International Cloud Data Warrants: How Banks and Investigators Fight for Access to Servers in Third Countries

Professor

Professional
Messages
1,288
Reaction score
1,274
Points
113
Introduction: Investigation on the Boundary of Jurisdictions
Modern carding is a crime without borders. The phishing panel operates on a server in the Netherlands, the database is stored in the AWS cloud in Ireland, the organizers communicate via Telegram registered in the British Virgin Islands, and the money is laundered through a crypto exchange in Singapore. The victim is in Moscow. The investigator faces not the technical complexity of the hack, but a legal maze of international jurisdictions. The struggle for access to cloud data turns into a diplomatic and legal duel, where time is of the essence.

Chapter 1: Why Clouds Are the Perfect Refuge and the Main Problem

Reasons for popularity among criminals:
  1. Anonymity and ease of access: Registration for a hosting or cloud service (AWS, DigitalOcean, OVH) often requires only an email address and cryptocurrency.
  2. Geographical dispersal: Data is automatically replicated between data centers in different countries. Even if one server is removed, the information could already have migrated to another jurisdiction.
  3. Ephemerality: Servers can be deployed and destroyed in minutes. Critical data lasts only as long as needed for the operation.
  4. Encryption: Even if a server is physically seized, the data on it is often encrypted and the keys are stored by criminals in another country.

Investigative issue: Sovereignty. Law enforcement agencies in country "A" do not have direct authority to seize data from a server physically located within the territory of country "B." This is a violation of international law.

Chapter 2: The Toolkit: From Diplomatic Notes to Direct Pressure

1. Mutual Legal Assistance Treaty (MLAT):
  • What is it: The primary, most formal, and slowest channel. It's an agreement between countries on mutual assistance in investigations.
  • How it works: An investigator in Russia, through the Prosecutor General's Office, submits a request for legal assistance to the competent authority in the country where the server is located (for example, in the US, the Department of Justice). The request must include a justification, references to the Criminal Code, and a description of the required data.
  • Timeframe: The process takes from 6 months to several years. By the time it completes, the data will have long since been destroyed and the criminals' scheme will have changed.
  • Problems: Bureaucracy, language barrier, different standards of proof (“probable cause” in the US vs. “sufficiency of evidence” in Russia), political complications (sanctions, deterioration of relations).

2. Direct requests to Internet companies:
  • What is it: Some major tech corporations (Meta, Google, Microsoft) have their own procedures for emergency requests from law enforcement, even without an MLAT, in cases involving an immediate threat to life or terrorism.
  • Carding Applicability: Extremely Low. Carding rarely falls under the "emergency threat" category. Companies, fearing privacy breaches, often deny such requests or require a formal MLAT.

3. Evasive maneuvers and technical tricks:
  • "Local" exfiltration through a vulnerability: If a server is used to attack citizens of country "A" and it contains a vulnerability that allows remote data acquisition, this could be exploited in a legal gray area. However, such actions could be considered a hacker attack by country "B" itself.
  • Pressure through partners: A Russian bank that has suffered an attack from a server in the EU may turn to its European partner (correspondent bank) to pressure local authorities or the hosting provider "on behalf of the business."

4. The role of cryptography and blockchain as a “workaround”:
  • Often, investigators, realizing the futility of quickly obtaining data from a server, shift their focus to the financial trail. Analyzing cryptocurrency transfers (cryptoforensics) can lead to real individuals faster than endless MLAT correspondence.

Chapter 3: Case Study: Attack on Bank X via a Server in Amsterdam

  1. Detection: Bank "X" detects a phishing attack leading to the website bank-h[.]com. Analysis shows that the site runs on a virtual server at NL-Hosting.net in Amsterdam.
  2. First step (unsuccessful): Bank X's direct request to NL-Hosting.net. Response: "We comply with the GDPR and Dutch laws. We will only provide data upon official request from law enforcement agencies through MLAT."
  3. Second step (MLAT): Initiation of criminal proceedings in the Russian Federation. Preparation of a request for legal assistance. Translation, notarization, submission to the Russian Prosecutor General's Office, and from there to the Dutch Ministry of Justice. Four months have passed.
  4. The criminals' actions over the past four months: The phishing website was shut down two weeks after its discovery. Logs and databases (stolen logins and passwords) were downloaded and deleted from the server. The server itself was destroyed. The lease was registered under a fake passport and paid for with cryptocurrency.
  5. MLAT Result: Seven months later, a response arrives from the Netherlands: "The server has been examined at your request. At the time of the examination, no user data related to the incident you requested was found on the server. We have attached a copy of the empty logs."
  6. Result: The investigation into this server reached a dead end. Investigators were forced to pursue other leads (for example, analyzing the domain name and the payment chains for the domain and hosting, which led to a crypto exchange in Panama and a new round of international inquiries).

Chapter 4: New Tools and Trends: Cloud Act and Its Analogues

The US CLOUD Act (2018) was a watershed moment, setting a precedent that other countries are trying to emulate.
  • The gist: The CLOUD Act gives US law enforcement the right to demand data from US IT companies (Microsoft, Google, Amazon) regardless of the country in which the data is physically stored. Conversely, it allows "allied" countries to send similar requests directly to those companies, bypassing the US government.
  • Meaning: This is an attempt to "denationalize" data and tie jurisdiction to the place where the company is registered, rather than where the servers are stored.
  • Implications for carding: If a phishing website operates on AWS and the victims' data is stored in an S3 bucket in Dublin, a US court can compel Amazon to provide this data upon request from the FBI. This expedites the process for cases involving US companies.
  • Russia's response is the "Sovereign Internet Act" and data localization requirements: Russia, China, and other countries are retaliating by tightening requirements for storing their citizens' data on their territory, exempting it from laws like the CLOUD Act. This creates new "digital fortresses" that criminals can exploit by locating infrastructure in countries that don't cooperate with their victims.

Chapter 5: Bank and Private Investigator Tactics

Understanding the cumbersome nature of government MLAT procedures, banks and private cybersecurity companies (Group-IB, Positive Technologies) have developed their own tactics:
  1. Forensic Preservation: Upon detecting an attack, they immediately and independently (using technical means) capture all possible evidence: they take screenshots, save the source code of the phishing page, cache DNS records, and record SSL certificates. This data, collected "from the outside," already constitutes evidence, requiring no request to the hosting provider.
  2. Pressure through reputation and TOS: Private experts send large numbers of complaints to hosting providers and domain registrars for violations of their Terms of Service (TOS). Selling hosting for phishing purposes is a TOS violation. This can lead to a quick blocking of the resource while the slow MLAT process is underway.
  3. Global monitoring and proactive warning: Creation of malicious infrastructure databases (IP addresses, domains, SSL fingerprints). When a new blacklisted server is detected, potential victims and partners can be quickly notified.
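The "outside-in" capture in item 1 only holds up later if its integrity can be demonstrated. Below is an added example (not code from the post or from any of the firms named) that hashes the captured page source, normalised DNS answers and TLS certificate into a timestamped manifest and re-verifies them; the function names are assumed, and the page, DNS answers and certificate bytes are constructed sample data.

```python
"""Outside-in evidence bundle for a suspected phishing host (added example,
not code from the post). Assumed names: build_manifest, verify_manifest,
canonical_dns, cert_fingerprint. Sample data below is constructed."""
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_dns(records) -> bytes:
    """Normalise (name, type, value) answers so resolver ordering and case do not change the hash."""
    rows = sorted({(n.lower().rstrip("."), t.upper(), v) for n, t, v in records})
    return json.dumps(rows, separators=(",", ":")).encode()

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated as browsers display it."""
    h = sha256_hex(der).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def build_manifest(target: str, artifacts: dict, collected_at=None) -> dict:
    """Per-artifact hashes plus a hash over the whole manifest (timestamp included)."""
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    items = {name: {"sha256": sha256_hex(data), "size": len(data)}
             for name, data in sorted(artifacts.items())}
    body = {"target": target, "collected_at": ts, "items": items}
    body["manifest_sha256"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body

def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Names of artifacts that are missing or altered; '<manifest>' if the manifest itself was edited."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    problems = []
    if sha256_hex(json.dumps(body, sort_keys=True).encode()) != manifest["manifest_sha256"]:
        problems.append("<manifest>")
    for name, meta in manifest["items"].items():
        data = artifacts.get(name)
        if data is None or sha256_hex(data) != meta["sha256"]:
            problems.append(name)
    return problems

# Constructed sample capture for the bank-h[.]com case in the post.
SAMPLE_PAGE = b"<html><form action='/login'>Enter your card number</form></html>"
SAMPLE_DNS = [("bank-h.com", "A", "203.0.113.10"), ("bank-h.com", "ns", "ns1.hosting.example")]
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"\x00" * 16  # placeholder bytes, not a real certificate
SAMPLE_ARTIFACTS = {"page.html": SAMPLE_PAGE, "dns.json": canonical_dns(SAMPLE_DNS),
                    "cert.der": SAMPLE_CERT_DER}

if __name__ == "__main__":
    m = build_manifest("bank-h.com", SAMPLE_ARTIFACTS)
    print(json.dumps(m, indent=2), "problems:", verify_manifest(m, SAMPLE_ARTIFACTS))
```

Store the manifest separately from the artifacts (or sign it) so a later edit to either side shows up as a verification failure.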

Conclusion: A never-ending game of cat and mouse in the legal field.
The battle for cloud data in carding investigations is a clear illustration of how technology has outpaced the law. Criminals are quickly exploiting gaps in jurisdictions, and the international legal aid system hasn't kept up with the speed of the digital world.

A new reality is emerging, where the success of an investigation depends not only on the skill of the investigator, but also on:
  • Reaction speed and the ability to collect evidence before it is destroyed.
  • The existence of new types of international agreements (such as the CLOUD Act) and the political will of countries to cooperate.
  • Public-private partnerships, where banks and cyber firms become the "first responders," and government agencies are involved in sanctions and detentions.

Until the international community develops unified, fast, and effective mechanisms for cross-border access to digital evidence, cloud servers in "third countries" will remain safe havens for digital pirates. This legal arms race is one of the key fronts in the war against cybercrime.