Collateral blocking in Kazakhstan traced back to illegal prostitution ring

On the 31st of July 2019, hundreds of websites became unreachable from inside Kazakhstan, and for several days no one knew why. This article investigates the real target of the blocking, “Rainbow Spa”, and its connection to an illegal prostitution ring.

The first reports of the massive blocking appeared on social media and pointed to a filter on two IP addresses that Kazakhstan Telecom had implemented in its infrastructure. As most providers route their traffic via the national operator, the affected sites were inaccessible throughout the country.

Kazakhstan Network Overview. Providers route traffic via Kazakhtelecom AS9198

The two filtered IP addresses belonged to a client hosted with Tilda Publishing, a Russian website-builder that enables quick deployment of websites. It took a day for Tilda to react to the blocking while many of their customers’ websites were unreachable in Kazakhstan.

Tilda re-allocates customers to new data center

The first hint of the blocking came from Tilda themselves, when they publicly announced on a simple website, the kzalert site, that clients experiencing problems had to change their website location to a new IP address ( pointing to the commercial hosting provider

Blocked websites are asked to re-allocate to one IP address inside Kazakhstan

Two days later, on August 2nd, Tilda informed their customers that they were blocked by a Kazakhstan Telecom filter and asked them to move their websites to yet another IP address, in this case

Affected sites requested to move to Kazteleport and DDOS-Guard

On August 8th, at least 800 domains and subdomains affected by the IP blocking had migrated to a new hosting address at Kazteleport, a data center that is a subsidiary of Halyk Bank. All the domains are protected against denial-of-service attacks by DDOS-Guard, a Russian company that provides services to the Russian Ministry of Defense.

It is unclear to us why the “DDoS protection” was used as a justification for moving the websites to Kazteleport.

A list of domains that migrated to the data center follows below:

Why were hundreds of websites blocked?

A statement from Kazakh Telecom on the 1st of August reported that the blocking was enforced against the website The website was hosted on the Tilda Publishing platform at the IP addresses: and According to their report, a court order was issued to block the website, which contained videos and pornographic material that violated the “media law” and the “law that protects the rights of the child”.

As the website shared its IP addresses with many others, all of them were brought down. The blocked websites included Manusq Media and the Clique Film Festival.

A website with .kz domain

The first thing that caught our attention was that the controversial website uses a .kz domain, and we wonder why the court order was not sent to the domain registrar, ICPS (Internet Company PS, “Интернет-компания PS”).

Not until the 7th of August, one week after the IP blocking, did the registrar's records show that the domain had been put on hold (serverHold) due to “bad owner information”.

What is

By the time of the public alert, the website was already offline and we could not obtain any copies of the content. We looked into the contact details of the domain and its registration address: Сатпаева, 30а к2.

To our surprise, at that address we found a business with the name “R.N.B.W. massage salon”. The “massage business” “RaiNBoW” offers erotic massage services. Could this be

More domains linked

We looked for all the domains that resemble the blocked site. It is not uncommon to see businesses of this type running multiple websites. During our search we found two more domains: and

Both domains were registered in May and June 2019; they share a postal address (Satpaeba, 30a K2, Tengiz Towers, Almaty) and a phone number (774 713 77 621).

R.N.B.W – Erotic massage
  • 2019-06-23 22 MEGAHOST
  • 2019-05-11 11 ICPS (mail from Бизнес-Технологии?”
  • 2019-06-10 12 ICPS
  • 2019-03-01 04 MEGAHOST and share content, address and phone contact

Rnbw Luxury Body-Spa is registered with phone contact +7(747)137-76-21 as a place to find prostitutes.

RNBW classified as a brothel in Almaty

Prostitution rings under .kz

During our research we also found several websites that offered information about how to find prostitutes in Kazakhstan. Although prostitution is itself legal, acts facilitating prostitution, such as operating a brothel or prostitution ring, are illegal. It comes as a surprise that a country that purports to protect its citizens from cybercrime by screening all communications is not acting on obvious cases of human trafficking that can be found using a search engine.

Contact details and bogus e-mail addresses

Several e-mail addresses seem to be connected to the domains, and

  • grgburdell might refer to the fictitious student George P. Burdell
  • that appears in the SOA record of rnbw-spa is connected with Askar Aldasugirov, who runs several cleaning companies: Tazaline Cleaning and DI-Cleaning.
dig SOA 86400 IN SOA 2019080503 10800 3600 604800 10800
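
How a contact address ends up in an SOA record, as an added example that is not part of the original article: the RNAME field stores the zone administrator's mailbox with the "@" written as a dot, and the serial is conventionally a date plus a revision counter. The zone, name server and mailbox names below are constructed placeholders; the TTL, serial and timers are the values in the dig output above.

```python
import re

from datetime import date

# Constructed single-line SOA answer: names are placeholders, numbers are from the article.
SAMPLE = ("example.kz. 86400 IN SOA ns1.example.kz. "
          "admin\\.name.mail.example. 2019080503 10800 3600 604800 10800")


def rname_to_email(rname):
    # RFC 1035 mailbox encoding: the first unescaped dot separates the local
    # part from the domain; a dot inside the local part is written as "\.".
    rname = rname.rstrip(".")
    sep = re.search(r"(?<!\\)\.", rname)
    if sep is None:
        raise ValueError(f"no domain part in RNAME: {rname!r}")
    local = rname[:sep.start()].replace("\\.", ".")
    return f"{local}@{rname[sep.end():]}"


def serial_to_date(serial):
    # Interpret a YYYYMMDDnn serial as (date, revision). This is only a
    # convention, so return None when the number does not fit it.
    digits = str(serial)
    if len(digits) != 10:
        return None
    try:
        day = date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:
        return None
    return day, int(digits[8:])


def parse_soa(line):
    # Layout: zone TTL IN SOA mname rname serial refresh retry expire minimum
    fields = line.split()
    if len(fields) != 11 or fields[2:4] != ["IN", "SOA"]:
        raise ValueError("not a single-line SOA answer")
    serial, refresh, retry, expire, minimum = map(int, fields[6:])
    return {
        "zone": fields[0].rstrip("."), "ttl": int(fields[1]),
        "primary_ns": fields[4].rstrip("."),
        "contact": rname_to_email(fields[5]),
        "serial": serial, "last_edit": serial_to_date(serial),
        "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
    }


if __name__ == "__main__":
    for key, value in parse_soa(SAMPLE).items():
        print(f"{key:>10}: {value}")
```

Read this way, the serial 2019080503 corresponds to the third zone edit on 5 August 2019.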

Open questions

Looking at the domain details it seems possible that is one more placeholder of Rainbow Luxury Spa sites ( and

  1. Why was the court order not sent to the domain registrar, Internet Company PS?
  2. Why did Tilda Publishing not receive any notification of such illegal content on their platform?
  3. Why were hundreds of websites blocked because of a website that might have two similar copies still online?
  4. Why were the blocked websites asked to relocate to a server inside Kazakhstan to remain online?

Annex – Rainbow-spa associated domains