WHOIS thinks that block (220.127.116.11/20) is owned by DDOS-GUARD CORP, and the listed responsible party is Evgeniy Marchenko, who is one of the two owners of DDoS Guard. The registered address is in Belize.
The other listed physical address is in Ecuador. The only listed email address is email@example.com.
Neustar’s geoip database thinks the IP address is in Belize (and it’s probably just using the WHOIS information for that).
The trail goes cold at 18.104.22.168. That’s clearly a proxy hosted by DDoS Guard and we don’t actually know anything about where the static page is being hosted. I would bet it’s on one of Epik’s servers.
They don’t have a backend built out. They did manage to recover all their data from AWS. A month to get back online screams incompetence (given that they have hosting and their data).
There isn’t great evidence that any of the servers are located in the Russian Federation. There is evidence that their front door is managed by citizens of the Russian Federation. And that that company has a pretty weird/questionable legal registration.
Their DNS provider is a US company, and its front door has an IP address listed as located in London.
Both Epik and DDoS Guard have very checkered reputations and a very ugly list of customers.
I’m betting their backend does wind up in Russia, but right now, Vickery is being way more confident in his claims than I can find public evidence for. And, FWIW, my professional creds are about as good as his. I’m an SRE with a sub-specialty in security engineering. He’s a manager of a security research group. They might have something I haven’t uncovered, and they might be spending more time on it. Or he’s overselling the DDoS Guard Russia connection ¯\_(ツ)_/¯