A Cold War bunker in a small German town housed darknet internet servers that facilitated illegal online activity. The group allegedly operating the servers are on trial — but are they responsible for 250,000 crimes?
Germany’s largest-ever cybercrime trial began this week amid much media fanfare at the district court in the city of Trier. The courtroom was packed. Defendants and their lawyers were wearing face masks and separated by plastic screens.
On the first day the judge took two hours to read out the charges. On the second, three of the eight defendants were given the opportunity to tell their life stories.
The eight people — four Dutch, three German and one Bulgarian — worked at the Cyberbunker data center at a disused military bunker in the pretty village of Traben-Trarbach, northwest of Trier.
They are now charged with aiding and abetting criminals in some 249,000 illegal online transactions involving drugs, contract killings, money laundering and images of child abuse worth millions of euros.
In September 2019, a major police operation that had been in the works for half a decade raided the bunker and closed it down. Key members of the group were arrested.
The alleged ringleader of the operation, 60-year-old Dutchman Johan X.*, remained impassive and silent throughout the first days of questioning, listening to the testimony of the first three defendants.
Dutchman Michiel R.* who worked as a “manager” at the bunker, summed up his checkered job history and gave a tearful description of his close relationship with his mother. Jaqueline B.*, a German who acted as a “bookkeeper” for the operation, spoke of her childhood in Cameroon growing up as the daughter of a poor farmer. A 21-year old German IT expert who spent a year working in technical support described his solitary life and history of depression.
There has been much focus in the international media on the bunker the group used for its operation.
The massive construction was built during the Cold War to house a NATO command center. It sits on a hill overlooking a small town of 6,000 people, mostly known for its Riesling wine vineyards.
“We are tourist-oriented here; it really is very picturesque,” explained Patrice-Christian-Roger Langer, mayor of Traben-Trarbach. He knows the bunker well because he worked there as a computer programmer in the 1980s and 1990s.
“It is like a giant root system,” he said. “Only one story is above ground and four are underground. The only way to differentiate between each floor is through color-coding on the walls. Visitors would often come and have no idea if they were at ground level or tens of meters underground.”
After the end of the Cold War, the bunker gradually fell into disuse and the German government eventually sold it to Johan X. in 2013. Langer said the town council had no say in the sale, and there was much speculation about Johan X. and his plans for the bunker.
“So I phoned him up and asked if I could come to visit,” said Langer. “He said I could come any time, I just needed to give a little notice because of the guard dogs. And he really was very open — I visited twice and could look behind every door I wanted to. Not that much appeared to have changed since my time working there.”
Johan X. promised that his new IT hub would offer at least 80 jobs to the local community, which Langer said were badly needed. He also pledged to set up an IT training center. But he remained vague about the exact nature of his operation.
None of his promises materialized, and rumors continued to fly among the townspeople — that X. was producing drugs or buying and selling weapons in the bunker.
Then, in September 2019, Langer was attending a meeting in a neighboring town and received a WhatsApp notification: police vans and helicopters were at the bunker. He raced back to Traben-Trarbach to find the bunker had been raided.
Only then did Langer and the other residents of the town hear of what may have been going on and the dark web empire that X. had allegedly been running.
Johan X. and the other defendants are accused of having run a “bulletproof hosting” service for websites, in which they offered clients the opportunity to run secret online operations.
“There is no consistent meaning for the dark web,” explained Steven Murdoch, expert in security engineering at University College London. “Most commonly it is used as a reference for sinister stuff on the Internet — because it sounds a bit sinister. And bulletproof hosting is entirely unrelated to the dark web, but sometimes might involve the same people.”
Johan X. expressly offered “bulletproof hosting” for Cyberbunker customers from the beginning, which allowed clients to access the darknet, where some of the internet’s most nefarious operations take place. He initially advertised that Cyberbunker would host websites with anything except “child pornography and anything related to terrorism.”
“Bulletproof hosting is for services that are normal internet services but are either illegal or illicit,” said Murdoch. “But it is important to remember that most bad stuff on the internet happens on the normal internet.” He cited one study by the British Internet Watch Foundation into child abuse images and found that less than 1% of those images were accessed through so-called onion services, that help anonymize the user.
Investigators are still examining the contents of hundreds of physical and virtual servers that the bunker housed and say they have yet to find any content not related to illegal activity. But Murdoch said it is still just about conceivable that a service host provider might not know about the nature of their customers’ online activity — especially if they consciously turned a blind eye.
“The principle that organizations are not responsible for their customers is a good one, and quite widely held,” said Murdoch. “As soon as you are a large organization, there will be terrible people using your services. So the question is — what proportion of your customers are terrible people?”
The proportion is the key part because major internet hosting services like Amazon may well facilitate millions of cases of illegal online activity. But given their mammoth size, this makes up only a tiny proportion of their service, Murdoch pointed out.
The defense attorneys this week argued that the group around Johan X. were unaware of what content and transactions were being carried out on the websites hosted by the bunker’s servers.
With the trial set to last over a year, the public prosecutor says the trial will cover “new legal ground.”
Even if prosecutors can prove that Johan X. and his team knew about the activity, the key question of the trial is whether an internet service provider has any right to act on this knowledge.
Germany is a country where data privacy is fiercely protected: electronic payment methods are still unusual in large swaths of the country partly because of fears about data mining. Mayor Langer is among those who see the case as an opportunity to reexamine some of these regulations.
“I work with children, and I have to have my internet search history and personal background checked by the police every year,” he said. “But this man can run an operation facilitating the sale of images of child abuse and he can claim lack of knowledge because of data security? Something has to change.”
The trial is set to last until December 2021 at the earliest as the prosecutors go through the thousands of charges leveled at the defendants. The available evidence indicates that a guilty verdict is far from certain. But Murdoch said that law enforcement often keeps key pieces of evidence up their sleeves in cases like this.
“We’ll probably never know exactly what went on [in the bunker],” he said.