December 7th 2024.
In Reykjavik, Iceland, there is a modern office building near the harbor that is known for housing the Icelandic Phallological Museum. It's quite an unusual attraction, as it displays 320 mammal penises. But for those who are familiar with cyber mischief, this building has a different reputation. It's considered a virtual offshore haven for some of the most notorious perpetrators of identity theft, ransomware, disinformation, and other illegal activities.
The street address of the museum, Kalkofnsvegur 2, is also the registered address for a company called Withheld for Privacy. This company is part of a rapidly growing and largely unregulated industry in Iceland and other parts of the world. It allows individuals who operate online domains to keep their identities hidden. While this practice is commonly used by website owners to protect themselves from harassment or spam, it has also been misused by others to evade regulators, law enforcement, or victims.
Withheld for Privacy, which was created in 2021 by Namecheap, one of the largest providers of websites, has been responsible for shielding tens of thousands of questionable internet domains. Local authorities have even struggled to reach the company's representatives when issues arise. Recently, researchers at Syracuse University discovered the penis museum while trying to track down the owners of a website that had spent over $1 million on fraudulent political ads targeting supporters of former President Donald Trump.
This scam was designed to trick victims into sharing their credit card information and committing to expensive monthly payments. Fortunately, Facebook's owner, Meta, took action and shut down the ads and blocked the domain behind them. However, there are countless similar websites on the internet that are trying to deceive or scam unsuspecting users. And with the help of proxy services like Withheld for Privacy, it's becoming even harder to catch or identify these perpetrators.
Jon Stromer-Galley, a research software engineer at Syracuse's Institute for Democracy, Journalism, and Citizenship, describes it as the internet version of "giving the bird." Due to Withheld for Privacy's use of the building's address as a default for its clients, Kalkofnsvegur 2 has been linked to various illegal activities. These include a white supremacist group in the United States using online forums to sell counterfeit hormone drugs to trans women, phishing sites posing as well-known companies like Amazon and Spotify to steal personal information and money from visitors, and Russian influence campaigns spreading false information to unsuspecting Americans.
The Russian efforts, which have been linked to President Vladimir Putin's administration, involve more than 130 fake news outlets that were registered this year by a former deputy sheriff living in Moscow, John Mark Dougan. One of his recent endeavors was a staged interview on a website for a non-existent TV channel in San Francisco, claiming that Vice President Kamala Harris was involved in a hit-and-run accident in 2011.
Iceland is an attractive location for proxy services due to its strict privacy laws. These laws were initially intended to protect ordinary internet users from authoritarian governments, but they have also been exploited by criminals and fraudsters. Mordur Ingolfsson, a former member of Iceland's parliament, helped enact some of the country's first internet privacy laws. He explains that their goal was to create a "Switzerland of bytes," a place where individuals could have their online privacy protected. However, this has led to the abuse of those laws.
Despite repeated attempts to reach out to Withheld for Privacy and Namecheap, neither company has responded to requests for comment. The head of supervision for Iceland's Data Protection Authority, Valborg Steingrimsdottir, states that these companies' services are only meant to hide the real controllers' identities. Internet domains, which function as the online version of a street address, have been regulated by the Internet Corporation for Assigned Names and Numbers (ICANN) since 1998. Up until 2018, anyone looking to use a domain was required to disclose their contact information, which was then made publicly available. However, with the implementation of the General Data Protection Regulation by the European Union, individuals can now shield their contact information in most cases. Proxy protection has become a default feature for many.
In the bustling city of Reykjavik, Iceland, there is a unique office building near the harbor that houses the Icelandic Phallological Museum. This museum is known for its collection of 320 mammal penises. However, among those who keep a close eye on cyber mischief, this building also has a different reputation. It is believed to be a virtual offshore haven for some of the world's most notorious perpetrators of identity theft, ransomware, disinformation, fraud, and other illegal activities.
The building's street address, Kalkofnsvegur 2, is not only home to the Phallological Museum but also serves as the registered address for a company called "Withheld for Privacy." This company is part of a booming and largely unregulated industry in Iceland and other countries that allows website owners to conceal their identities. While this practice is common for those seeking protection from harassment or spam, it has also allowed for individuals to hide from regulators, law enforcement, or victims.
As a result, Iceland has become a global hub for illicit activities, despite its small size. Withheld for Privacy, which was established in 2021 by Namecheap, one of the largest providers of websites in the world, has effectively shielded tens of thousands of dubious internet sites. Local authorities have even struggled to reach the company's representatives when issues have arisen.
Recently, researchers at Syracuse University stumbled upon the infamous penis museum when attempting to track down the owners of a website that spent $1.3 million on fraudulent political ads targeting supporters of former President Donald Trump. The scam aimed to trick victims into sharing their credit card information and unknowingly committing to expensive monthly payments. Fortunately, the ads were shut down by Meta, the company that owns Facebook, and the domain behind them was blocked earlier this year.
Unfortunately, there are countless other sites like this one on the internet, attempting to deceive or swindle unsuspecting users. And with the help of proxy services, it becomes even more difficult to identify and catch these perpetrators. As Jon Stromer-Galley, a research software engineer at Syracuse's Institute for Democracy, Journalism, and Citizenship, puts it, "It's like giving me the middle finger, but on the internet."
Due to its convenient location and robust privacy laws, Iceland has become an attractive destination for proxy services, despite the intentions of its officials. These laws were initially put in place to protect ordinary users from authoritarian governments, not to provide shelter for criminals and fraudsters. However, this is exactly what has happened.
Neither Withheld for Privacy nor Namecheap have responded to multiple requests for comment. According to Valborg Steingrimsdottir, the head of supervision for Iceland's Data Protection Authority, these companies claim to only hide the identity of the real controllers behind websites. However, this has become a common feature for most internet domains since the European Union passed the General Data Protection Regulation in 2018.
Before this law, anyone seeking to use a domain was required to disclose their contact information, which was then recorded in a publicly searchable database. This was to maintain public trust in websites and ensure they were legitimate. However, with the GDPR's implementation, most registrants now have the option to hide their contact information, making proxy protection a default feature in many cases.
[This article has been trending online recently and has been generated with AI. Your feed is customized.]
[Generative AI is experimental.]
