- What: Analysis of administrative activity in a bulletproof hoster
- Impact: Highlights potential abuse of provider access
Research Progress Observations on Threat Intelligence
Max van der Horst
Apr 29, 2026

Summary: This post analyzes administrative activity in the leaked Media Land dataset and shows that provider-level behaviour is concentrated, shared across administrators, and embedded in the same access layer as customer operations. These interactions disproportionately target high-capacity accounts linked to ransomware infrastructure and persist over time. In addition, administrator-linked SSH key material is present on live systems in that environment. While this does not establish intent, it shows how provider access and abuse infrastructure can become intertwined in practice.

Two posts ago, I decided to go through the leaked internal database of the Media Land bulletproof hoster to reconstruct and understand its internal structure. That analysis focused on customer-side resource allocation: which accounts received infrastructure, how address space moved through the platform, and which users overlapped with IP addresses mentioned in the Black Basta leak. This post continues from the same dataset, but looks at a different layer of the platform. Instead of asking which customers were assigned abuse-linked infrastructure, I figured it was worth investigating how Media Land’s own administrative accounts interacted with that infrastructure, and whether provider-level access artifacts can still be observed on systems linked to the same operational ecosystem.

The previous post established several findings that this analysis builds on directly. Cross-referencing Media Land’s internal IP assignment history with indicators from the Black Basta leak identified 74 customer accounts whose assigned infrastructure overlapped with Black Basta activity between September 2023 and September 2024.
One account dominated that overlap: a user registered under the name “Mr Reseller” (Мистер Ресселер), identified through password reuse across two accounts, who managed 1902 unique IP assignments and had 207 Black Basta-linked IPs in that period. That account also showed patterns consistent with reseller behaviour: high subscription volume, high IP churn, and significant cryptocurrency payments. SSH key analysis additionally showed that several clusters of accounts shared key material, and that these keys could in principle be scanned for on live systems.

Those findings form the customer-side baseline. This post examines what the administrative layer was doing with the same infrastructure.

That distinction between customer-side allocation and provider-level access matters. A hosting provider’s default relationship with customer infrastructure is structurally passive: provision the resource, maintain uptime, step back. That passive framing becomes harder to sustain when the provider’s behaviour is instead structurally active, meaning sustained and concentrated engagement with specific high-risk accounts across multiple administrators. Of course, this does not by itself prove intent or direct operation, but it does show that the separation between customer infrastructure and provider access was not clean. The underlying question is what evidence of provider control looks like at the infrastructure level, and the analysis that follows treats it as an empirical one.

Under Article 6 of the European Digital Services Act, hosting providers have a liability exemption for whatever happens on their infrastructure unless they have actual knowledge or awareness of illegal activity or content, fail to act expeditiously to remove or disable access to it once they do, or the user is acting under the authority or control of the provider. This last condition is important, as it directly relates to whether provider involvement goes beyond passive hosting and into forms of control.
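As an added illustration of the key-clustering and live-system check referenced above (example code written for this edit, not the author's own analysis tooling): it computes OpenSSH-style SHA256 fingerprints of public keys, groups accounts that share key material, and checks a host's authorized_keys content against those fingerprints. The account records, key seeds and authorized_keys content are constructed; nothing below comes from the leaked dataset.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def make_ed25519_pubkey(seed: bytes) -> str:
    # Constructed test key: a syntactically valid ssh-ed25519 blob around a fake 32-byte point.
    point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(line: str):
    # OpenSSH-style "SHA256:<base64, no padding>" over the decoded key blob,
    # as printed by ssh-keygen -lf; tolerates authorized_keys option prefixes and comments.
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-")):
            digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None  # no public key on this line

def shared_key_clusters(account_keys):
    # Group accounts by key fingerprint and keep only keys that more than one account uses.
    by_fp = defaultdict(set)
    for account, key in account_keys:
        by_fp[fingerprint(key)].add(account)
    return {fp: sorted(accts) for fp, accts in by_fp.items() if len(accts) > 1}

def match_authorized_keys(text: str, watch_fps):
    # Scan an authorized_keys file for fingerprints on the watch list; returns (line_no, fp) hits.
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fp = None if line.lstrip().startswith("#") else fingerprint(line)
        if fp in watch_fps:
            hits.append((n, fp))
    return hits

# Constructed sample records (hypothetical account names); not data from the leak.
SHARED = make_ed25519_pubkey(b"constructed-shared-key")
ACCOUNT_KEYS = [
    ("acct_101", SHARED),
    ("acct_245", make_ed25519_pubkey(b"constructed-key-245")),
    ("acct_377", SHARED),
    ("admin_07", SHARED),
]
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys from a scanned host",
    make_ed25519_pubkey(b"constructed-unrelated") + " ops@host",
    "no-pty " + SHARED,  # the clustered key, installed with an option prefix
])
```

On real data the watch list would be the fingerprints of the clustered keys, and the same `match_authorized_keys` call can be run over each host's authorized_keys files to find where that key material is installed.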
Administrative Data and Observability

As discussed in the previous post, the Media Land leak includes not only customer-side records, but also a limited set of administrative artifacts. These consist of administrator accounts, their assigned roles, and authentication logs capturing timestamps, source IPs, and client fingerprints. While incomplete, this data provides a direct view into how the platform was accessed and operated from the provider side.

Unlike customer data, which reflects how infrastructure is allocated and used, these records capture who has control over that infrastructure and how that control is exercised. On their own, they do not reveal specific actions or intent, but they establish the identities and access patterns of the administrative layer.

This distinction matters for the analysis that follows. The same identifiers, IP addresses, and access patterns observed here reappear elsewhere in the dataset, and in some cases outside the platform entirely. Before linking those layers, it is necessary to establish which administrative identities exist and how they appear in the data.

The table below lists the administrative accounts observed in the leak. These accounts form the control surfac...