Anonymous, AnonOps and Heihachi
Written by J.C. Denton   
Tuesday, 21 December 2010
Things have recently changed in an unexpected way, just when people thought they had realized that "Anonymous" is a loosely formed movement, often falsely seen as a hacker group, and may not be what it pretends to be.
 
In a useful and forthright manner, reporters on slashdot.org have repeatedly stated that they have no idea who is behind the so-called "Anonymous". Thus, for quite some time, governments and the feds gave credence to the myth that the Web is under threat from unruly teenagers, maybe even a semi-terroristic organization. All that changed on the 18th of December, when Anonymous apparently and suddenly attacked The Spamhaus Project as a result of a press release. In the release, Spamhaus basically warned the public not to connect to fake Wikileaks servers, especially wikileaks.info and wikileaks.org, the latter being the former main Wikileaks website.

Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a third-party mirror site, mirror.wikileaks.info. This new website is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals. Spamhaus further stated that the Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat": a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities. These include routing traffic for Russian cybercriminals who use malware to infect the computers of thousands of Russian citizens. Spamhaus also notes that the DNS for wikileaks.info is controlled by Webalta's even more blackhat webhosting reseller "heihachi.net", as evidenced by the DNS records for the domain. Spamhaus finally finds some very clear words: the site data, disks, connections and visitor traffic are all under the control of the "Heihachi" cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and the bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.
 
Thus some things can be assumed by now: someone has control over wikileaks.info and wikileaks.org who is not the one in charge of wikileaks.ch, which is meant to be the new official website. Most likely these people are now retaliating by using their botnets to DDoS Spamhaus under the flag of Anonymous, which then was (falsely) imagined to become "AnonOps". Some of the people who call themselves Anonymous may also be participating in the DDoS against Spamhaus; this, however, is unclear at present. It can further be assumed that wikileaks.ch is the real website, since Spamhaus has not yet issued a warning about it. Also, Simonet Denis, a member of the Pirate Party of Switzerland, recently registered wikileaks.ch (four A records, one IP is 46.59.1.2). Unfortunately, the "real" Wikileaks website does not use trusted SSL certificates. Meanwhile, someone on Slashdot apologized for the SSL issue and mentioned that the "official" Wikileaks people have not yet identified a signing authority that they feel confident with. The same person also said that he cannot speak for any of the Wikileaks-specific issues, such as document submission or the status of the wikileaks.org website.
 
It now seems that Anonymous performed the attack on Spamhaus, that it must be considered a false flag operation, and that these bad guys should be called "AnonOps" and treated as such. However, this is not correct! From that point of view it is also quite unlikely that the attackers are a bunch of young hackers with no idea what they are doing, and so it is also probable that the recent Amazon DDoS plan was simply a red herring. Moreover, we have to understand that there is a problem with organizations like Anonymous, AnonOps and especially Heihachi, which have no inherent structure or visible chain of command -- they can hardly be distinguished and thus hardly be opposed. This leaves us with one question: "How can we effectively protect ourselves in the first place and then fight this threat?" The Spamhaus people stated something on their website very clearly: "It now appears far more likely that the DDoS was the work of people running, or hosting at, the Heihachi cybercrime group. Possibly they were angered by the attention this article brought to their dirty section of the internet." -- This should make us aware of what the real danger to the public is if they go that far to achieve their aim.

Last Updated ( Wednesday, 14 December 2011 )
 