DEDBROPRO
Estonian-registered bulletproof hosting provider // AS203834 (dedbropro-as) // Vault Dweller OU // Active from at least 2024

Executive Summary and Provider Overview

Operational Status: Active
Primary ASN: AS203834
IPv4 Prefix: 195.82.146.0/24
AS Created: 2022-07-19
ThreatFox IOCs (ASN): 307
Malware Families (Confirmed): 2+
Sanctions / LE Actions: None
Spamhaus SBL Status: Unknown

Quick-Reference Attributes

Common Names: DEDBROPRO; DedBro; DEDBRO; dedbro.pro
Node Type: Bulletproof Hosting Provider
Status: Active — AS operational; Carder.su advertising confirmed March 2026; malware hosting and C2 documented through May 2025
Entity Registration Jurisdiction: Estonia (EE) — Vault Dweller OU (ORG-VDO2-RIPE), Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn. Registered as an LIR (Local Internet Registry) under RIPE. [13]
Infrastructure Hosting Jurisdiction: Bulgaria (BG) — assessed primary, per IP geolocation of documented C2 endpoints (195.82.147.x). Estonia (EE) — AS registration jurisdiction. [6][7]
Operator Location: Unknown — no named individual identified in open sources. Estonian entity registration does not confirm operator nationality or physical location.
Active Period: AS203834 created 2022-07-19; first ThreatFox sighting 2024-10-16; first URLhaus listing 2025-03-18; Carder.su advertisement confirmed March 2026. [1][7][9][2]
Primary ASN: AS203834 — dedbropro-as (Vault Dweller OU, Estonia)
IPv4 Prefix: 195.82.146.0/24 — single confirmed /24 allocation. C2 activity documented in adjacent 195.82.147.x space. [11][12]
Upstream Transit: AS44901 — Belcloud (Bulgaria); AS20764 — CJSC RASCOM (Russia). [11][14][15]
Abuse Contact: [email protected] (RIPE record); @dedbropro (Telegram); [email protected] (Jabber). [3][2]
Billing Platform: cp.dedbro.pro — ISPmanager / billmgr (confirmed via direct site fetch). [3]
Sanctions: None — no OFAC, EU, or UK FCDO designations against entity, operator handle, or associated wallets as of June 2026.
ThreatFox Standing: 307 IOCs on AS203834 ASN report (all hosted IOCs); 23 tagged DEDBROPRO-AS sightings; first tag 2024-10-16, last tag 2025-05-30. [1][7]
Spamhaus SBL Status: Unknown — operator explicitly states "We do not hold Spamhaus" and promises service suspension if SBL is received. Per-prefix SBL/CBL/XBL status was not confirmed in this pass. [2]
Prohibited Activities: CIS-region targeting; email spam; DDoS attacks; child and animal sexual abuse material; terrorism. [2]
Payment Methods: Bitcoin and other cryptocurrencies (explicit); no fiat, card, or legacy e-money confirmed. [2]
State Nexus Tier: Tolerated Safe Harbor (Tier 2 of 4) — assessed, based on operational persistence without enforcement and dual transit routing through Bulgaria (EU) and Russia (RASCOM). No evidence of active state cooperation or control.

Overall Assessment

DEDBROPRO (operating as dedbro.pro, brand handle "DedBro") is a newer bulletproof hosting (BPH) entrant offering dedicated servers, NVMe VPS, and VPN services on an explicitly anonymous and abuse-tolerant basis. The provider's infrastructure is registered under the Estonian company Vault Dweller OU (AS203834, dedbropro-as), with operational address-space activity observed primarily in Bulgaria. As of June 2026, DEDBROPRO is actively advertising to criminal audiences via Carder.su and maintains a public English-language commercial website at dedbro.pro that markets services without KYC requirements and accommodates clients whose "projects might encounter issues or complaints." [2][3]

Abuse telemetry from abuse.ch's ThreatFox identifies 307 indicators of compromise hosted on AS203834 over the trailing twelve months, with confirmed SectopRAT and Remcos remote access trojan (RAT) command-and-control (C2) infrastructure in the 195.82.147.x space, and generic malware distribution (unattributed PE executables) from 195.82.146.34 documented by URLhaus beginning March 2025. Criminal forum advertising on Carder.su (March 2026) explicitly endorses use for "scan, brute force and other projects," placing this provider unambiguously in the bulletproof hosting category rather than the privacy-hosting or grey-area hosting categories. [1][7][8][9][2]

No law enforcement actions, arrests, indictments, seizures, or sanctions designations targeting DEDBROPRO, Vault Dweller OU, or identified operators have been documented as of June 2026. The provider's single /24 address block, Estonian entity registration (EU regulatory jurisdiction), and dual upstream routing through a Bulgarian transit provider and a Russian ISP (RASCOM, AS20764) represent the primary structural leverage points available to investigators and network operators seeking to degrade this provider's operational capability. [11][13][14][15]

Lineage and Organizational Heritage

Predecessor and Sibling Analysis

No public evidence links DEDBROPRO or Vault Dweller OU to prior-generation BPH brands (such as Maxided, Yalishanda, Media Land LLC, McColo, or 3FN) or to currently active BPH brand clusters (such as PROSPERO/Bearhost, Zservers, or Stark Industries). AS203834 was created on 2022-07-19, making this a relatively recent autonomous system without the multi-year lineage typical of established BPH conglomerates. The provider is assessed as a newer, independent market entrant rather than a rebrand or shell of an existing criminal infrastructure operation. Confidence: Credible (absence of evidence with moderate search depth; deeper WHOIS history and criminal forum cross-referencing could revise this). [1][11][12][13]

Note on AS47105 Reference

One source in the underlying research attributed IP 195.82.146.34 to "AS47105 dedbropro." Follow-on verification confirms that 195.82.146.0/24 is registered to AS203834 (Vault Dweller OU), not AS47105. AS47105 does not appear in BGP data as a DEDBROPRO-associated ASN. The discrepancy likely reflects stale IP intelligence data in the upstream source's ASN lookup. AS203834 is the sole confirmed autonomous system for this provider. [11][12]

Brand Continuity and Entity Structure

| Entity / Brand | Type | Role | Active Window | Confidence |
|---|---|---|---|---|
| DEDBROPRO / DedBro / dedbro.pro | BPH brand; commercial website; forum advertising identity | Primary consumer-facing brand; sells directly to criminal end-users via website and chat channels | Website live since at least 2024 (copyright footer "© 2024 DEDBRO.RPO"); Carder.su ad March 2026 | Confirmed |
| Vault Dweller OU | Estonian LLC; RIPE LIR (Local Internet Registry) | Corporate shell holding AS203834 registration; abuse contact entity; RIPE organization ORG-VDO2-RIPE | AS203834 created 2022-07-19; RIPE record last updated 2025-03-13 | Confirmed |
| AS203834 (dedbropro-as) | Autonomous System | Network infrastructure backbone; single /24 prefix 195.82.146.0/24; upstream via Belcloud (AS44901) and RASCOM (AS20764) | Created 2022-07-19; abuse activity documented from 2024-10-16 onward | Confirmed |

Evidentiary Pillars

Brand-to-ASN Attribution

Confidence: Confirmed. The RIPE database records AS203834 with AS-name "dedbropro-as" and organization "Vault Dweller OU." ThreatFox tags abuse.ch IOCs hosted on this ASN with the label "DEDBROPRO-AS." The Carder.su forum thread links the "DedBro" advertising handle to dedbro.pro, Telegram @dedbropro, and Jabber [email protected], all consistent with the dedbro.pro commercial brand. Multiple independent sources converge on this attribution. [1][2][3][5][7]

Infrastructure-to-Abuse Telemetry Attribution

Confidence: Confirmed. abuse.ch ThreatFox's ASN-level tagging confirms that malware C2 IPs (195.82.147.x) detected by the security community resolve within AS203834 (dedbropro-as). URLhaus host records link IP 195.82.146.34 to malware-serving URLs. Both data sources are independent of the Carder.su and dedbro.pro commercial evidence and reinforce the same infrastructure attribution. [1][7][8][9]

Operator Profiles

No named individual, sanctioned person, or indicted defendant has been publicly linked to DEDBROPRO, dedbro.pro, or Vault Dweller OU as of June 2026. The sole operator-attributable identifier is the forum handle "DedBro" used on Carder.su. All operator information below reflects an unknown individual or individuals behind the Vault Dweller OU entity.

2.1 Handle: "DedBro"

Handle / Aliases: DedBro (Carder.su advertising account); DEDBRO (capitalized brand variant); dedbropro (Telegram handle @dedbropro)
Assessed Nationality: Unknown — Estonian entity registration does not imply operator nationality. Russian-language forum advertising on Carder.su is consistent with a Russian or CIS-origin operator but is not determinative. The CIS-exclusion policy (do not target CIS) is consistent with an operator seeking to minimize exposure to domestic law enforcement.
Assessed Location: Unknown — no geolocatable signals in open sources. Vault Dweller OU registered in Tallinn, Estonia; physical presence in Estonia is unconfirmed and cannot be inferred from RIPE registration alone.
Forum Activity: Carder.su advertising thread, March 2026. Advertising profile categorized as "Guest" (non-member advertiser) on Carder.su. No confirmed activity on Exploit, XSS, WWH-Club, or other major underground forums in open sources for this pass.
Current Legal Status: At large — no public arrest, indictment, criminal charges, or sanctions designation.
Sanctions Designations: None.

2.2 Entity: Vault Dweller OU

Registered Jurisdiction: Estonia (EE) — European Union jurisdiction.
RIPE Organization ID: ORG-VDO2-RIPE
Registered Address: Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn, Estonia
Phone (RIPE record): +37125479008
RIPE LIR Status: Registered Local Internet Registry (LIR) — direct RIPE member organization with address space allocation rights.
AS203834 Created: 2022-07-19
AS203834 Last Modified: 2024-09-02; last updated 2025-03-13 (per RIPE/BGP data). [4][5]
Abuse Contact: [email protected]
Sanctions Status: None — Vault Dweller OU does not appear on OFAC SDN list, EU Official Journal sanctions, or UK FCDO consolidated list as of June 2026.

Disputed Assessments

No major security vendors have published assessments specific to DEDBROPRO as of June 2026. Primary attribution and infrastructure data derive from abuse.ch community feeds (ThreatFox, URLhaus), a researcher disclosure on X (@drb_ra), and direct site and forum analysis. No vendor-to-vendor disagreements exist because no vendors beyond the abuse.ch community have formally assessed this provider in the open. This is an intelligence gap rather than a dispute.

Gap: No Formal Vendor Assessments

Operational and Business Model

Service Model

DEDBROPRO operates as a direct-to-criminal bulletproof hosting provider, selling compute infrastructure (dedicated servers, NVMe virtual private servers) and VPN access on an anonymous, no-KYC basis with explicit tolerance for abuse-prone use cases. The service model combines a public English-language commercial website (dedbro.pro) with direct outreach channels (Telegram @dedbropro, Jabber [email protected]) and criminal forum advertising (Carder.su). The provider's stated value proposition centers on: (1) anonymity ("We do not request KYC, phone number verification, or any other personal identification"), (2) abuse accommodation ("If your project might encounter issues or complaints, please let us know"), (3) DDoS resilience ("Free 500Gbps DDoS Protection"), and (4) round-the-clock human support. [2][3]

The Carder.su advertisement specifies tolerance for "scan, brute force and other projects upon agreement," confirming that the service model explicitly accommodates network scanning, credential brute-forcing, and unspecified additional attack infrastructure, with the euphemism "upon agreement" likely referring to advance disclosure to avoid automated abuse detection by upstream providers. [2]

Verbatim Advertising Copy

Carder.su thread "Dedbro.pro – Bulletproof Dedicated Servers, VPS, VPN" — posted by handle "DedBro," March 2026 [2]
"Friends! We are glad to offer you:"
"- Scan, brute force and other projects are allowed on the servers upon agreement;"
"- We will select solutions for your tasks;"
"- Round-the-clock support 24/7/365;"
"- We accept bitcoin and other cryptocurrencies."

"Bulletproof dedicated and virtual servers from Bro!"

"How to place an order: You can place an order on the website or directly through our contacts without registration."

"The following is prohibited on servers:
- Work on the CIS;
- E-mail spam;
- DDoS attacks;
- Hosting child and zoo topics;
- Terrorism."

"We do not hold Spamhaus. In case of receiving SBL, the service will be suspended."

"Contacts: Jabber: [email protected] / Telegram: @dedbropro / Website: dedbro.pro"

dedbro.pro English site — fetched June 2026 [3]
"Dedicated and Virtual Servers — We offer high-quality service at competitive prices for your projects."

"Loyalty — We are dedicated to our clients and always ready to accommodate and find solutions. If your project might encounter issues or complaints, please let us know."

"Anonymously — We do not request KYC, phone number verification, or any other personal identification. Your privacy is our priority."

"24/7/365 Support — Our managers and IT specialists are available to assist with any question at any time."

"Contact us: @dedbropro / [email protected]"
"Abuse report / © 2024 DEDBRO.RPO"

Pricing and Service Tiers

| Product | Entry Price | Specifications | DDoS Protection | Setup Time |
|---|---|---|---|---|
| Dedicated Servers | $149 / month | 1 Gbps shared bandwidth; software RAID; virtual KVM console; OS of choice. Example configs: Xeon E3-1241v3 (8x3.90GHz, 8GB RAM, 120GB SSD) to 2x Xeon Platinum 8268 (96x3.90GHz, 512GB RAM, 2TB SSD) | Free 500 Gbps | 2 hours |
| 10 Gbps Dedicated | $300 / month | Dedicated 10 Gbps channel; VLAN included; iLo / IPMI / KVM on request; any OS. Note: this tier appears on the commercial website but was not included in the March 2026 Carder.su advertisement, suggesting it was added or promoted separately. | Not specified | From 6 hours |
| NVMe VPS | $5 / month (Starter) to $80 / month (Pro) | KVM virtualization; 100 Mbps bandwidth; backups on request. Tiers: Starter (1 vCPU / 512MB / 10GB SSD), Micro ($15), Basic ($25 / 2 vCPU / 2GB / 30GB), Standard ($45 / 4 vCPU / 4GB / 50GB), Pro ($80 / 8 vCPU / 8GB / 100GB), Custom from $15. | Free 500 Gbps | 1 minute |
| VPN | $5 / month | Protocols: OpenVPN, Shadowsocks, L2TP/IPsec, TOR VPN. Protocol of customer choice. | Not specified | 1 minute |
| Custom Solutions | Price on request | "We will select a solution for your project and specific task." Suggests willingness to accommodate bespoke criminal infrastructure requirements. | Varies | Varies |

Discounts are offered for ordering three or more services or for prepayment of three months or more. [3]

Onboarding and Client Acquisition

Onboarding is explicitly low-friction: customers may place orders via the commercial website (cp.dedbro.pro running ISPmanager/billmgr) or "directly through our contacts without registration." The no-KYC and no-phone-verification policy is stated twice across the commercial site and the forum advertisement. Contact channels include the Telegram handle @dedbropro (public, indexed) and Jabber XMPP ([email protected]), the latter providing encrypted messaging for operationally sensitive discussions. This structure mirrors standard BPH onboarding patterns: a public commercial face for discovery, chat-based sales for friction-free provisioning of abuse-tolerant resources. [2][3]

Abuse Handling and LE Posture

DEDBROPRO's stated abuse posture contains an internal tension that is common to BPH operators seeking to maintain partial legitimacy:

The practical posture, as evidenced by 307 ThreatFox IOCs and sustained malware C2 and distribution hosting from late 2024 through at least May 2025, is abuse-tolerant with selective (and probably rare) enforcement when Spamhaus SBL pressure would threaten the provider's ability to maintain upstream peering relationships. [1][2][3][7]

OPSEC

Operator-level OPSEC indicators: anonymous advertising via forum "Guest" account on Carder.su; Jabber/XMPP contact (encrypted, no phone-linked identity); Telegram (pseudonymous). No Russian-language linguistic slippage visible in available advertising copy. The CIS-exclusion policy functions as a LE-risk management mechanism, reducing the probability of Russian-language victim complaints that could draw domestic attention. Estonian RIPE registration as an LIR adds a layer of apparent legitimacy (recognized regional registry member) while placing the entity in EU jurisdiction where direct law enforcement requests could theoretically be served. [2][3][13]

Technical Capabilities and Infrastructure Footprint

ASN Registration

| Field | Value | Source |
|---|---|---|
| AS Number | AS203834 | [11][12] |
| AS Name | dedbropro-as | [1][5] |
| Organization | Vault Dweller OU (ORG-VDO2-RIPE) | [5][13] |
| Country (Registration) | Estonia (EE) | [1][4][5] |
| Registered Address | Lasnamaee linnaosa, Majaka tn 26, 11412 Tallinn, Estonia | [13] |
| Phone (RIPE) | +37125479008 | [13] |
| Abuse Contact | [email protected] | [5] |
| RIPE LIR | Yes — Vault Dweller OU is a RIPE member LIR with direct allocation rights | [13] |
| AS Created | 2022-07-19 | [4][5] |
| AS Last Modified | 2024-09-02 | [4][5] |
| RIPE Record Last Updated | 2025-03-13 | [4][5] |

IP Ranges and Geolocation

| Prefix | Allocation | Geolocated Country | Documented Use | Confidence |
|---|---|---|---|---|
| 195.82.146.0/24 | Confirmed RIPE allocation to AS203834 / Vault Dweller OU | Bulgaria (BG) — per IP intelligence sources; Estonian AS registration | Malware distribution hosting (195.82.146.34 serving 888.exe, AMA.exe per URLhaus) | Confirmed |
| 195.82.147.x | Adjacent range; appears in ThreatFox IOC data. Full allocation status of /24 not independently confirmed in this pass — may be part of a larger DEDBROPRO block or a neighboring allocation. | Bulgaria (BG) — per geolocation of 195.82.147.97 in open source data | SectopRAT C2 (195.82.147.132:15747); Remcos C2 unverified (195.82.147.97:443) | Credible (ThreatFox tags as DEDBROPRO-AS; full allocation status not independently confirmed) |

Data Center Footprint

DEDBROPRO's marketing claims "high-quality equipment located in the world's leading data centers" and offers hardware configurations consistent with a dedicated server reseller or colo customer rather than a facility owner. IP geolocation data (Bulgarian geolocations for C2 IPs) is consistent with the Belcloud (AS44901) upstream peering, which is a Bulgarian transit provider. No specific facility names or addresses in Bulgaria or Estonia are documented in open sources. Given the single /24 address block and startup-scale pricing structure, DEDBROPRO almost certainly leases rack space or individual server units from one or more wholesale providers rather than owning physical data center infrastructure. [3][6][11]

Upstream Transit Provider Chain

AS203834 (dedbropro-as) peers with two upstream transit providers, confirmed via BGP data: [11][14][15]

| ASN | Name | Country | Tier | Notable Upstreams | Significance |
|---|---|---|---|---|---|
| AS44901 | Belcloud | Bulgaria (BG) — EU | Regional transit / IP transit provider | Seabone (AS6762), Hurricane Electric (AS6939), Telefonica (AS12956), Level3/Lumen (AS3356), GTT (AS3257) | Primary IP transit path; Bulgarian routing consistent with IP geolocation data for DEDBROPRO addresses. Belcloud is a mid-tier Eastern European transit provider with connections to major Tier-1 carriers. EU jurisdiction creates potential de-peering leverage. |
| AS20764 | CJSC RASCOM | Russia (RU) | Russian ISP / transit provider | Cogent (AS174), Level3/Lumen (AS3356), Beeline/VimpelCom (AS3216), MTS (AS8359), TTK (AS20485), Rostelecom (AS12389) | Russian upstream path for AS203834. RASCOM is a legitimate Russian commercial ISP; its presence as a DEDBROPRO upstream is notable in that it routes DEDBROPRO through Russian network infrastructure despite the Estonian entity registration. RASCOM provides global connectivity to many clients and its routing of DEDBROPRO does not by itself indicate state coordination. See Section 07 for nexus assessment. |

Upstream De-peering History

No documented de-peering events against AS203834 were identified in this research pass. No BGP community posts, network operator mailing list (NANOG, RIPE NCC) discussions, or news reports citing upstream action against DEDBROPRO were found. This may reflect the provider's relatively low profile relative to larger BPH operations, or insufficient time depth given the AS was created in 2022. Absence of documented de-peering is explicitly noted here per schema requirements; it should not be interpreted as evidence that no complaints have been filed with Belcloud or RASCOM.

Resilience Techniques

DEDBROPRO's resilience posture, as evidenced by the available data, relies primarily on: (1) DDoS mitigation (500 Gbps claimed, likely via upstream scrubbing or a commercial DDoS protection service); (2) moderately persistent IP allocations (SectopRAT and Remcos C2 endpoints documented over multiple months rather than hours, suggesting slow-burn resilience rather than fast-flux techniques); and (3) a consolidated ASN and addressing structure that allows the operator to re-provision customer services within the same IP space when individual IPs are burned. No fast-flux DNS, domain generation algorithms, or Tor-based resilience mechanisms are documented for the DEDBROPRO platform itself, though individual criminal clients may use such techniques independently. [2][3][7][8]

Hosted Activity Types

| Activity Type | Documented Indicator | Source | Confidence |
|---|---|---|---|
| SectopRAT (ArechClient) C2 | 195.82.147.132:15747 — ThreatFox IOC #1520971, tagged botnet_cc, confidence HIGH, first seen 2025-05-13, AS203834 | abuse.ch ThreatFox [8][7][1] | Confirmed |
| Remcos RAT C2 | 195.82.147.97:443 — ThreatFox tag DEDBROPRO-AS, Remcos, tagged "unverified"; disclosed by @drb_ra on X, May 2025; Bulgaria geolocation | abuse.ch ThreatFox [7]; @drb_ra [6] | Credible (Note: Unverified tag in ThreatFox) |
| Generic malware distribution | 195.82.146.34 — URLhaus host, serving URLs https://195.82.146.34/888.exe and https://195.82.146.34/AMA.exe; first seen 2025-03-18 | abuse.ch URLhaus [9] | Confirmed (family not attributed in available data) |
| Network scanning and brute force | Operator-stated policy: "Scan, brute force and other projects are allowed on the servers upon agreement" | Carder.su advertisement [2] | Analyst Inference (policy implies hosting; no specific scanning source IPs documented) |
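One way a defender could triage egress connection logs against the indicators documented in this profile, keeping the profile's own confidence distinctions. This is an added example, not part of the original report or any abuse.ch tooling; the log format, the tier labels and the sample lines are constructed, and 195.82.147.x is treated as a /24 for matching only.

```python
import ipaddress
import re

# Indicators as documented in this profile. Tier labels are this example's own.
CONFIRMED_PREFIX = ipaddress.ip_network("195.82.146.0/24")  # RIPE allocation to AS203834
# The profile lists "195.82.147.x" with unconfirmed allocation status; matching it
# as a /24 is an assumption, so hits here get the lowest tier.
ADJACENT_PREFIX = ipaddress.ip_network("195.82.147.0/24")

C2_ENDPOINTS = {
    ("195.82.147.132", 15747): ("high", "SectopRAT C2 (ThreatFox, confirmed)"),
    ("195.82.147.97", 443): ("medium", "Remcos C2 (ThreatFox, tagged unverified)"),
}
C2_HOSTS = {ip for ip, _port in C2_ENDPOINTS}
DISTRIBUTION_HOSTS = {
    "195.82.146.34": ("high", "URLhaus malware distribution host"),
}
TIER_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample input (internal sources are RFC 1918, benign peers are TEST-NET).
SAMPLE_LOG = """\
2025-05-14T08:01:12Z 10.0.4.17 -> 195.82.147.132:15747 tcp
2025-05-14T08:01:15Z 10.0.4.17 -> 192.0.2.10:443 tcp
2025-05-14T08:02:40Z 10.0.7.3 -> 195.82.147.97:443 tcp
2025-05-14T08:03:05Z 10.0.7.3 -> 195.82.146.34:443 tcp
2025-05-14T08:04:19Z 10.0.9.21 -> 195.82.146.200:22 tcp
2025-05-14T08:05:00Z 10.0.9.21 -> 195.82.147.132:8080 tcp
2025-05-14T08:05:30Z 10.0.2.2 -> 195.82.147.5:53 udp
malformed line without fields
2025-05-14T08:06:00Z 10.0.2.2 -> 198.51.100.7:443 tcp
"""


def classify(dst, port):
    """Return (tier, reason) for a destination, or None when nothing matches."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    key = str(ip)
    if (key, port) in C2_ENDPOINTS:        # exact ip:port indicator
        return C2_ENDPOINTS[(key, port)]
    if key in DISTRIBUTION_HOSTS:          # host-level indicator, any port
        return DISTRIBUTION_HOSTS[key]
    if key in C2_HOSTS:                    # known C2 host, different port
        return ("medium", "documented C2 host contacted on an undocumented port")
    if ip in CONFIRMED_PREFIX:             # provider space, no specific IOC
        return ("medium", "destination in 195.82.146.0/24 (AS203834)")
    if ip in ADJACENT_PREFIX:
        return ("low", "destination in adjacent 195.82.147.x range")
    return None


def triage(log_text):
    """Parse log lines and return one finding per matching connection."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        hit = classify(m["dst"], int(m["port"]))
        if hit:
            tier, reason = hit
            findings.append({
                "ts": m["ts"], "src": m["src"],
                "dst": f'{m["dst"]}:{m["port"]}',
                "tier": tier, "reason": reason,
            })
    return findings


def hosts_by_worst_tier(findings):
    """Map each internal source to the most severe tier observed for it."""
    worst = {}
    for f in findings:
        current = worst.get(f["src"])
        if current is None or TIER_ORDER[f["tier"]] > TIER_ORDER[current]:
            worst[f["src"]] = f["tier"]
    return worst


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]} [{f["tier"]}] {f["reason"]}')
    print(hosts_by_worst_tier(results))
```
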

Blocklist Standing

| Blocklist | Status | Detail |
|---|---|---|
| ThreatFox (abuse.ch) | Listed | 307 IOCs on AS203834 ASN report (all IOCs with IPs hosted on this AS); 23 tagged sightings under DEDBROPRO-AS tag; first seen 2024-10-16, last seen 2025-05-30. Malware families: SectopRAT, Remcos. [1][7] |
| URLhaus (abuse.ch) | Listed | Host 195.82.146.34 documented serving malware URLs; first seen 2025-03-18. [9] |
| Spamhaus SBL / CBL / XBL / PBL | Unknown | Operator explicitly states "We do not hold Spamhaus. In case of receiving SBL, the service will be suspended" — indicating awareness of SBL exposure risk and a policy of selective ejection of SBL-triggering clients. Per-prefix SBL/CBL/XBL/PBL listing status was not confirmed via direct dataset query in this pass. This is an open item. [2] |
| Spamhaus DROP / EDROP | Unknown | AS203834 does not appear on the Spamhaus Don't Route or Peer (DROP) ASN list in available data; however, DROP inclusion is not routinely confirmed without direct query. No DROP listing found in this pass. |
| FireHOL Level 1 / Level 2 | Unknown / Probable | No direct FireHOL reference to AS203834 found in this pass. Given the abuse.ch telemetry volume and nature, inclusion in FireHOL level 2 or higher is probable but unconfirmed. |
| Feodo Tracker (abuse.ch) | Not Confirmed | No Feodo Tracker entries (banking trojans / botnets: Emotet, QakBot, IcedID, TrickBot, Dridex) specifically linked to AS203834 were found in this pass. The documented RAT families (SectopRAT, Remcos) are tracked via ThreatFox rather than Feodo Tracker. |
| MalwareBazaar (abuse.ch) | Not Confirmed | No MalwareBazaar samples explicitly linked to DEDBROPRO-AS were found in this pass. The generic PE executables served from 195.82.146.34 (888.exe, AMA.exe) may be indexed but family and MalwareBazaar status were not confirmed. |

Known Weaknesses and Single Points of Failure

Financial Infrastructure

Payment Methods

DEDBROPRO explicitly accepts "bitcoin and other cryptocurrencies" per the Carder.su advertisement. No fiat payment methods (credit card, bank transfer), legacy e-money services (WebMoney, QIWI, Payeer), or mainstream payment processors are mentioned in available advertising or on the commercial website. The exclusive use of cryptocurrency is standard for BPH operations targeting criminal clientele, as it reduces KYC exposure for both provider and client and makes payment tracing more complex. [2]

The billing platform at cp.dedbro.pro (ISPmanager/billmgr) confirms automated invoicing infrastructure; the payment integration within billmgr for cryptocurrency typically uses third-party payment gateways (common examples include CoinPayments or NOW Payments in the CIS BPH space). No specific payment gateway has been identified for DEDBROPRO. [3]

Wallet Clusters and On-Chain Analysis

No publicly documented Bitcoin or cryptocurrency wallet addresses are specifically linked to DEDBROPRO, dedbro.pro, Vault Dweller OU, or the handle "DedBro" in available open sources. No publications from TRM Labs, Chainalysis, Elliptic, or Crystal Blockchain addressing DEDBROPRO on-chain activity were identified in this research pass.

Analyst Inference: Typical BPH acquisition-layering-extraction patterns would suggest: direct BTC receipt from criminal clients to a provider-controlled address cluster (acquisition); movement through one or more hops using peer-to-peer exchanges, mixing services, or chain-hopping (layering); and conversion to fiat via OTC brokers or regulated exchange with lax controls (extraction). This pattern is speculative and not supported by direct evidence for DEDBROPRO specifically.

Sanctions and Risk Ratings

No sanctions designations have been imposed against DEDBROPRO, Vault Dweller OU, or the "DedBro" handle by any of the following as of June 2026: OFAC (U.S. Treasury SDN List), EU Official Journal (EU Consolidated Sanctions List), UK FCDO (UK Consolidated List), or any other national sanctions authority reviewed in this pass. The provider is de-facto high-risk for any counterparty (based on documented malware hosting and explicit criminal marketing) but is de-jure undesignated. No high-risk VASP classifications from FATF-aligned bodies or national financial intelligence units were identified. Financial risk is inferred from operational evidence; formal designation does not exist.

Client Profile and Hosted Operations

Crimeware Verticals by Evidence Tier

| Vertical | Evidence | Confidence |
|---|---|---|
| RAT / Botnet C2 (SectopRAT) | 195.82.147.132:15747 flagged botnet_cc, SectopRAT, high confidence, ThreatFox IOC #1520971, first seen 2025-05-13 | Confirmed |
| RAT / Botnet C2 (Remcos) | 195.82.147.97:443, ThreatFox tag DEDBROPRO-AS with Remcos label; corroborated by @drb_ra on X (May 2025); ThreatFox status: "unverified" | Credible (Unverified in ThreatFox) |
| Malware Distribution (generic PE) | 195.82.146.34 serving 888.exe and AMA.exe via HTTP, URLhaus, first seen 2025-03-18. Family not attributed in available data. | Confirmed (family unknown) |
| Network scanning / brute force | Explicitly stated in operator advertising as permitted "upon agreement" | Analyst Inference (policy implies hosting; no source IPs documented) |
| Ransomware infrastructure | No ransomware groups, affiliates, or leak sites linked to DEDBROPRO in available open sources | Not confirmed |
| Carding / fraud shops | No carding infrastructure documented on DEDBROPRO IPs in this pass despite Carder.su marketing channel | Not confirmed |
| DDoS-for-hire panels | Not documented; DDoS attacks against others are explicitly prohibited in operator terms | Not confirmed |

Client Geography and Target Profile

DEDBROPRO's CIS-exclusion policy ("Work on the CIS" is prohibited) has two practical implications: (1) it excludes victims in Russia, Ukraine, Belarus, Kazakhstan, and other CIS states, and (2) it signals the provider's likely target audience as CIS-based criminal operators who wish to avoid triggering domestic law enforcement scrutiny by harming their own constituencies. This pattern is consistent with the broader BPH norm in the CIS criminal ecosystem, where providers operating with Russian-language forums and Russian-origin operators routinely prohibit CIS-targeting to maintain a low-profile relationship with local authorities. [2]

The Carder.su advertising channel targets a Russian-language fraud and carding community. The confirmed RAT families (SectopRAT, Remcos) are general-purpose commodity RATs used across a wide range of criminal operations globally rather than being attributable to a specific nationality or criminal group.

Notable Hosted Cases

No law enforcement press releases, court documents, or major vendor case studies naming DEDBROPRO in connection with a specific criminal operation or high-profile incident have been identified in available open sources as of June 2026. Current documented evidence is limited to abuse.ch feed telemetry and a single researcher disclosure on X. This reflects the provider's relatively recent operational history and comparatively low profile relative to larger BPH operators with years of documented client activity.

Intelligence Gap: No Named Client Cases

State Nexus Assessment

Entity Registration Jurisdiction: Estonia (EE). Vault Dweller OU; RIPE LIR; EU member state; subject to Estonian company law and CERT-EE oversight.
Infrastructure Hosting Jurisdiction: Bulgaria (BG) — Assessed. IP geolocation of documented C2 IPs (195.82.147.x) points to Bulgaria. Upstream Belcloud (AS44901) is a Bulgarian provider. Specific facility unconfirmed.
Assessed Operator Location: Unknown. Estonian registration does not imply physical presence. CIS-exclusion policy suggests possible CIS-origin operator. No geolocatable signals in open sources.

State Nexus Tier Assessment

Assessed Tier: Tolerated Safe Harbor (Tier 2 of 4)

DEDBROPRO is assessed at Tier 2 (Tolerated Safe Harbor): the provider operates with apparent practical impunity across multiple jurisdictions without evidence of active enforcement or takedown, which is consistent with a degree of passive official tolerance. However, there is no positive evidence of state tasking, coordination, or explicit protection, which would be required to assess Tier 3 (Probable Cooperation) or Tier 4 (Direct Control). The assessment is based on operational persistence rather than any documented state relationship.

Evidence Supporting Tolerated Safe Harbor Assessment

Negative Evidence (Expected Indicators Absent)

The following indicators that would be expected if a higher-tier nexus existed are not present in available open sources:

RASCOM Upstream: Significance and Limitations

Analyst Inference: The presence of RASCOM (AS20764, Russia) as one of two upstream transit providers for AS203834 is notable. RASCOM provides connectivity to Cogent, Level3, Beeline, MTS, TTK, and Rostelecom, meaning DEDBROPRO traffic routes through Russian network infrastructure on the RASCOM path. This creates a technical visibility opportunity for Russian intelligence services that would not exist for a purely EU-routed provider. However, RASCOM serves thousands of legitimate commercial clients, and routing through Russian infrastructure is common for Eastern European providers with Russian commercial relationships. This indicator alone is insufficient to elevate the state nexus assessment above Tolerated Safe Harbor. It should be documented as a monitoring flag.

Law Enforcement and Regulatory Response

Documented LE and Regulatory Actions

No law enforcement arrests, indictments, criminal charges, civil actions, infrastructure seizures, domain takedowns, or sanctions designations specifically targeting DEDBROPRO, dedbro.pro, Vault Dweller OU, AS203834, or the "DedBro" handle have been documented in open sources as of June 2026. The provider appears to be fully operational across all documented channels (website, billing panel, Telegram, criminal forum advertising) with no disruption indicators observed.

Gap: No LE Actions Documented

2022-07-19: AS203834 (dedbropro-as) registered to Vault Dweller OU in RIPE. Earliest confirmed infrastructure marker. [4][5]
2024-09-02: AS203834 RIPE record last modified. May reflect a configuration update, peering change, or organizational update. [4][5]
2024-10-16: First ThreatFox sighting tagged DEDBROPRO-AS. Earliest documented abuse telemetry for AS203834 in available open sources. [7]
2025-03-18: URLhaus records IP 195.82.146.34 serving malware payloads (888.exe, AMA.exe). First documented malware distribution from DEDBROPRO address space. [9]
2025-03-13: RIPE record for AS203834 last updated (per BGP data sources). [4]
2025-05-13: ThreatFox IOC #1520971: 195.82.147.132:15747 confirmed as SectopRAT C2 with high confidence on AS203834. [8]
2025-05 (approx.): @drb_ra discloses Remcos C2 at 195.82.147.97:443 on DEDBROPRO-AS on X. Unverified in ThreatFox. Last DEDBROPRO-AS ThreatFox sighting: 2025-05-30. [6][7]
March 2026: Carder.su thread "Dedbro.pro – Bulletproof Dedicated Servers, VPS, VPN" posted by "DedBro" (Guest advertiser). Confirms continued active criminal marketing as of Q1 2026. [2]
June 2026: DEDBROPRO website (dedbro.pro/eng.html) and billing panel (cp.dedbro.pro) confirmed live. No LE or regulatory action documented. [3]

Post-Disruption Client Migration

Not applicable as of June 2026 — no disruption events have occurred.

Regulatory Leverage Points

Analyst Inference: The following regulatory and network-level leverage points are available to investigators or network defenders, in approximate order of accessibility:

Connected Groups and Ecosystem Relationships

The following connected entity assessments apply two independent confidence tiers per the schema requirement. Every claim includes both Tier 1 (infrastructure relationship: did this BPH host their infrastructure?) and Tier 2 (operational relationship: did the BPH operator know the client identity or coordinate operationally?) assessed independently.

SectopRAT Operators (ArechClient)
Commodity RAT / infostealer; general cybercriminal clientele; no specific threat actor attribution in available data
Two-Tier Confidence Assessment
Tier 1 — Infrastructure Relationship: Confirmed
Tier 2 — Operational Relationship: Analyst Inference
ThreatFox IOC #1520971 confirms 195.82.147.132:15747 as a SectopRAT (ArechClient / 1xxbot) botnet C2 endpoint with high confidence, on AS203834 (dedbropro-as), first seen 2025-05-13. Infrastructure hosting is confirmed via an independent, high-confidence community threat intelligence source. Tier 1 is CONFIRMED. Tier 2 is ANALYST INFERENCE: there is no evidence that the DEDBROPRO operator was aware of the client's identity as a SectopRAT operator or that any coordination occurred beyond a standard anonymous commercial transaction. The provider's no-KYC onboarding policy makes Tier 2 confirmation impossible from available data.
Corroborating: abuse.ch ThreatFox
Not assessed: Recorded Future, Mandiant, CrowdStrike, Secureworks, Proofpoint, Microsoft MSTIC
Remcos RAT Operators
Commodity commercial RAT; sold by BreakingSecurity (Italy); used across a wide criminal actor spectrum
Two-Tier Confidence Assessment
Tier 1 — Infrastructure Relationship: Credible
Tier 2 — Operational Relationship: Analyst Inference
IP 195.82.147.97:443 is tagged in ThreatFox under DEDBROPRO-AS with a Remcos label but carries a status of "unverified." The disclosure was corroborated by independent researcher @drb_ra on X in May 2025, who explicitly named DEDBROPRO-AS and Remcos C2. Tier 1 is assessed CREDIBLE: two independent sources (ThreatFox tag; @drb_ra researcher) link this IP to both DEDBROPRO infrastructure and Remcos C2, but the unverified ThreatFox status means this has not been fully validated by the abuse.ch community. Tier 2 is ANALYST INFERENCE for the same reasons as above: no-KYC onboarding makes operational relationship confirmation impossible.
ThreatFox status: Unverified
Corroborating: abuse.ch ThreatFox (tag, unverified)
Corroborating: @drb_ra (independent researcher, X/Twitter)
Not assessed: Recorded Future, Mandiant, CrowdStrike, Secureworks, Proofpoint, Microsoft MSTIC
Generic Malware Distributors (Unattributed)
Unknown actor(s) serving PE executables (888.exe, AMA.exe) from DEDBROPRO address space; family unattributed
Two-Tier Confidence Assessment
Tier 1 — Infrastructure Relationship: Confirmed
Tier 2 — Operational Relationship: Analyst Inference
URLhaus host records confirm 195.82.146.34 (on AS203834 dedbropro-as) was actively serving malware download URLs (https://195.82.146.34/888.exe and https://195.82.146.34/AMA.exe) beginning 2025-03-18. The hosting of these payloads on DEDBROPRO infrastructure is confirmed. The threat actor identity and malware family are not attributed in available URLhaus data. Tier 1 is CONFIRMED. Tier 2 is ANALYST INFERENCE as above.
Malware family: Not attributed in URLhaus record
Corroborating: abuse.ch URLhaus
Not assessed: Major AV/EDR vendors (family identification not found in this pass)

Entities with No Formal Assessment

The following security vendors and organizations have not published formal assessments of DEDBROPRO as of June 2026: Recorded Future, Mandiant (Google), CrowdStrike, Secureworks, Proofpoint, Microsoft MSTIC, Palo Alto Unit 42, Cisco Talos, Trend Micro, ESET, Kaspersky (public reporting), F-Secure/WithSecure, Group-IB, Team Cymru, SilentPush, DomainTools. This reflects the provider's relatively recent and lower-profile operational footprint compared to larger BPH operators that have attracted formal research attention.

Trajectory Assessment

Infrastructure Churn

Infrastructure churn for DEDBROPRO is assessed as LOW relative to more mature BPH operators. AS203834 has maintained a stable AS-name and single /24 allocation since creation in 2022 without documented rebranding, prefix changes, or upstream provider shifts. C2 infrastructure documented in the 195.82.147.x space showed persistence over months (ThreatFox first sighting 2024-10-16, last 2025-05-30) rather than days, indicating that clients are not being rapidly ejected or forced to rotate infrastructure. The Carder.su advertisement as of March 2026 uses identical contact details (Telegram, Jabber, website) as documented in earlier periods, confirming channel stability. [1][2][7]

Market Position

DEDBROPRO occupies the entry-level to mid-tier BPH market segment. Pricing ($5 VPS entry point, $149 dedicated server entry) is competitive with other smaller CIS-affiliated BPH providers but well below the scale of established large-capacity BPH operators (e.g., Media Land LLC, PROSPERO/Bearhost) with multi-ASN infrastructures and thousands of IPs. The addition of a 10 Gbps dedicated tier ($300+/month) since the Carder.su advertisement suggests incremental product expansion. The use of Carder.su — a well-established Russian-language carding forum — as the primary criminal advertising venue gives DEDBROPRO access to a large, established criminal audience without requiring invitation-only forum presence. [2][3]

Disruption History

No disruption events documented as of June 2026. The provider has not been subjected to LE-driven infrastructure seizures, upstream provider de-peering, domain takedowns, or sanctions designations. This is the baseline trajectory condition for an active, undisrupted provider.

Trajectory Direction

Assessed Trajectory: Active / Expanding

DEDBROPRO is assessed as an active and incrementally expanding provider. Key indicators: sustained criminal forum advertising (Carder.su, March 2026); confirmed live website and billing platform (June 2026 web fetch); documented abuse telemetry from late 2024 through mid-2025; product line expansion (10 Gbps tier added to website). The provider has not been disrupted and shows no operational degradation signals. Absent intervention, the trajectory is continued operation with possible growth in client base as criminal awareness of the service increases through forum advertising.

Mandatory Intelligence Gaps

Operator Identity

No real name, additional handles, date of birth, nationality, or confirmed location identified. The handle "DedBro" and entity "Vault Dweller OU" are the only attributable identifiers. This is the most significant gap for any legal or sanctions action.

Full IP Prefix Inventory

Only 195.82.146.0/24 is confirmed as a RIPE allocation. C2 activity in 195.82.147.x suggests possible additional ranges; the full address space controlled by AS203834 was not independently enumerated in this pass.
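
The practical consequence of this gap for detection, as an added example (not part of the original profile): a block or alert built only on the confirmed 195.82.146.0/24 allocation does not cover either documented C2 endpoint, so matches are graded by exact endpoint first and by prefix second. The log format, internal source addresses and function names are constructed for illustration, and treating 195.82.147.0/24 as a single range is an assumption drawn from the "195.82.147.x" wording.

```python
import ipaddress

CONFIRMED_PREFIX = ipaddress.ip_network("195.82.146.0/24")  # RIPE allocation, AS203834
ADJACENT_RANGE = ipaddress.ip_network("195.82.147.0/24")    # C2 documented; allocation unconfirmed
# (ip, port) -> (label, status). Port None = any port (assumption: URLhaus lists URLs, not ports).
DOCUMENTED = {
    ("195.82.146.34", None): ("malware distribution (URLhaus)", "confirmed"),
    ("195.82.147.132", 15747): ("SectopRAT C2 (ThreatFox #1520971)", "confirmed"),
    ("195.82.147.97", 443): ("Remcos C2 (ThreatFox tag, @drb_ra)", "unverified"),
}
# Constructed sample, one connection per line: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2025-05-14T09:12:03Z 10.0.4.21 195.82.147.132 15747
2025-05-14T09:12:40Z 10.0.4.33 195.82.147.97 443
2025-05-14T09:13:10Z 10.0.4.33 195.82.146.34 443
2025-05-14T09:14:02Z 10.0.7.5 195.82.146.200 22
2025-05-14T09:15:55Z 10.0.7.5 195.82.147.132 443
2025-05-14T09:16:01Z 10.0.7.9 192.0.2.10 443
"""

def classify(dst_ip, dst_port):
    """Grade one destination: exact documented endpoint, prefix hit, or no match."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return ("invalid", dst_ip)
    for key in ((str(addr), dst_port), (str(addr), None)):
        if key in DOCUMENTED:
            return ("ioc-" + DOCUMENTED[key][1], DOCUMENTED[key][0])
    for kind, net in (("confirmed-prefix", CONFIRMED_PREFIX), ("adjacent-range", ADJACENT_RANGE)):
        if addr in net:
            return (kind, str(net))
    return ("no-match", "")

def scan(log_text):  # -> [(src, dst, port, kind, detail)] for every line that matches
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3].isdigit():
            kind, detail = classify(fields[2], int(fields[3]))
            if kind != "no-match":
                hits.append((fields[1], fields[2], int(fields[3]), kind, detail))
    return hits

def prefix_only_misses():  # documented endpoints outside the confirmed /24
    return sorted(ip for ip, _ in DOCUMENTED if ipaddress.ip_address(ip) not in CONFIRMED_PREFIX)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), prefix_only_misses())
```

An "adjacent-range" hit is a lead to verify against current BGP and RIPE data, not an attribution to AS203834.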

Spamhaus SBL / CBL / XBL Per-Prefix Status

Operator claims "we do not hold Spamhaus" but per-prefix listing status was not confirmed via direct Spamhaus dataset query. Current SBL standing for 195.82.146.0/24 is unknown.

Upstream De-peering History

No documented de-peering events identified. Whether Belcloud or RASCOM have received and acted on abuse complaints regarding AS203834 is unknown.

On-Chain Wallet Cluster

No Bitcoin or cryptocurrency wallet addresses publicly linked to DEDBROPRO. No on-chain analysis from TRM Labs, Chainalysis, Elliptic, or Crystal. Financial flow cannot be traced without this data.

Reseller or Affiliate Arrangements

No named resellers or affiliates identified. The provider appears to sell directly to end criminal clients. Whether wholesale or white-label arrangements exist with other BPH or hosting entities is unknown.

Data Center Facility Names

No specific colocation facilities or data center names in Bulgaria or elsewhere confirmed. Physical infrastructure location beyond IP geolocation is an open gap.

Criminal Client Roster Beyond Documented C2 Cases

Current documented clients limited to SectopRAT operators, possible Remcos operators, and an unattributed malware distributor. Whether ransomware affiliates, carding operations, or other verticals are present on DEDBROPRO infrastructure is not confirmed.

Recent Reporting

Source Integrity Notes

Source Misattribution Flagged: Spamhaus "New Kid in Town" Article (2019)

The underlying research cited the Spamhaus article "Bulletproof hosting – there's a new kid in town" (December 2019) as a source for DEDBROPRO. Follow-on research confirms this article is NOT about DEDBROPRO. The article describes a 2019 BPH operation that rented VPS from legitimate Russian hosting providers (simplecloud.ru, reg.ru, etc.) and used reverse-proxy chains, with DNSpod for DNS. This operation is entirely distinct from DEDBROPRO's model (owned ASN, direct dedicated server and VPS sales). The 2019 article does not mention DEDBROPRO, dedbro.pro, AS203834, or Vault Dweller OU. It is cited here for context but should not be attributed to DEDBROPRO as a source.

AS47105 Reference: Likely Data Quality Issue

One source in the underlying research cited "AS47105 dedbropro" in connection with IP 195.82.146.34. Follow-on BGP verification confirms 195.82.146.0/24 is allocated to AS203834 (Vault Dweller OU), not AS47105. AS47105 is a distinct ASN. The discrepancy reflects stale or inaccurate ASN lookup data in the upstream source. AS203834 is the sole confirmed autonomous system for DEDBROPRO.

Open-Source Researcher Disclosure

The most specific recent open-source reporting on DEDBROPRO beyond abuse.ch feeds is a May 2025 X post by researcher @drb_ra disclosing Remcos C2 infrastructure on DEDBROPRO-AS at 195.82.147.97:443. This is a single-source disclosure tagged as unverified in ThreatFox. No major security vendor has published a formal technical report or blog post on DEDBROPRO as of June 2026. The provider remains below the attention threshold of mainstream threat intelligence publication cycles. [6]

Sources

[2] Dedbro.pro – Bulletproof Dedicated Servers, VPS, VPN — Carder.su forum thread, handle "DedBro," March 2026
[3] DEDBRO.PRO/ENG — Commercial website (English) — dedbro.pro, fetched June 2026
[4]
[6] DEDBROPRO-AS #c2 #Remcos #unverified — @drb_ra, X (Twitter), May 2025
[7] ThreatFox — IOCs tagged DEDBROPRO-AS — abuse.ch ThreatFox; first seen 2024-10-16, last seen 2025-05-30, 23 sightings
[8] ThreatFox IOC #1520971 — 195.82.147.132:15747 / SectopRAT C2 — abuse.ch ThreatFox; confidence HIGH, first seen 2025-05-13
[9] URLhaus — Host 195.82.146.34 — abuse.ch URLhaus; malware URLs 888.exe and AMA.exe, first seen 2025-03-18
[12] AS203834 Vault Dweller OU — bgp.he.net (Hurricane Electric BGP Toolkit)
[13] Vault Dweller OU — RIPE Network Coordination Centre — RIPE NCC membership / LIR index
[14] AS44901 belcloud — bgp.he.net; Bulgarian IP transit provider; DEDBROPRO upstream 1
[15] AS20764 CJSC RASCOM — bgp.he.net; Russian ISP; DEDBROPRO upstream 2