Anonymous VPS hosting starts with jurisdiction
Rent a server and the host usually gets your IP, payment method, and account email. In many places it must keep that data and hand it over when ordered. Jurisdiction decides how hard the host gets pushed, how fast it complies, and whether it fights back at all. Iceland, Romania, and Nevis do not behave like the US or UK. Pay with a traceable card in the wrong place and the rest of your privacy work starts rotting.
- Pay with Monero. It leaves no fiat trail. Bitcoin stays traceable. Card payment gives your identity away directly.
- Iceland and Nevis give the strongest legal resistance. Romania has useful court precedents. Avoid the US, UK, Canada, Australia, and New Zealand for sensitive hosting.
- After provisioning, disable password auth, use SSH keys, turn on UFW, install fail2ban, and skip cPanel. Panels widen the attack surface.
Jurisdiction decides the fight
A VPS provider in the United States can receive a National Security Letter, a secret administrative demand with a gag order attached. The company cannot tell you. A UK provider lives under the Investigatory Powers Act, which also grants broad compelled-access powers. Five Eyes states, the US, UK, Canada, Australia, and New Zealand, share intelligence and extend pressure through mutual legal assistance treaties.
Iceland gives the strongest ground for press-freedom hosting. The International Modern Media Institute framework, passed in 2010, built unusually strong source protection into Icelandic law. Icelandic courts have resisted foreign subpoenas, and local providers have a record of pushing back on US and UK takedown demands. 1984 Hosting named itself after Orwell on purpose. No ambiguity there.
Romania sits inside the EU but has useful court precedents against overreach. FlokiNET Romania has resisted takedown requests and runs under a press-freedom policy aimed at journalists and human-rights groups. FlokiNET also offers Iceland nodes, so you can choose the harder jurisdiction.
Nevis, in Saint Kitts and Nevis, has no extradition treaty with many countries and keeps strict financial secrecy laws. Njalla is registered there. Peter Sunde's involvement tells you the posture in plain words: build for resistance, not convenience.
Provider comparison
| Provider | Jurisdiction | Accepts XMR | TorThe Tor network uses onion routing to obscure IP addresses and browsing paths by relaying traffic through multiple volunteer-run nodes.Glossary → Access | Price/mo |
|---|---|---|---|---|
| 1984 Hosting | Iceland | No (BTC / card) | Yes | ~$3 |
| FlokiNET | Romania / Iceland | Yes | Yes | ~$5 |
| Njalla | Nevis (Caribbean) | Yes | Yes | ~$8 |
| IncogNET | United States | Yes | Yes | ~$4 |
1984 Hosting runs from Reykjavik and started in 2006. Entry VPS plans start around $3 per month. They take Bitcoin and cards, not Monero directly, so you need a no-KYC BTC source or an XMR to BTC swap. Of the four hosts here, Iceland gives them the strongest legal footing.
FlokiNET operates in Romania and Iceland and accepts XMR natively. That makes it the easiest option if you already use Monero. It states its press-freedom policy plainly and has resisted takedown attempts. If jurisdiction matters most, pick the Iceland node. Entry pricing starts around $5 per month.
Njalla is registered in Nevis and better known for anonymous domains, but it also sells VPS plans from about $8 per month. It takes XMR. The Caribbean jurisdiction sits outside EU data retention rules and outside many extradition arrangements. Pairing a Njalla domain with a Njalla VPS cuts down the number of parties that know anything about you.
IncogNET is US-based, accepts XMR, and claims a no-log policyA claim by a VPN or service that it does not retain activity, connection, or identifying records that could later be handed to third parties.Glossary →. The US remains a weak jurisdiction for hostile legal pressure, so this is not the choice for your sharpest threat model. For lower-sensitivity hosting, it can still work.
Monero is the payment method that fits the job
Monero fits anonymous VPS provisioning. Bitcoin does not. Bitcoin is pseudonymous and every transaction sits forever on a public ledger. Chain-analysis firms can trace BTC from a KYC exchange to a hosting invoice. Monero hides sender, receiver, and amount by default through ring signatures, stealth addresses, and RingCT.
One practical detail gets skipped in most guides. Most hosts wait for 10 confirmations before they credit XMR. With block times around two minutes, expect roughly 20 minutes before the server appears. Send the payment and wait. Instant gratification is not part of this stack.
Get no-KYC XMR
Use Haveno DEX, which is peer to peer and asks for no account, or Trocador for an instant swap from BTC or ETH. A cash-friendly Bitcoin ATM plus a later swap to XMR can also work. Do not buy XMR on a KYC exchange and send it straight to the host.
Create the host account over Tor
Open the provider through Tor Browser. Use a dedicated email alias from SimpleLogin or AnonAddy, created over Tor and used nowhere else. Do not create the account from your home IP. If the provider offers a .onion address, use it.
Send XMR and wait
The host gives you a one-time XMR address for the order. Send from Feather Wallet or Cake Wallet. Wait for 10 confirmations, about 20 minutes. After that, the account usually activates on its own. Anyone watching the chain still cannot read the transaction details.
Hardening the server matters as much as paying for it
Anonymous payment means very little if the server falls to weak defaults. Fresh images often ship with password auth on, no firewall, and services listening everywhere. For privacy-sensitive work, the next steps are not optional.
SSH keys. Kill password auth.
Generate a 4096-bit RSA or Ed25519 key pair locally. Add the public key to~/.ssh/authorized_keys on the server. In /etc/ssh/sshd_config, set PasswordAuthentication no and PermitRootLogin prohibit-password. Reload sshd. Password brute force stops here.
UFW firewall. Deny first.
Install UFW (apt install ufw). Set the defaults with ufw default deny incoming and ufw default allow outgoing. Allow SSH with ufw allow 22/tcp. If you run a web server, allow 80/tcp and 443/tcp. Then run ufw enable. Everything else stays shut.
fail2ban hits back at scanners
Install fail2ban (apt install fail2ban). The default setup bans IPs after five failed SSH attempts for 10 minutes. Push the ban time to at least an hour in /etc/fail2ban/jail.local. Fresh servers get probed within minutes. Let the bots smack into a wall.
No panel software
Do not install cPanel, Plesk, Webmin, or any browser-based server panel. Each one adds ports, web code, credentials, and its own list of CVEs. If the panel falls, the server falls. Use SSH. The annoyance is part of the protection.
Use a Tor hidden service for admin access
The server IP is its most exposed identifier. Even after anonymous payment and hardening, every SSH session from your machine reveals your IP to the server logs. Running SSH through a Tor hidden service removes that exposure. You connect to a .onion address, Tor routes the traffic end to end, and the server's public IP drops out of the admin path.
To configure SSH over Tor on the server, install Tor and add a hidden service pointing to port 22:
# /etc/tor/torrc HiddenServiceDir /var/lib/tor/ssh_hidden_service/ HiddenServicePort 22 127.0.0.1:22
Restart Tor. The .onion hostname appears in /var/lib/tor/ssh_hidden_service/hostname. To connect from your machine, route SSH through the local Tor SOCKS proxy:
ssh -o ProxyCommand='nc -x 127.0.0.1:9050 %h %p' \
user@youraddress.onionAfter that, admin access no longer needs the server's public IP. You do not need to whitelist your home IP in UFW. You can keep SSH closed to the public internet and open only through .onion.
What to avoid
- US, UK, AU, NZ, CA providers because Five Eyes pressure is routine, fast, and often secret. NSLs can even bar the provider from warning you.
- Shared IP control panels because cPanel, Plesk, and similar tools expose the server through a browser-facing port and extra auth layer. Panel bugs get servers popped.
- KYC exchanges for payment because buying XMR from Coinbase or Kraken still builds a fiat-to-XMR-to-hosting trail that subpoenas can reconstruct. Use Haveno or Trocador.
- NiceVPS because of documented disclosure and OPSEC problems.
- Registering from your home IP because even with XMR, the provider's access logs can still tie the account to your connection. Use Tor for the initial signup.
Follow the money in cloud hosting
The hosting market is an oligopoly. AWS, Azure, and Google Cloud control more than 65% of global cloud revenue, and all three run dedicated government business lines. No-KYC offshore hosting survives as a small market built to route around that machinery.
- AWS
- GovCloud $10B+ · CIA contract since 2013 · JWCC $9B DoD (2022) · FISA 702: US providers must comply with NSA orders
- Azure
- Government + sovereign cloud $21.7B (FY2024) · Azure Government Secret: classified workloads · FBI, NSA, 17 intel agencies on Azure
- Google Cloud
- DISA + DoD classified projects · $1B+ gov contracts (2024) · Google Workspace: CISA + DHS production tenants
- No-KYC offshore
- FlokiNET Iceland (IMMI framework, no US reach) · 1984 Hosting (XMR) · Private Layer Panama (no data retention law)
Information is provided for educational purposes. Always verify provider terms. Not financial advice. Affiliate disclosure.