Bulletproof hosting (BPH) is technical infrastructure service provided by an internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks. BPH providers allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation, despite takedown court orders and law enforcement subpoenas, allowing such material in their acceptable use policies.

BPH providers usually operate in jurisdictions which have lenient laws against such conduct. Most non-BPH service providers prohibit transferring materials over their network that would be in violation of their terms of service and the local laws of the incorporated jurisdiction, and oftentimes any abuse reports would result in takedowns to avoid their autonomous system's IP address block being blacklisted by other providers and by Spamhaus.

BPH first became the subject of research in 2006 when security researchers from VeriSign revealed the Russian Business Network, an internet service provider that hosted a phishing group, was responsible for about $150 million in phishing-related scams. RBN also become known for identity thefts, child pornography, and botnets. The following year, McColo, the web hosting provider responsible for more than 75% of global spam was shut down and de-peered by Global Crossing and Hurricane Electric after the public disclosure by then-Washington Post reporter Brian Krebs on his Security Fix blog on that newspaper.

Since any abuse reports to the BPH will be disregarded, in most cases, the whole IP block ("netblock") assigned to the BPH's autonomous system will be blacklisted by other providers and third party spam filters. Additionally, BPH also have difficulty in finding network peering points for establishing Border Gateway Protocol sessions, since routing a BPH provider's network can affect the reputation of upstream autonomous systems and transit provider. This makes it difficult for BPH services to provide stable network connectivity, and in extreme cases, they can be completely de-peered; therefore BPH providers evade AS's reputation based fortification such as BGP Ranking and ASwatch through unconventional methodologies.

According to a report, due to their mounting difficulties, BPH providers engage in establishing reseller relationships with lower-end hosting providers; although these providers are not complicit in supporting the illegitimate activities, they tend to be lenient on abuse reports and do not actively engage in fraud detection. Therefore, BPH conceals itself behind lower-end hosting providers, leveraging their better reputation and simultaneously operating both bulletproof and legitimate resells through the sub-allocated network blocks. However, if the BPH services are caught, providers of BPH migrate their clients to a newer internet infrastructure—newer lower-end AS, or IP space—effectively making the blacklisted IP addresses of the previous AS ephemeral; thus continuing to engage in criminal conduct by modifying the DNS server's resource records of the listening services and making it point to the newer IP addresses belonging to the current AS's IP space. Due to privacy concerns, the customary modes of contact for BPH providers include ICQ, Skype, and XMPP (or Jabber).

Most BPH providers promise immunity against copyright infringement and court order takedown notices, notably Digital Millennium Copyright Act (DMCA), Electronic Commerce Directive (ECD) and law enforcement subpoenas. They also allow users to operate phishing, scams (such as high-yield investment program), botnet masters and unlicensed online pharmacy websites. In these cases, the BPH providers (known as "offshore providers") operate in jurisdictions which do not have any extradition treaty or mutual legal assistance treaty (MLAT) signed with the Five Eyes countries, particularly the United States. However, most BPH providers have a zero-tolerance policy towards child pornography and terrorism, although a few allow cold storage of such material given forbidden open-accessibility via the public internet.

Prevalent jurisdictions for incorporation and location of the data centers for BPH providers include Russia (being more permissive), Ukraine, China, Moldova, Romania, Bulgaria, Belize, Panama and the Seychelles.

BPH services act as network infrastructure providers for activities such as cybercrime and online illicit economies, and the working model of the cybercrime economies surrounds upon tool development and skill-sharing among peers. The development of exploits, such as zero-day vulnerabilities, are done by a very small community of highly-skilled actors, who encase them in convenient tools which are usually bought by low-skilled actors (known as script kiddies), who make use of BPH providers to carry out cyberattacks, usually targeting low-profile unsophisticated network services and individuals. According to a report produced by Carnegie Mellon University for the United States Department of Defense, low-profile amateur actors are also potent in causing harmful consequences, especially to small businesses, inexperienced internet users, and miniature servers.