On the morning of 12 August 2017, a state of emergency was declared in the small town of Charlottesville, US. A Neo-Nazi march had spun out of control.
At 1.41 pm, a young right-wing extremist, James Alex Fields Jr., turned his grey Dodge Challenger towards a group of counter-protesters and began accelerating. 32-year-old woman died as she was crossing the road.
The following day, a known Neo-Nazi website Daily Stormer reported on the event. “Woman killed in road rage incident was a fat, childless 32-year-old slut”, read the title.
In one word, the Daily Stormer is a horrendous website.
It is a right-wing extremist website that promotes white supremacy and Neo-Nazi ideology where slanderous news titles on Jews and Islam are common, and misogyny runs wild. The site displays a counter depicting the declining number of white people in the US. A banner is asking for bitcoin donations for the site.
Their titles look something like this:
”Tennessee: Big news on how a black person kidnapped and murdered a rich white woman.
”Reading lists at private schools for the New York elite are 100% trannies, fags, abortions and so on.
”😔😔😔😔😔 All women are whores: Gisele has left Tom Brady 😔😔😔😔😔
The Daily Stormer was founded by the US Andrew Anglin in 2014. The website became a successor to his previous blog, Total Fascism.
The site adopted a style with visuals to woo young people, outrageous humour, memes and blatantly provocative titles. Anglin’s rise as a central Neo-Nazi figure has been documented by, for example, The Atlantic.
Anglin has also used his website for online targeting as well as harassment campaigns on the Internet. In 2019, Anglin was ordered to pay $14 million in damages to a Jewish woman for orchestrating a trolling campaign against her.
The site has also been linked to violent attacks against black people and even to mass murders. Dylann Roof, who murdered nine people in Charleston in 2015, actively left comments on the website. The perpetrator of the mass shooting in Buffalo last spring also cited the Daily Stormer as an inspiration.
Another known US-based ‘Internet cesspool’ is the Internet forum 8kun, formerly known as 8chan. It is owned by a website entrepreneur Jim Watkins.
It is also a meeting place for the far-right, Neo-Nazis and QAnon conspiracy theorists who spread racism, Nazism, misogyny, child pornography and violent fantasies in the name of the ‘freedom of speech’.
8chan was the place where the planning began for the attack on the US Capitol building in the early 2021. The forums discussed which politicians should be killed once the Capitol was successfully invaded.
8kun has been linked to the mass murder in 2019 at a Walmart in Texas El Paso and the Christchurch mass shooting that claimed the lives of 50 people.
The question is who is helping these sites stay online.
The Internet would not exist without invisible technology companies. Companies that host web addresses and server rooms, transmit Internet traffic and handle data security.
After the Unite the Right rally in Charlottesville, most of the large Internet companies had had enough of the Daily Stormer.
The first to stop hosting the site was GoDaddy, one of the largest website hosting companies in the world. In 2017, many other technology companies from Google to NameCheap and Cloudflare followed in its footsteps.
The hate site was successfully silenced. But only for a moment.
”The small company has become the lifeline of the most important US right-wing extremist and conspiracy websites.
The dark corners of the Internet house companies that have no trouble overlooking even the most appalling content.
On the final stretch of the US presidential elections in 2020, some of the popular right-wing extremist websites and forums suddenly crashed. Conspiracy theorists believed that this had been orchestrated by the Democrats and heralded the coming of the apocalypse.
But it was no conspiracy. It was a small technical glitch with the Internet service provider VanwaTech.
The right-wing extremist websites were resurrected when the owner of the company, 23-year-old Nick Lim, woke up from a nap at his mother’s home. The sites recovered once Lim reset the servers. The Bloomberg Businessweek reported on the event last year.
Lim founded VanwaTech in late 2019. The company’s best-known customers include the notorious 8kun and the Daily Stormer.
The small company has become the lifeline of the most important US right-wing extremist and conspiracy websites.
VanwaTech made international headlines when it took the right-wing extremist hate forum, Kiwi Farms, under its wing. Kiwi Farms is known for inciting harassment campaigns especially against transgender and lbqt people.
For example, the data security giant Cloudflare stated that Kiwi Farms is causing an “immediate threat to human life”.
Lim took in the Daily Stormer trash site as early as 2017. At the time, he was a start-up entrepreneur in his twenties who saw this as a chance to be in the limelight.
Lim has described himself as “an entrepreneur with a maximalist view of free speech”, but he says he is not an extremist.
“There needs to be a me, right?”, he said to the Bloomberg Businessweek. “Once you get to the point where you look at whether content is safe or unsafe, as soon as you do that, you’ve opened a can of worms.”
Pitäjänmäki is a district located in the westernmost district of Helsinki. it is home to more jobs than people.
At Hiomotie street, one office building’s windows have been covered with plywood sheets. A corner of the exterior wall is coated with air conditioners.
The building’s door reads “Oy Crea Nova Hosting Solutions”.
It is a familiar address to the Finnish National Bureau of Investigation (NBI). HS Visio found out that the NBI has visited Crea Nova’s office several times in recent years.
The visits have usually concerned the company’s clients’ Internet content that has prompted information requests from foreign officials.
In July 2022, Crea Nova acquired a particularly famous client. Nick Lim’s VanwaTech, the company known for supporting Neo-Nazi sites, wanted to rent a server at Pitäjänmäki.
HS Visio was informed of the Finnish company’s role when a US information technology expert, Ron Guilmette, contacted the publication. Guilmette has spent nearly a decade voluntarily hunting down the scammers and spammers of the Internet.
A couple of years back, Guilmette set his sight on the hate sites 8kun and the Daily Stormer.
”For some time now, I’ve been working to ensure that these racist, antisemitic Neo-Nazi websites are completely disconnected from the Internet. It’s easier said than done,” Guilmette details in his emails to HS Visio.
His research into far-right websites has been reported on by the British Guardian newspaper and the news agencies Bloomberg and AP. Media attention has generated public pressure, and many service providers have cut contact with VanwaTech.
Tracking trash sites’ footprints on the Internet is no easy task.
It is an world of technical terms such as reverse proxy server, routing protocol and AS number. These terms relate to Internet infrastructure that is usually of little concern to a typical Internet user.
This complicated tangle of strings leads to server rooms operating in various countries and interconnected Internet companies.
”Crea Nova also has close connections with Russia.
One particular string led Guilmette to Finland. Helsinki has been one of the places from which Neo-Nazi websites have been kept alive.
Crea Nova is one of many companies around the world that VanwaTech, run by Nick Lim, has used to transfer questionable content to the Internet.
Far-right websites often point to Russia. This was the case now as well.
Most of VanwaTech’s recent service providers have been based in Russia or China. Nick Lim’s company was protected against denial-of-service-attacks (DDoS) by the Russian owned DDoS-Guard up until January 2021. The same company protected the pro-Trump social media website Parler when Amazon suspended it from its server hosting service.
This autumn, the Russian company also welcomed the notorious Kiwi Farms to its fold. Its other clients include the Russian Federal Security Service (FSB) and the Russian Ministry of Defence.
Why do Russian companies in particular want to protect websites that disturb the Western social order? This was a question asked by the Foreign Policy magazine in January 2021.
Andrew Anglin, the Daily Stormer’s founder, responded on his website: “There is no internet company that will support your freedom of speech if the media says you shouldn’t have freedom of speech that is not either Chinese or Russian.”
Russia and China are authoritarian countries that control Internet content published within their borders vehemently. Simultaneously, they offer a safe harbour for Western far-right websites and websites that view governments with distrust.
The Daily Stormer, 8kun and Kiwi Farms domain names were registered by Eranet International Limited based in Hong Kong. The company has received approval from the Chinese administrative authority on domain name registrations.
If the domain names were registered by a Western company, officials would have an easier time to intervene in the activities on those sites. Regular methods cannot be used in China or Russia.
A random sampling reveals that the company offers services to, for example, a Russian modelling agency, an osteopathic company, a travel agency in St Petersburg and a hydraulic pump vendor in St Petersburg. All in all, regular business activities.
However, some of the clientele exhibit more questionable activities, states Joni Hauhia, a Senior Cybersecurity Consultant at cybersecurity company Nixu.
HS Visio consulted Nixu on what kind of a picture data security reports and listings paint of Crea Nova.
The findings concluded that IP addresses hosted by Crea Nova have been involved with botnets, phishing attacks, mass mailing of spam emails, hacking attempts and other malicious traffic. Many reports classify the company’s IP addresses as high-risk addresses.
“It does not seem like a trustworthy or a reputable service provider,” Hauhia concludes based on the reports.
Crea Nova has a web platform portal where anyone can create an account and set up a service. Strong identification is not necessary, and they accept both regular payments and cryptocurrencies.
Hauhia says that this is unusual in Finland.
Being able to use cryptocurrencies anonymously would, in theory, enable people to buy services for criminal purposes as well. Or to circumvent sanctions in this current situation where making international payments between Finland and Russia is harder than usual.
Jorma Mellin, a Business Unit Director at SSH Finland, arrives at a similar conclusion.
“Crea Nova’s customer profile seems a little risky. When you combine that with easy online shopping and anonymous payments, you need an extraordinarily strict data security policy if your goal is to keep up a good corporate image,” says Mellin.
Nikolai Viskari responds to our call on Thursday 8th September.
Content from American Neo-Nazi websites have been allowed to flow freely through Finland to the Internet for two months.
“VanwaTech has been our customer since July,” Nikolai Viskari readily admits.
He seems surprised and a little shaken. However, he responds to questions rather openly.
Viskari denies being familiar with the websites 8kun, Daily Stormer or Kiwi Farms. “The names do not ring a bell.”
He recounts that VanwaTech rented a server from Crea Nova in the summer. Viskari himself installed the server’s operating system. Thus, Crea Nova provides the American company with a device and an Internet connection.
“We don’t know what happens inside the server. I am unaware of our client’s activities,” says Viskari.
The client has registered under the name Nicholas Lim. According to Viskari, the client has its own AS number and IP address network and as such, any complaints about the content go to the client.
””I will never support racism. This has nothing to do with my personal views.”
He states that Crea Nova has not received complaints about suspicious content.
However, this is not true. The American activist Guilmette claims to have sent an email to Viskari at the start of August. HS Visio has seen the email and the response from Viskari. In his email, Guilmette warns Viskari of the websites’ contents.
Viskari finds the emails during the phone interview. He states that he forwarded the complaint to VanwaTech’s Nick Lim.
“We have thousands of clients, so monitoring all of them is impossible. We have passed on the complaint, and I was under the impression that the issue has been handled,” Viskari says.
He states a number of times that the company reacts quickly to any complaints from the police if a client’s content is deemed illegal.
“It’s a matter of whether or not the Finnish law has been broken. If the client has done nothing against the law, we will not act. We can turn off their server, but I would rather act on an official’s request to do so.”
Do you yourself have any political or ideological reasons to support keeping this kind of content on the Internet?
“I do not support racism or anything like that. I will never support racism. This has nothing to do with my personal views. I am an entrepreneur and they are our clients,” says Viskari.
A Dutch data centre is also involved in this tangled web.
At the start of August, Ron Guilmette observed that the Finnish Crea Nova was one of the five companies that transmitted traffic for VanwaTech. However, as Guilmette contacted these companies, the routing seemed to change.
Traffic from Neo-Nazi sites began to pass through the data centre of a Dutch company called Serverius. This network traffic branch has been investigated by journalists at the Dutch NRC newspaper in co-operation with Helsingin Sanomat.
Serverius is one of the largest server providers in the Netherlands. One of its clients has a notorious Russian Internet company called Vdsina (under the name Hosting Technology Limited) as a client.
These kinds of long and shady routing chains are common with trash sites. And they are hard to keep track of.
Nick Lim admitted to an NCR journalist in an email that they use a Dutch data centre but did not offer further comments.
The sudden turn in Neo-Nazi sites’ Internet traffic was no coincidence. Guilmette believes that the real origin of the traffic has been obscured by using a so-called reverse proxy. This proxy was located in the Netherlands.
Simply put, the company owned by Nick Lim has attempted to offer web services for their notorious clients wherever possible. This has been enabled by the industry’s loose practices in knowing its clients and monitoring content as well as a limited understanding of service providers’ responsibility.
In addition to Crea Nova and the Dutch data centre, this complicated arrangement has involved Russian operators and, for example, a Lithuanian Internet service provider.
While the routes can be obscured, they always leave traces on the Internet. By following these traces, experts were able to identify a link between Nick Lim and the Finnish company.
HS Visio also requested the Business Unit Director, Jorma Melllin, to examine the connection between Crea Nova and VanwaTech. At SSH, Mellin is responsible for critical networks’ security solutions, and he held the Chairman’s position at the Finnish internet exchange point association Ficix for a long period of time.
“The client has most likely used their Finnish server to establish a VPN connection through the Dutch data centre to the VanwaTech network,” Mellin reckons.
A VPN connection hides the user’s location.
Interestingly, the Dutch proxy server was at times completely down.
The journalists at the Dutch NRC newspaper were able to verify that, at the start of September, 8kun’s traffic was in fact routed through Crea Nova to VanwaTech.
Public sources also revealed that just last week, Crea Nova was one of the four Internet companies that routed traffic with VanwaTech.
One thing in particular makes the connection between Crea Nova and VanwaTech appear suspicious.
The network routing for Daily Stormer and 8kun has constantly changed to go through different companies. That is not normal, says Mellin. He lists two possible explanations for this: a fault situation or concealing traffic.
“Network traffic is directed through different operators and server rooms on purpose to circumvent potential blockages and to minimise traces from traffic,” Mellin notes.
Could the Finnish company have been unaware of their client’s true nature?
Mellin states that this is a possibility, especially since clients can purchase server capacity on Crea Nova’s website anonymously.
Transferring traffic by itself is not criminal in any sense, and there are no laws that require filtering traffic, Mellin points out.
After repeated investigations into the suspicious contents of Crea Nova’s clients, the NBI became interested in the company’s activities as well.
In May 2020, the police began a financial investigation of Crea Nova.
In March 2022, the investigation proceeded to the District Court. Nikolai Viskari was charged with aggravated tax fraud and accessory to aggravated debtor’s fraud as well as aggravated account offence. His Estonian business partner stands accused as well.
The date of hearing is yet to be decided. Currently, we are just talking about charges, and the materials of the preliminary investigation have not been released to the public. The NBI’s officer in charge of the investigation and the prosecutor refused to comment on the case.
HS Visio has also interviewed sources who know the company closely and gone through documents pertaining to the company.
The financial investigation revealed some video files classified as illegal on Crea Nova’s computer.
In this case, the District Court of Helsinki issued its ruling in July 2022 for the possession of an indecent image depicting a minor.
The defence claims that the company management was unaware of this child sexual abuse material (CSAM) material and how it had ended up on the computer.
The documents of the Helsinki District Court reveal that different countries’ officials, for example, Germany and France, had sent notifications and complaints about Crea Nova’s clients’ contents hosted on Crea Nova’s servers.
Several complaints and requests for inspection regarding different clients had been received in a single week. Some involved pornographic material, viruses and other kinds of malicious content.
In this kind of situation, an official may have sent a link about the content in question, and the company then checked its contents. The defence claims that CSAM material may have ended up on the computer during this type of procedure.
Viskari states that Crea Nova has only had a few clients whose contents have generated complaints over the years. One of them is a Swiss video service where users can upload content.
“Do you think that Youtube never receives complaints? In this case, the client had rented two servers from us, and they lacked an adequate premoderation procedure for the videos their customers uploaded,” Viskari comments.
According to Viskari, the company reacts to reports on malicious traffic quickly and, for instance, accounts involved with sending spam are closed swiftly.
””I always offer coffee to the NBI.”
He says that he terminates a client relationship due to issues as often as two to five times a month.
“You are wrong if you think that no other data centre has to deal with this. We all deal with the same problems,” Viskari notes.
He states that most of the issues concern their Chinese or US-based customers – not Russians.
How often has the NBI or the police contacted Crea Nova’s clients in the past few years?
“Two to three times this August, for example. Usually, when the NBI or the Finnish Security Intelligence Service (Supo) comes over, one of their officers hands us a note, we dig up our client’s information and let them in the server room. I always offer coffee to the NBI.”
The NBI refuses to comment on individual cases, but the Detective Chief Inspector, Roope Lehto, who is in charge of international exchange of information, shares some general information about the kind of requests they receive from outside the country.
According to Lehto, they received 61 legal requests on cybercrime last year for example. A typical case involves investigating an online scam.
How typical is it to enter a data centre and take their servers, as has happened with Crea Nova?
“It’s not completely unusual. However, it’s not a daily occurrence,” Lehto comments.
Actions depend on the case.
In 2019, Crea Nova made the headlines of IT magazines around the world when one of its client’s servers got hacked. According to a popular VPN service provider, NordVPN, the fault lay with the Finnish data centre that had installed a poorly protected remote desktop application on the server. At the time, Viskari denied Crea Nova’s responsibility.
After a day has passed since our interview, Nikolai Viskari calls us back.
“I’ve closed the [VanwaTech’s] server, it’s over now.”
At the same time, a different scenario is playing out in the Netherlands.
The journalists at the NRC have been in contact with the Dutch data centre and the Russian Vdsina company. Vdsina has stated that it is ending its client relationship with VanwaTech.
With the absence of the Dutch proxy server, it seemed that the traffic was passing again through the Finnish company once again. This alarmed Viskari.
“Yesterday, the site was somewhere else and now it has been transferred to us yet again. As soon as I noticed that, I unplugged the server.”
He sounds relieved.
“This time, we did not receive a request from an official, but as soon as I found out about what was going on, I felt that it was better to have them move elsewhere with their business.”
On Monday 12 September, we meet up with Nikolai Viskari in Pitäjänmäki. Viskari opens the door to the office. At our request, he carries the shut-down server to the door for the HS photographer.
VanwaTech is now demanding the Finnish company to pay them back a little over thousand euros, Viskari says.
“Nick Lim contacted us to ask why we closed down the server.”
You have to go the Internet to see what’s going on on the far-right websites. Both the Daily Stormer and the 8kun forums have crashed. The browser gives an error message “This site can’t be reached”.
American news sites have also noticed that the Neo-Nazi websites have suddenly collapsed. “QAnon’s Jim Watkins Tried to Save Kiwi Farms. Now His Site 8kun is Down,” says the title of a news story in Vice magazine, which speculates that this was caused by a DDoS attack.
They have no idea that a single plug was pulled out at Pitäjänmäki.