23 April 2025
Exactly one year ago, Qurium traced a series of DDoS attacks targeting Meduza —a prominent Russian-English independent news outlet in exile—back to “Plain Proxies”, a proxy service operated by the German company 3xK Tech GmbH.
This time the victim of the attacks once again launched from 3xK Tech’s infrastructure is iStories (Important Stories) – an independent Russian media outlet specializing in investigative journalism.
Just like Qurium’s previous investigations into residential and data center proxies have shown, the companies behind these services consistently seek to avoid accountability. Their offerings are deliberately tailored to support the “scraping industry,” which relies on the automated extraction of data from websites and other digital sources.
Between the evening of April 18 and the early hours of April 19, 2025, the service “Plain Proxies” was used to launch multiple waves of denial-of-service attacks against iStories. These attacks, intended to take the website offline, generated millions of web requests targeting the landing page, originating from over 10,000 unique IP addresses.
The large majority of the addresses originated from 3xK Tech GmbH, a German company registered in Schorfheide (Germany) that offers proxies using the brands lightningproxies.net, proxies.fo, proxies.gg, sparkproxies.net, strikeproxy.com or catproxy.io.
A big part of the addresses run by “Plan Proxies” are announced by AS200373, that obtains several blocks of IP space from “Cloud Innovation Support” also known as “Larus”. Larus is notorious for leasing IP space to VPN and Proxy Providers.
Flood with signatures
Proxy Providers like “Plain Proxies” might argue that this is just “a rogue client” not using their infrastructure in they way it is intended, but the reality is that scraping infrastructure is by design attracting all kind of grey/black clients.
Friedrich Kraft (FraftDev) promotes its service in Black Hat World Forum as a primer data web collection infrastructure designed “to prevent rate limiting”.
A detail analysis of the floods against iStories shows signs of custom code to bypass Cloudflare protections such as the cf_clearance cookie.
Plain Proxies response
Qurium reached out to “Plain Proxies” to inform about the attacks, and received a response that perfectly summarizes how this industry operates. If the proxy provider receives an abuse complaint, the “victim” website is blocked from the malicious service so the abuse stops – for that site! The malicious user can continue its shady operations against all other websites and online services. Unfortunately, “Plain Proxies” have not explained how such attacks can take place and what measures are implemented so the service is not weaponized to conduct denial of service attacks.
Hello
Given the misleading and false statements your organization published about us last year, we have no intention of cooperating with you now or in the future.
Your actions made your intentions clear, and as a result, we do not consider your organization a trustworthy party for any form of dialogue.
We will handle the abuse report independently and will proceed with blocking the website within our infrastructure.
Sincerely,
Friedrich Kräft