A group of websites posing as local media outlets in Luxembourg, Poland and Ukraine publishes fake stories, reputational attacks and recycled “dossiers” targeting businessmen and public figures from Eastern Europe. Responses from Cloudflare Trust & Safety, reviewed by our newsroom, point to the same hosting provider behind a number of these domains: Private Layer INC.







At first glance, these websites appear to have nothing in common.
One calls itself Luxembourg Herald, promising “fresh news from the heart of the Grand Duchy of Luxembourg.” Another — Warsaw Point — presents itself as an English-language outlet covering “life in the Polish capital and beyond.” Others mimic Ukrainian local or regional news organizations, including Navarti, Obriy, Uzhgorodka, Posmotrim, and RKM.
Different names. Different countries. Different purported audiences.
But responses from Cloudflare Trust & Safety tell a different story. For an entire cluster of these domains, Cloudflare identifies the same hosting provider — Private Layer INC, with the abuse contact listed as [email protected].
The domains identified include 15 websites: luxherald.com, warsawpoint.com, navarti.in.ua, obriy.news, uzhgorodka.uz.ua, posmotrim.com.ua, rkm.kiev.ua, rp.rv.ua, nabludatel.od.ua, penza.press, sokalinfo.com, birsk.org, w-n.com.ua, ossetia.tv, and trinitybugle.com. In every case, Cloudflare stated that the complaint had been forwarded to both the website owner and the relevant hosting provider. The host identified by Cloudflare was always the same: Private Layer.
Cloudflare’s findings do not, by themselves, prove that all of these websites are controlled by the same owner. They do, however, share one defining characteristic: they are not genuine media outlets but imitations of media. Opaque “newsrooms” with fictitious authors, no physical addresses—or, in some cases, even editorial email contacts—recurring targets of publication with little connection to legitimate journalism, and a documented history of publishing false or misleading stories.
Taken together, these findings raise a far more significant question: is Private Layer merely a passive hosting provider, or has it effectively become the infrastructure backbone for a network built around reputational attacks and digital extortion?
Infrastructure Behind the Masks
According to its website, Private Layer presents itself as a provider of secure hosting services operating under Swiss jurisdiction. The company advertises its own AS51852 network, dedicated servers, VPS infrastructure, and multiple payment options, including cryptocurrency.
Privacy-focused hosting is not unlawful in itself. Journalists, human rights advocates, businesses and civil society organizations may all have legitimate reasons to seek secure hosting infrastructure.
In this case, however, the same infrastructure repeatedly appears behind websites that do not behave like legitimate news outlets. Their pattern is markedly different: they publish aggressive “investigations,” sensational allegations and recurring narratives involving Russian money, gambling, offshore structures, corruption, sanctions, criminal networks and alleged “ties to the Kremlin.» Their apparent function is often not to inform a local audience, but to flood Google search results with negative content associated with a specific individual’s name.
That is precisely why the role of the hosting provider becomes central to this story.
Formally, a hosting provider is not a newsroom and is not responsible for every word published by its customers. But this is not a story about a single rogue website or an isolated complaint. The responses from Cloudflare show that complaints concerning multiple domains with strikingly similar content patterns were consistently forwarded to the same hosting provider — Private Layer. That raises a broader question: why did infrastructure provided by Private Layer remain, for years, a safe haven for websites exhibiting hallmarks of fake news, reputational extortion and coordinated SEO attacks?
Luxembourg Herald: A Long-Running Fake News Brand That Is Still Active
One of the most revealing nodes in this network is Luxembourg Herald.
The website presents itself as a Luxembourg-based news outlet. Its homepage features the standard sections one would expect from a mainstream publication — Finance, World, Politics, Opinion, Life & Arts, and Health. Yet its flagship stories bear little resemblance to local journalism in Luxembourg. Among its prominent publications are articles targeting Andriy Verevskyi, the owner of the Ukrainian agribusiness company Kernel; Latvian lawyer Juris Vanags; Ukrainian energy businessman Oleksandr Katsuba; and a number of other figures who are strikingly unusual subjects for what claims to be a Luxembourg news outlet.
It appears absurd—but hardly accidental. In reputational warfare, Luxembourg is a powerful label: Europe, finance, the rule of law and credibility. A story published under the Luxembourg Herald brand can later be cited, without close scrutiny of its origin, as an ostensibly independent European publication.
But Luxembourg Herald also has a history—and it is a revealing one.
In November 2017, Krym.Realii / Radio Free Europe/Radio Liberty debunked a Luxembourg Herald article claiming that Ukrainian lawyer Andriy Dovbenko had been abducted by unidentified men in uniform. The website alleged that Dovbenko had been kidnapped. Radio Free Europe/Radio Liberty contacted Dasha Zarivna, whom Luxembourg Herald had identified as both its source and Dovbenko’s wife. She rejected the story, stating that she was no longer editor-in-chief of L’Officiel and had long since ceased to be Dovbenko’s wife. Dovbenko himself confirmed that he was safe and described the publication as “a bizarre fake.”
A week earlier, Luxembourg Herald had published another story alleging that Maryna Poroshenko, the wife of then-President of Ukraine Petro Poroshenko, was involved in the theft of humanitarian funds intended for children with disabilities.
That false story later became the original source for a broader disinformation campaign by Russian media targeting Petro Poroshenko, with Russian outlets subsequently amplifying the allegations.
In 2026, Luxembourg Herald resurfaced in the international spotlight following an attack on former NATO Deputy Secretary General Mircea Geoană. Responding to the allegations, Geoană described the Luxembourg Herald article as “obviously fake” and referred to the outlet itself as “a phantom website” specializing in fake news.
In other words, Luxembourg Herald is not merely another suspicious website. It is a brand with a documented history of publishing fake news. And it remains active to this day.
Warsaw Point: A Polish Facade with a Post-Soviet Target List
The second key website in the network is Warsaw Point.
Its branding suggests a local English-language news portal focused on Poland. The website features sections such as News, Politics, Economics, Persons, and Culture. However, the Persons section reveals a very different purpose. Alongside neutral biographical profiles and filler content, it contains a series of aggressive articles targeting individuals from Kazakhstan, Latvia, Ukraine and the wider post-Soviet region.
Among Warsaw Point‘s publications are attacks on Timur Tokayev, the son of Kazakhstan’s president, as well as a series of articles about the aforementioned Juris Vanags, whom the site links to narratives about “Kremlin money” and money laundering.
The question is not only whether every allegation in these texts is false. The deeper question is why an English-language “Warsaw” website is serving as a repository for dossiers against non-Polish figures, often in language that resembles black PR more than journalism.
This is one of the network’s core mechanisms: European geography serves as a mask of credibility.
In this story, Luxembourg and Warsaw are more than just cities. They function as brands that allow reputational attacks to masquerade as reporting by independent European media outlets.
One Dossier, Two European Masks
The case of Juris Vanags illustrates this mechanism particularly well.
In December 2024, Warsaw Point published an article alleging that Juris Vanags had orchestrated an international money-laundering scheme involving what it described as “Kremlin money.» The article referenced the Polish prosecution service, shell companies, €70 million, Russian oligarchs, two alleged Polish accomplices, and Vanags’ purported flight from justice. It also portrayed him as a pro-Russian, “Stalinist” figure in Latvia.
Luxembourg Herald later published a strikingly similar article: the same core narrative, the same €70 million figure, the same references to the Polish prosecution, the same shell companies in Poland and Latvia, and the same framing around “Kremlin money” and Russian clients.
The effect is obvious. A single dossier can be republished under two different European media identities—one Polish and one Luxembourgish—creating the illusion of independent corroboration.
This is the logic of information laundering: the origin of an allegation becomes less important than the impression that it has been reported by “multiple independent European media outlets.”
Yet this is also where the network reveals its own weakness. Articles based on the same underlying drafts appear on two supposedly unrelated platforms operating from different parts of Europe, exposing a level of coordination that undermines any claim of editorial independence.
Ukrainian, Russian and Irish-Cypriot Local Fronts
The European façades are only one part of the system.
Cloudflare’s responses also identify Private Layer as the relevant hosting provider for a number of Ukrainian local and regional domains, including navarti.in.ua, obriy.news, uzhgorodka.uz.ua, posmotrim.com.ua, and rkm.kiev.ua. The same applies to ossetia.tv and trinitybugle.com, which present themselves, respectively, as “an established publication” covering events in Ossetia, a region of Russia, and as “the leading source of news and information for Ireland and Cyprus“.
These websites present themselves as local or niche news outlets. Yet their apparent function is remarkably similar: to publish, replicate, repackage or amplify reputation-focused content. Their branding creates the impression of local legitimacy. Their underlying infrastructure, according to Cloudflare’s responses, leads back to the same hosting provider.
The role of these websites is to function as components of a larger network. Online reputational pressure is not created by a single article—it is created by volume. A person searches for their name on Google and is confronted with a collection of seemingly “independent” websites repeating the same allegations. The target is no longer facing an isolated publication, but an artificially constructed media ecosystem.
A network like this does not need to convince every reader. It only needs to poison the search results.
How the Extortion Model May Operate
Victims of such networks, as well as researchers who investigate them, describe a broadly similar operating model.
The process typically begins with an aggressive “investigation” published on a single website. Similar articles are then republished, rewritten or mirrored across other platforms. The same names, allegations and emotionally charged labels are repeated across multiple domains. Search engines index this content, and the name of an individual or company gradually becomes associated with crime, Russia, sanctions, offshore structures, gambling or corruption.
The pressure begins after that.
In some cases, attempts to remove or correct such material reportedly lead victims to opaque communication channels, anonymous email addresses, intermediaries or offers to “resolve the issue.” Payment may be requested in cryptocurrency or through other difficult-to-trace channels.
We do not claim that every website within this cluster has directly demanded payment. However, the combination of fake local media branding, toxic SEO-driven content, opaque editorial structures and resilient hosting infrastructure creates the technical conditions in which such a model can operate.
Why the Hosting Provider Matters
Hosting providers are not newsrooms. Nor do they purport to be. They do not write their clients’ articles, and in most cases they cannot reasonably pre-screen or moderate every piece of content hosted on their infrastructure.
But they do have abuse departments. They receive complaints. They decide whether to continue providing services to customers who repeatedly become the subject of allegations involving defamation, impersonation, copyright infringement, fraud or extortion.
“That is precisely why the Cloudflare correspondence matters.”
In cases like these, Cloudflare often acts as an intermediary. While it may proxy or protect a website, it forwards abuse complaints to both the website owner and the underlying hosting provider. In the responses reviewed by our editorial team, Cloudflare repeatedly identified the same hosting provider: Private Layer INC.
If Private Layer received repeated complaints concerning multiple domains exhibiting similar patterns of conduct, one central question becomes unavoidable:
Was Private Layer simply unable to conduct adequate due diligence on problematic customers, or did it knowingly provide a safe-haven infrastructure for a coordinated network engaged in digital extortion?
It is a question that Private Layer should answer.
A European Problem
This is not merely a Ukrainian story. Nor is it simply a story about a handful of questionable websites.
The network exploits European identities—Luxembourg, Poland and Switzerland—to give reputational attacks the appearance of legitimacy. A fake or phantom local news outlet becomes the original source. Other websites then cite that source. Repetition begins to resemble independent confirmation. Google search results become a form of punishment.
The targets are often individuals from Eastern Europe. Yet the infrastructure, branding and institutional façades are European. That is precisely why this is a European problem: it concerns the accountability of hosting providers, the integrity of search, the abuse of local journalism, and the rise of cross-border digital extortion.
People targeted by such campaigns often have no way of knowing who wrote the original article, who owns the website, where its operators are physically located, or who is ultimately being paid for the publication. Yet the content remains online. The search results remain polluted. And the hosting provider continues to supply the underlying infrastructure.
Private Layer should answer a number of important questions:
- Does, or did, Private Layer provide hosting infrastructure for com, warsawpoint.com, navarti.in.ua, obriy.news, uzhgorodka.uz.ua, posmotrim.com.ua, rkm.kiev.ua, and the other domains identified in this investigation?
- Has Private Layer received abuse complaints concerning these domains from Cloudflare or other complainants?
- What actions, if any, did the company take after receiving such complaints?
- Does Private Layer conduct due diligence on customers who become the subject of repeated complaints involving defamation, impersonation, copyright infringement, extortion or coordinated abuse?
- Has the company ever suspended any of these domains, warned their operators, or conducted internal compliance reviews?
- Were hosting services for any of these domains paid for using cryptocurrency?
- Are any of these domains associated with the same contractual customer or with a group of related customers?
- Does Private Layer deny having any knowledge of coordinated activity involving these websites?
At the time of publication, Private Layer had not responded to our request for comment.
Questions for Cloudflare and Google
Cloudflare should also clarify whether it has received repeated complaints concerning these domains and whether it has identified indicators of coordinated abuse.
Google, for its part, should answer a different question: how does its search engine deal with networks of low-transparency websites that appear to exist primarily to generate negative search results associated with individuals’ names?
This is where the story extends beyond individual acts of defamation. Such a business model can function only if search engines reward repetition and infrastructure providers allow these websites to remain online.
The websites in this network do not all look alike. Perhaps that is precisely the point.
A Luxembourg façade. A Warsaw façade. Ukrainian local façades. Different domains, different names, different purported audiences. Yet the responses from Cloudflare’s Trust & Safety team repeatedly point to the same hosting provider.
While shared hosting infrastructure alone does not establish common ownership, the recurring infrastructure, the repeated content patterns and the apparent coordination described in this investigation raise serious questions about whether these websites may be operating as part of a broader, coordinated network. The same infrastructure enables phantom media outlets to publish reputational attacks, replicate dossiers, withstand complaints and pollute search results.
This is not merely a story about fake websites.
It is a story about the infrastructure that enables reputational abuse.
And at the center of that infrastructure stands a question for Private Layer: How many warnings must a hosting provider receive before ignorance gives way to complicity?













