted formal research attention.
Trajectory Assessment
Infrastructure Churn
Infrastructure churn for DEDBROPRO is assessed as LOW relative to more mature BPH operators. AS203834 has maintained a stable AS-name and single /24 allocation since creation in 2022 without documented rebranding, prefix changes, or upstream provider shifts. C2 infrastructure documented in the 195.82.147.x space showed persistence over months (ThreatFox first sighting 2024-10-16, last 2025-05-30) rather than days, indicating that clients are not being rapidly ejected or forced to rotate infrastructure. The Carder.su advertisement as of March 2026 uses identical contact details (Telegram, Jabber, website) as documented in earlier periods, confirming channel stability. [1][2][7]
Market Position
DEDBROPRO occupies the entry-level to mid-tier BPH market segment. Pricing ($5 VPS entry point, $149 dedicated server entry) is competitive with other smaller CIS-affiliated BPH providers but well below the scale of established large-capacity BPH operators (e.g., Media Land LLC, PROSPERO/Bearhost) with multi-ASN infrastructures and thousands of IPs. The addition of a 10 Gbps dedicated tier ($300+/month) since the Carder.su advertisement suggests incremental product expansion. The use of Carder.su — a well-established Russian-language carding forum — as the primary criminal advertising venue gives DEDBROPRO access to a large, established criminal audience without requiring invitation-only forum presence. [2][3]
Disruption History
No disruption events documented as of June 2026. The provider has not been subjected to LE-driven infrastructure seizures, upstream provider de-peering, domain takedowns, or sanctions designations. This is the baseline trajectory condition for an active, undisrupted provider.
Trajectory Direction
DEDBROPRO is assessed as an active and incrementally expanding provider. Key indicators: sustained criminal forum advertising (Carder.su, March 2026); confirmed live website and billing platform (June 2026 web fetch); documented abuse telemetry from late 2024 through mid-2025; product line expansion (10 Gbps tier added to website). The provider has not been disrupted and shows no operational degradation signals. Absent intervention, the trajectory is continued operation with possible growth in client base as criminal awareness of the service increases through forum advertising.
Mandatory Intelligence Gaps
- No real name, additional handles, date of birth, nationality, or confirmed location identified. The handle "DedBro" and entity "Vault Dweller OU" are the only attributable identifiers. This is the most significant gap for any legal or sanctions action.
- Only 195.82.146.0/24 is confirmed as a RIPE allocation. C2 activity in 195.82.147.x suggests possible additional ranges; the full address space controlled by AS203834 was not independently enumerated in this pass.
- Operator claims "we do not hold Spamhaus" but per-prefix listing status was not confirmed via direct Spamhaus dataset query. Current SBL standing for 195.82.146.0/24 is unknown.
- No documented de-peering events identified. Whether Belcloud or RASCOM have received and acted on abuse complaints regarding AS203834 is unknown.
- No Bitcoin or cryptocurrency wallet addresses publicly linked to DEDBROPRO. No on-chain analysis from TRM Labs, Chainalysis, Elliptic, or Crystal. Financial flow cannot be traced without this data.
- No named resellers or affiliates identified. The provider appears to sell directly to end criminal clients. Whether wholesale or white-label arrangements exist with other BPH or hosting entities is unknown.
- No specific colocation facilities or data center names in Bulgaria or elsewhere confirmed. Physical infrastructure location beyond IP geolocation is an open gap.
- Current documented clients limited to SectopRAT operators, possible Remcos operators, and an unattributed malware distributor. Whether ransomware affiliates, carding operations, or other verticals are present on DEDBROPRO infrastructure is not confirmed.
Recent Reporting
Source Integrity Notes
The underlying research cited the Spamhaus article "Bulletproof hosting – there's a new kid in town" (December 2019) as a source for DEDBROPRO. Follow-on research confirms this article is NOT about DEDBROPRO. The article describes a 2019 BPH operation that rented VPS from legitimate Russian hosting providers (simplecloud.ru, reg.ru, etc.) and used reverse-proxy chains, with DNSpod for DNS. This operation is entirely distinct from DEDBROPRO's model (owned ASN, direct dedicated server and VPS sales). The 2019 article does not mention DEDBROPRO, dedbro.pro, AS203834, or Vault Dweller OU. It is cited here for context but should not be attributed to DEDBROPRO as a source.
One source in the underlying research cited "AS47105 dedbropro" in connection with IP 195.82.146.34. Follow-on BGP verification confirms 195.82.146.0/24 is allocated to AS203834 (Vault Dweller OU), not AS47105. AS47105 is a distinct ASN. The discrepancy reflects stale or inaccurate ASN lookup data in the upstream source. AS203834 is the sole confirmed autonomous system for DEDBROPRO.
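The prefix gap and the stale-ASN discrepancy noted above both argue for triaging traffic by prefix rather than by a feed's ASN label. The following is an added example, not part of the underlying research: it classifies destinations from constructed flow records and flags enrichment data that disagrees with the confirmed origin AS. Modelling "195.82.147.x" as a /24, the function names, and the verdict labels are assumptions.

```python
import ipaddress

# Values taken from this profile.
CONFIRMED_PREFIX = ipaddress.ip_network("195.82.146.0/24")  # RIPE allocation, AS203834
CONFIRMED_ASN = 203834
# Assumption: the profile's "195.82.147.x" C2 space is modelled here as a /24.
ADJACENT_PREFIX = ipaddress.ip_network("195.82.147.0/24")

# Constructed sample records: (destination IP, port, ASN reported by an enrichment feed).
SAMPLE_FLOWS = [
    ("195.82.146.34", 443, 47105),   # stale ASN label, as in the discrepancy above
    ("195.82.147.97", 443, 203834),  # C2 endpoint cited in this profile
    ("198.51.100.7", 80, 203834),    # documentation address carrying only an ASN label
    ("192.0.2.15", 443, 64500),      # documentation address and ASN, unrelated
    ("not-an-ip", 443, None),        # malformed record
]

def classify(ip_text, reported_asn):
    """Return (verdict, note) for one destination address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("invalid", "unparseable address")
    if ip in CONFIRMED_PREFIX:
        # The prefix match is authoritative; a differing feed ASN is a data-quality flag.
        if reported_asn != CONFIRMED_ASN:
            return ("confirmed", f"feed ASN {reported_asn} disagrees with AS{CONFIRMED_ASN}")
        return ("confirmed", "")
    if ip in ADJACENT_PREFIX:
        return ("adjacent", "observed C2 space, allocation not confirmed")
    if reported_asn == CONFIRMED_ASN:
        return ("asn-only", "ASN label without prefix match; verify against BGP")
    return ("clear", "")

def triage(flows):
    """Attach a verdict and note to every (ip, port, asn) record."""
    return [(ip, port, *classify(ip, asn)) for ip, port, asn in flows]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```

Keeping "confirmed" and "adjacent" as separate verdicts preserves the profile's confidence distinction between the RIPE-confirmed allocation and the unenumerated neighbouring space.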
Open-Source Researcher Disclosure
The most specific recent open-source reporting on DEDBROPRO beyond abuse.ch feeds is a May 2025 X post by researcher @drb_ra disclosing Remcos C2 infrastructure on DEDBROPRO-AS at 195.82.147.97:443. This is a single-source disclosure tagged as unverified in ThreatFox. No major security vendor has published a formal technical report or blog post on DEDBROPRO as of June 2026. The provider remains below the attention threshold of mainstream threat intelligence publication cycles. [6]