One of the most controversial stories of the European internet, told without nostalgia: what it was, why it was a risk, and what it means to build its exact opposite today.
A critical archive, not a celebratory one. The content distinguishes established facts, allegations and context, is drawn from public sources and is under legal review. Names and convictions should be verified against official records.
CyberBunker was born in the mid-1990s when Herman-Johan Xennt bought a former Cold War bunker in the Netherlands (Zeeland) to house servers. The idea: hosting that was "proof against everything", with an imagery of autonomy and fortress. The associated company, CB3ROB Data Services, offered hosting, dedicated servers, colocation and IP transit.
CyberBunker became known as an example of "bulletproof hosting": a provider that promised to keep sites online regardless of legal requests. Among the historical customers publicly cited were very different services; the provider was also accused of hosting spammers and malicious infrastructure. An incident at a Dutch facility led to complications with the authorities.
CyberBunker came under the global spotlight for its involvement in one of the largest DDoS attacks seen up to that point, against the anti-spam organisation Spamhaus, with techniques that included BGP hijacking. The spokesperson of the time was arrested and later convicted.
Around 2013 the group bought a second bunker, a military facility at Traben-Trarbach, in Germany ("CyberBunker 2.0"). In September 2019 the police carried out a large-scale operation: according to public accounts, investigators raided the site with hundreds of officers and seized about 200 servers. Seven people were arrested.
The operators were tried in Germany. In 2021 a court convicted the main defendants for their role in providing infrastructure to a criminal organisation. Specific sentences and legal qualifications should be verified against the official trial records.
The old CyberBunker confused resilience with impunity. Republic CyberBunker keeps the two apart.
Strong infrastructure is an asset. Using it to escape the law is a legal, reputational and technical risk. They are two different things.
For a board, knowing who a provider says no to is a guarantee. Compliance reduces systemic risk, it does not increase it.
Audit logs, public policies and an abuse desk protect serious customers from the side effects of those who lack them.
Hosting that promises to stay online while ignoring legal requests and abuse reports. A model that confuses technical resilience with impunity: it is exactly what we do not offer.
Hijacking of internet routing paths (Border Gateway Protocol) to intercept or divert traffic. A technique used in some major attacks of the past.
Distributed denial-of-service attack: a target is saturated with traffic from many sources to make it unreachable.
The function that receives and handles abuse reports (spam, malware, illegal content) and triggers the prescribed actions. It is a point of accountability, not a switchboard.
The physical and legal location where data resides. It determines which law applies and who can legitimately access it.
Infrastructure whose control plane and data remain under the jurisdiction of a defined area (here: Europe), with no forced access from non-EU entities.
The story was told in the Netflix docuseries Cyberbunker: The Criminal Underworld (2023), directed by Kilian Lieb and Max Rainer. We cite it only as cultural context: it explains why this story has become topical again.
Project not affiliated with Netflix; the reference is purely cultural context. No protected material (logo, poster, stills or clips) is used on this site.
Republic CyberBunker is an independent infrastructure, editorial and educational project promoted by Swiss Innovation Hub. It does not offer anonymous or non-compliant hosting, does not support illegal activity, and is not affiliated with the historical operators of CyberBunker or with Netflix.
The archive is the starting point, not the product. The product is strong, legal and governed infrastructure. Let's discuss it.
