Takedown of Lolek bulletproof hosting service includes arrests, NetWalker indictment
Editor's note: Updated 2:55 p.m. EST with U.S. announcement.
European authorities said Friday they arrested five people in Poland as part of an operation that dismantled a web hosting service used for cybercrime activities, and U.S. prosecutors issued a related indictment in the NetWalker ransomware case.
Law enforcement agencies seized the servers of LolekHosted.net on Aug. 8, according to Europol, following “a complex investigation” that also involved the FBI, the Internal Revenue Service (IRS) and Polish agencies.
Separately, U.S. prosecutors announced an indictment in Florida of Polish national Artur Karol Grabowski, 36, for allegedly operating Lolek. The hosting service was responsible for attacks by the NetWalker ransomware, which has affected hundreds of targets around the world, the announcement said. At least 50 of those incidents used Lolek in some way, prosecutors said.
Europol and Polish investigators did not release the identities of the suspects detained in Poland.
Grabowski “remains a fugitive,” according to the U.S. announcement.
The IRS had confirmed to Recorded Future News earlier this week that a seizure notice on LolekHosted.net was real, but declined to offer further details at the time.
LolekHosted.net was a bulletproof hosting service — an operation that promises to protect the identities of its customers. Given the freedom such services offer, they are popular with cybercriminal organizations.
“The suspects marketed privacy as a key feature of this service, using slogans such as ‘You can host anything here!’ and ‘no-log policy.’ Payments were to be made in cryptocurrencies,” Europol said.
Clients used Lolek servers “as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims,” the U.S. indictment said.
The website also facilitated the distribution of “information-stealing malware, and also the launching of DDoS (distributed denial of service) attacks, fictitious online shops, Botnet server management and distribution of spam messages worldwide,” Europol said.
Grabowski faces up to 45 years in prison on charges of computer fraud conspiracy, wire fraud conspiracy and international money laundering. The U.S. is also seeking forfeiture of $21.5 million. He originally registered the LolekHosted.net domain in 2014.
“Grabowski allegedly facilitated the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement,” prosecutors said.
Overall, NetWalker ransomware is responsible for more than 5,000 bitcoin (currently worth about $146.6 million) in extortion payments, prosecutors said, noting that the cybercriminals behind it targeted “municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities.”
A Canadian affiliate of the NetWalker operation was sentenced to 20 years in U.S. prison in Canada in late 2022.
The Polish organizations supporting the investigation were the Regional Prosecutor’s Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.
The seizure notice also said the operation had assistance from the U.S. Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.
Daryna Antoniuk and Jonathan Greig contributed to this story.
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.