German investigators shut down a "criminally operated data center" in a former NATO bunker that they claim was used to host sites selling drugs, child pornography and illegal botnets.

More than 600 police officers stormed the 'CyberBunker' data center in Traben-Trarbach, western Germany, where they seized roughly 200 servers. Seven people were arrested.

Bunker mentality

Bunker Police
Police gather outside the bunker – German Police

Prosecutor Juergen Bauer told reporters that alongside the seven arrests, the long-running investigation has thirteen people aged 20 to 59 under investigation. None of the suspects were at the data center at the time, with the arrests taking place at a local restaurant and in Schwalbach, outside Frankfurt.

There were separate raids in the Netherlands, Poland, and Luxembourg.

Among the illegal services allegedly hosted at the German data center were Cannabis Road, Fraudsters, Flight Vamp 2.0, orangechemicals, and the world's second-largest narcotics marketplace, Wall Street Market. Police also claim that a large-scale attack on approximately one million Telekom routers at the end of November 2016 was operated via a server in the bunker.

The former NATO facility was acquired in 2013 from the Office for Geoinformation of the Bundeswehr, by an unidentified Dutchman, who is the chief suspect. Press reports at the time describe the site as a multi-story protective structure with a floor space of 5,500 square meters. It has two adjacent office buildings with a total floor space of 4,300 square meters and is set on 13-hectares of land.

Bunker
The site highlighted in a 2012 sales document – Institute for Federal Real Estate (BImA)

A 2012 article in Immobilien Zeitung reveals that the site was already being used as a data center by the military, and has four underground stories reaching a depth of 25 meters.

The Dutchman, now 59, upgraded the bunker "in order to make it available to clients, according to our investigations, exclusively for illegal purposes," regional criminal police chief Johannes Kunz said. "I think it's a huge success... that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level," Kunz added.

"We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."

When the bunker was purchased in 2013, the buyer was not identified, but said that he was also involved with CyberBunker, the alleged operator of a Dutch data center in its own Cold War bunker. In 2013, now-defunct data center company 'Bunker Infra' claimed CyberBunker was using images of its bunker, and was not based in the Dutch site.

CyberBunker previously said it would host "services to any Web site 'except child pornography and anything related to terrorism.'" The company's website is now unavailable.

The location of the Traben-Trarbach facility matches that of Calibour, a company that said it operated a NATO-bunker based secure data center. Its website is now also unavailable. The CEO and MD of Calibour, Herman-Johan Xennt, claimed to own CyberBunker as of 2010.

The case against those charged is still developing, and there are as yet no formal identifications or charges. While 200 servers were seized, some reports suggest that there could be as many as 2,000 at the facility. Kunz told reporters the analysis of the data could take years to complete.

Further reading