CryptoServers
Launch server
DMCA-ignored hosting explained: what it actually means, legally and operationally
Legal explainer

DMCA-ignored hosting explained: what it actually means, legally and operationally

By Cryptoservers Engineering 10 min read

"DMCA-ignored hosting" is one of the most misunderstood phrases in the offshore hosting market — half marketing slogan, half load-bearing legal claim. This guide unpacks what it actually means under statute, what every offshore host can credibly promise, what nobody can promise, and how the takedown workflow really runs when a notice arrives.

Start reading Skip and deploy
No KYC, ever DMCA ignored No traffic logs Live in 60 seconds

The one-sentence answer

The US Digital Millennium Copyright Act of 1998 is US federal statutory law. Its safe-harbour and notice-and-takedown provisions (17 U.S.C. § 512) bind providers that fall under US jurisdiction; they have no extraterritorial force on a hosting company incorporated and physically operating outside the United States. A host in Saint Kitts and Nevis, Iceland, Switzerland or Romania can read a DMCA notice, file it, and decline to act on it — and that refusal is consistent with the law, not in spite of it.

What "DMCA-ignored" does NOT mean: that the host ignores all copyright claims, that local court orders carry no weight, or that explicitly criminal content (CSAM, credible threats, identity theft material) gets a pass. It means specifically that a US-style takedown notice — sent by email or webform without a court — does not trigger removal.

Why the DMCA does not apply outside the US

Statutes are bounded by jurisdiction. The DMCA is part of Title 17 of the United States Code; it confers safe-harbour protection on US-based service providers that follow its takedown procedure, and it imposes obligations on those same US providers. A non-US provider has neither the protection nor the obligation. Cryptoservers Ltd., for instance, is incorporated in the Federation of Saint Kitts and Nevis under company registration C 59284-2024; it does not register a DMCA agent with the US Copyright Office because it is not a service provider under § 512(k)(1).

Rights-holders sometimes argue that an offshore host "benefits from" the US market when its users are American. That argument is not supported by case law. In every leading transnational copyright case, the courts have required either physical presence (offices, employees, servers) in the US or specific targeting (advertising aimed at US users, US-currency pricing) before asserting personal jurisdiction. A host that does not advertise in the US, does not bill in dollars-and-cards, and operates infrastructure exclusively outside the US has no exposure to US copyright statute.

The question is sometimes confused with copyright itself. Copyright is recognized internationally via the Berne Convention — every Berne signatory protects works originating in other Berne signatories. But Berne harmonises substantive rights, not procedure. The DMCA's takedown procedure is a US procedural mechanism; Berne does not require any other jurisdiction to mirror it. The closest EU analogue is the eCommerce Directive (2000/31/EC), which sets a notice-and-action regime for hosting providers but with materially higher procedural thresholds than § 512.

What every offshore host CAN credibly promise

Refusing to honour US-style takedown notices: yes, in writing, with a reply confirming the notice was received and read but no action will follow. Most offshore hosts maintain a public stance page (we keep ours at /dmca/) so the position is unambiguous before a customer signs up.

Refusing to identify the customer based on a takedown notice alone: yes. A notice is not a subpoena. Even providers that DO honour DMCA in the US do not unmask customer identity without a § 512(h) subpoena — and in 2003 the DC Circuit ruled in Verizon v. RIAA that § 512(h) subpoenas don't apply to the kind of conduit-only providers most hosting companies actually are anyway.

Resisting fishing expeditions from rights-holder enforcement firms: yes. The standard playbook from firms like Rightscorp, MarkMonitor and the various IP boutiques is to send hundreds of templated notices and see which providers fold. Offshore hosts maintain a documented internal procedure that converts every such notice to an automated reply pointing at our jurisdictional posture and our /abuse/ page — no human handling required for typical IP enforcement spam.

Honouring valid court orders from courts of competent jurisdiction: yes, and unambiguously. A Nevisian court order, a Swiss court order, a Romanian court order, an Icelandic court order — these have legal weight where the host operates and will be respected. Romania's Constitutional Court has twice (2009 and 2014) struck down EU data-retention obligations as incompatible with the Romanian constitution, which sets the bar even higher there. The threshold is "valid order from a court that has jurisdiction over us," not "any court anywhere."

What no host — offshore or onshore — can promise

Immunity from criminal investigations. Local law enforcement in the host's jurisdiction can issue search warrants, seizure orders, or production orders for serious criminal matters under their own statutes. Every offshore host respects these, because doing otherwise would lose the company its operating licence within months. The trade-off is that the legal threshold is much higher than a takedown notice — typically requiring a judge-signed warrant supported by probable cause of a specific crime.

Immunity from network-level interception. ISPs and tier-1 transit providers in the host's region operate under their own local lawful-interception regimes. We mitigate this with TLS-everywhere, WireGuard between PoPs, and a no-content-logging policy — but we cannot promise that a determined nation-state actor with backbone access cannot observe encrypted traffic flows.

Immunity from CSAM enforcement. Every jurisdiction we operate in (Iceland, Netherlands, Romania, Switzerland, Nevis) treats child sexual abuse material as a serious crime with extraterritorial enforcement and full international cooperation. CSAM is the one universally prohibited category in our Acceptable Use Policy and the one category that gets removed within hours of any credible report — we report to NCMEC and the relevant national authority regardless of where the customer claims to be.

Immunity from sanctions. OFAC sanctions, EU sanctions, UK sanctions and equivalent regimes apply at the payment-rail level, not the hosting level. Because we don't accept fiat, we don't have a bank to enforce sanctions through, but customers in sanctioned jurisdictions still bear their own legal risk under their own national law.

How a takedown notice actually flows on offshore infrastructure

Step 1 — the notice arrives at a public email like abuse@ or dmca@. Our ingestion automation parses the From, the alleged URL, and the asserted rights-holder. If it matches the templated DMCA pattern (most do — they're mass-produced), it goes into a tagged queue; if it doesn't, a human triages it within 4 hours during business windows.

Step 2 — automated reply within minutes. We send back a clean explanation: where we're incorporated, what statute applies, why DMCA does not bind us, and where to escalate if the rights-holder believes a Nevisian or other in-jurisdiction process is appropriate. This is signed with our PGP key so the rights-holder can verify it actually came from us, not a forgery.

Step 3 — the notice is filed. We keep an internal log of every notice received, the URL it pointed at, and the date — partly for our own audit, partly because if a court ever does take an interest, we want to demonstrate that we received and read the notice and chose not to act based on a documented legal position. Customers can request a copy of any notice that named their resource through the panel.

Step 4 — typically nothing more happens. The vast majority of mass-produced takedown notices end at step 2. The rare cases that escalate go to the rights-holder's local counsel, who then has to either pursue a Nevisian court order (expensive, slow, and rarely worthwhile for a single-piece-of-content matter) or send a formal letter to the customer themselves, which they can do directly without our involvement.

When DMCA-ignored stops mattering

If your concern is large-scale commercial copyright infringement at industrial volume — running a streaming pirate site monetised by ads, for example — DMCA-ignored hosting is a thin reed. Rights-holders will pursue domain seizure (via ICANN-accredited registrars in the US/EU), payment-processor pressure, and reverse-DNS reporting to put your operation under sustained pressure that no amount of jurisdictional posture can wholly deflect. We are explicit in our AUP that this kind of operation is outside our risk tolerance regardless of the legal merits.

If your concern is whether a single DMCA-style notice will take down your blog post, your forum thread, your privacy-tool source repository, your Tor exit relay's resolver page, or your political content: DMCA-ignored is exactly the right tool. The vast majority of takedown notices we see fall in this bucket — boilerplate, templated, often factually wrong, and frequently aimed at material that wouldn't even be infringing under US fair-use doctrine if a US court ever looked at it.

How to evaluate whether a host is actually DMCA-ignored

Check the corporate registry. A real offshore host will name its incorporation jurisdiction on its terms page and link to a public registration number. "DMCA-ignored" with a US C-corp behind it is marketing fiction.

Check the datacenter footprint. Servers physically located in the US fall under US jurisdiction regardless of where the corporate parent is registered. Look for explicit datacenter addresses in non-US locations (Iceland, the Netherlands, Romania, Switzerland, Cayman, BVI, Malaysia all show up in legitimate offshore hosting; "global edge" with no addresses listed is a red flag).

Check the policy page. A serious offshore host publishes a documented stance page (ours is /dmca/ + /abuse/) that describes exactly what gets ignored and what gets acted on. "We respect customer privacy" is not a stance; "We do not honour DMCA notices because § 512 has no extraterritorial force" is a stance.

Check the payment rail. A host that requires KYC and a credit card has a US/EU payment processor in the loop, and that processor has its own takedown leverage that the host can't refuse. Crypto-only hosting cuts that lever entirely — there is no Stripe to pressure.

Bottom line

DMCA-ignored hosting is a real legal posture, not a gimmick — but it's load-bearing only for the specific category of US-style copyright takedown notices it names. It does not insulate against criminal investigations, against valid court orders, or against rights-holder pressure on adjacent infrastructure (domains, payment, DNS).

If your threat model is "a templated takedown notice will silence my speech tomorrow," offshore + crypto-billed + DMCA-ignored is the right architecture. If your threat model is broader than that, no single legal posture is sufficient — you need defence in depth across hosting, domain, payment, and operational security.

Quick answers

Frequently asked

Is DMCA-ignored hosting legal?
Yes. The DMCA is US statute; it has no extraterritorial force on providers operating outside the US. A non-US host that does not honour DMCA notices is not breaking US law — they're outside its scope entirely. They are also not breaking the law of their own jurisdiction, which has its own (often more rigorous) procedures for handling copyright complaints.
Can rights-holders sue an offshore host in a US court?
They can file, but personal jurisdiction is the gating issue. US courts require either physical presence (US offices, US employees, US servers) or purposeful availment (advertising targeted at US users, US-currency pricing). A host that does none of those things is generally outside US personal jurisdiction. Some rights-holders pursue novel theories ("the host benefits from US visitors") but these have not been successful in published case law.
What happens if a US court issues an injunction against my content?
A US injunction binds parties under US jurisdiction. An offshore host that is not a party to the case and is not under US jurisdiction is not bound by it. Rights-holders typically respond by pursuing domain seizure (via ICANN registrars), search-engine de-indexing requests (via Google's removal form), or payment-processor freezes — not by trying to enforce against the host directly.
Will a DMCA notice get my account terminated?
On Cryptoservers: no. We do not terminate, suspend or restrict accounts based on takedown notices that fall in the DMCA-style bucket. The notice is logged, you receive a copy through the panel, and the matter is closed unless it escalates to a valid court order from a court that has jurisdiction over us — at which point we would notify you, give you reasonable opportunity to respond, and act on the order if it's binding.
Are Tor exit relays, VPN servers and political speech all covered by DMCA-ignored?
Yes — these are exactly the use-cases the policy is designed around. Tor exit operators receive an enormous volume of templated takedown notices for traffic they had no role in (the relay merely forwards bytes); VPN operators see similar volume for their egress IPs. We treat all of these as DMCA-class notices and decline to act. Political speech, journalism, whistleblower content, and dissident publishing all fall in the same bucket.
How does this compare to other offshore hosts (Njalla, FlokiNET, BuyVM, etc.)?
The legal posture is similar across reputable offshore providers — all of them are outside US jurisdiction and ignore DMCA notices in the same way. The differences are typically in operational specifics (which datacenters, which jurisdictions, which payment methods), in scale (we operate four datacenters; some competitors run just one), and in transparency (we publish the abuse posture, the corporate registration, and a weekly warrant canary at /canary/ — not all offshore providers do).
If I host illegal content, does DMCA-ignored protect me?
No, and intentionally so. "Illegal" depends on the jurisdiction your customer-facing content actually targets. CSAM is illegal everywhere and we remove it within hours of any credible report. Other content categories — adult-but-legal, political-but-controversial, copyrighted-but-fair-use — vary by jurisdiction and we lean toward keeping them up unless a court of competent jurisdiction orders otherwise. The /aup/ page is the boundary: read it before signing up.
Apply this

Workloads this guide applies to

Each card opens a workload-specific page with sizing recommendations and a sysadmin FAQ.

Tor relay & exit hosting

Tor relay

Self-hosted VPN server

VPN server

Self-hosted mail server

Mail server
Keep reading

Other guides

Companion reads that pick up where this one stops.

Decision aid Choosing a jurisdiction: Iceland, Netherlands, Romania, Switzerland

Choosing a jurisdiction: Iceland, Netherlands, Romania, Switzerland

A direct comparison of our four offshore locations on the dimensions that actually matter — DMCA tolerance, data retention law, peering reach, latency, and price.

8 min read Read guide
Payment guide Paying for a server in any cryptocurrency: how it actually works

Paying for a server in any cryptocurrency: how it actually works

A walk-through of the checkout from the customer side: pick any of 13 coins, get a deposit address at a locked rate, the server provisions on first confirmation. No KYC, no account linking, no fiat rail.

7 min read Read guide
Payment guide Bitcoin vs Monero for paying your hosting bill: which one to use, and why

Bitcoin vs Monero for paying your hosting bill: which one to use, and why

A practical comparison of paying for offshore hosting in Bitcoin vs Monero — fees, settlement time, on-chain traceability, exchange routes, and which one fits your threat model.

9 min read Read guide

Read enough? Deploy in 60 seconds

No email verification, no ID, no account. Pick a plan, pay in any cryptocurrency, get root.

Launch a server Browse workloads