No KYC, ever
01An email address is all we ask at signup — and a disposable one works. No ID scans, no "selfie with document," no proof of address, no real-name requirement. You could be [email protected], and we'd still sell you a server.
Cryptoservers is an offshore hosting company built around a single refusal: we won't become the middleman between you and a government that doesn't like what you think. We sell compute, network and storage — not compliance theatre. No KYC, no logs, crypto only, DMCA notices go in the bin.
Somewhere between 2013 and 2024, the default of the web flipped from "publish it and own it" to "prove who you are, please." We noticed. So did most of our customers.
The first decade of commercial cloud hosting ran on an implicit bargain: you bought compute with a credit card, and the provider stayed out of the way. The provider wasn't a co-author of your content. The provider wasn't a detective. The provider wasn't a notary.
That bargain fell apart in public and at speed. Cloudflare deplatformed forums on the evening news. AWS terminated accounts based on Twitter mobs. Hetzner banned Tor relays. OVH and DigitalOcean began handing over account metadata to whichever authority wrote the most persuasive email. Stripe made its content policy a press release. The KYC wave — driven by a patchwork of EU AMLD, FinCEN guidance and UK PSD rules that technically apply to banks — ate the hosting industry anyway, because lawyers don't do nuance and finance officers don't do risk.
We were the engineers patching the VMs while this happened. We watched customers we'd known for a decade migrate from "just send us the server" to "please fax a utility bill." We watched Tor exits disappear from region after region. We watched a serious investigative outlet get its whole stack ripped out overnight because a payment processor's compliance tool flagged an adjacent keyword.
The market needed somewhere to go. So, on the first of May 2024, in a small office in Charlestown, Nevis, we built it.
This company's thesis is older than this company. It has a face, and it has a name. He was in handcuffs at Le Bourget airport while we were drafting our Terms of Service.
In 2006, at 22, Pavel Durov co-founded VK — Russia's equivalent of Facebook — at a moment when Moscow was still pretending to tolerate civil society. In 2011, when the FSB ordered him to shut down VK groups organising protests against vote-rigging, he refused. In 2014, when the FSB demanded the personal data of Euromaidan organisers in Ukraine, he refused again and posted the order, stamped, on his public profile.
He was fired the next day. He left Russia with a suitcase, a brother, and a roadmap: a communication platform that would be structurally incapable of delivering what he had just refused to deliver. That became Telegram.
Telegram was self-funded from Durov's crypto holdings for nearly a decade — no venture capital, no ads, no growth hacks — because Durov thought (correctly) that the ad-supported model was the mechanism by which user-hostile behaviour enters a social product. He adopted citizenship of Saint Kitts and Nevis as part of a multi-passport strategy designed to make unilateral state coercion harder. Then of the UAE. He set the company up in Dubai.
In August 2024, he was arrested at Paris–Le\u{a0}Bourget airport and later indicted for — stripped of legal jargon — failing to hand over enough of his users. He spent a period under judicial supervision in France, refused the deal that would have let him leave, and came out of the case with his operating posture unchanged. Telegram has not added a CEO-accessible backdoor. It has not added mass KYC. It has not handed over message content to any government we are aware of, before or after the arrest.
We are a hosting company, not a messenger. We have no illusions about operating at Telegram's scale or its visibility. But the lesson is portable: you can build an infrastructure product that refuses, and refuse in public, and survive. We took notes.
Privacy is not something to apologise for. It's not a perk you give your users in return for their loyalty. It's a right — and on a planet with seven billion phones, it's also a protocol you build into a product or watch evaporate.
Everything below is a commercial decision with operational consequences. None of it is marketing copy. If any of the six ever flips, we'll say so on the warrant canary before we say so here.
An email address is all we ask at signup — and a disposable one works. No ID scans, no "selfie with document," no proof of address, no real-name requirement. You could be [email protected], and we'd still sell you a server.
None of our jurisdictions give the US DMCA legal force. We log every notice received, anonymised, onto the warrant canary for transparency — then we take no action against the customer's content. Court orders from competent jurisdictions get a different reply.
Invoices settle in Monero, Bitcoin, Litecoin, Ethereum, Dash, BCH or Dogecoin. No Stripe, no PayPal, no bank wires, no cards. Fiat rails mean intermediaries with their own compliance appetites — and none of them are on our side.
Panel session IPs purged at 24 h. No netflow, no PCAP, no NIC mirroring, no ARP/MAC retention beyond what a healthy switch needs. Nothing we don't need to start the next request. If we don't have it, we can't hand it over.
Every support message that matters — abuse, legal, security, billing disputes — comes signed with the same key that signs our canary. Verify the signature, and you verify it came from us and not from a court-ordered ghost operating on our infrastructure.
The canary is re-signed weekly with a key we keep offline. Gag orders we cannot disclose directly show up as missing or late signatures. If we go silent, we've been compelled. Act accordingly.
None of these events is about us. All of them shaped why we exist.
Bulk collection stopped being an internet rumour. Every serious infrastructure team in the world rewrote their threat model over that summer. Most forgot by 2016. We didn't.
Pavel Durov posts the FSB's request for Euromaidan organisers' data on his public profile, and is ousted from VK the next day. He leaves Russia with the Telegram roadmap. The template for refusal-as-product was set.
Roskomnadzor orders Telegram to hand over message encryption keys. Telegram refuses, gets blocked in Russia for 2+ years, survives, and the block is quietly rescinded without concession. Infrastructure providers take note: state pressure can be outlasted.
Hetzner, OVH, DigitalOcean, Linode begin tightening identity requirements. Crypto payment options vanish one by one. Compliance teams quietly add "real name verification" to onboarding flows. The space for anonymous hosting contracts by an order of magnitude.
Six operators pool their savings, buy rack space in Reykjavík, AMS, Bucharest and Zurich, and publish a warrant canary on day one. The company is C 59284-2024. The jurisdiction is deliberate: the same federation that issued Durov a passport.
The French state indicts a billionaire platform operator for, essentially, refusing to police his users. The message to infrastructure providers is unmistakable. Our response is to publish our principles in larger type, and keep operating.
Four offshore datacenters, a handful of thousand customers, six operators across three timezones. No KYC handed over, no DMCA actioned, no log retained beyond what the service needs to run. We'll tell you on the canary if that ever changes.
Corporate in a country that minds its own business. Infrastructure in four countries picked for one criterion — a court order is a document, not an email.
A federation of 67,000 people in the Eastern Caribbean, with a constitutional free-speech guarantee, no mutual legal assistance treaty with the US that bypasses local judicial review, and a legal tradition (English common law via the Eastern Caribbean Supreme Court) that takes corporate sovereignty seriously.
Our company secretary is a licensed Nevisian law firm. Our operating books are audited annually. Our Article 18 declaration — the one that says we will not voluntarily hand over user data outside a Saint Kitts court order — is filed, signed, and public.
This is the same jurisdiction that issued Pavel Durov a passport. We picked it independently, for the same reasons he did.
Six operators, three timezones, no photos. Collectively around forty years of infrastructure experience and twenty of privacy engineering. We identify to each other by PGP fingerprint, and to the Nevisian company secretary by legal name, and to nobody else.
This isn't paranoia. It's threat-model-appropriate. The point of a provider like this is that an adversary cannot compromise the operators any more easily than they can compromise the customers.
An email address — even a disposable one — gets you an invoice. A Monero confirmation gets you SSH credentials. The rest is up to you.