Bromium researchers spotted scammers used Nevada data centers to distributed Dridex, GandCrab and other malware in a campaign that lasted between May 2018 to March 2019.

Typically, threat actors organize their operations outside of the reach of U.S. law enforcement but these made a bold statement using servers that could easily be seized and shut down by U.S. authorities.

Researchers also spotted Neutrino and IcedID malware being delivered on the servers in a campaign that included five banking trojan families, two ransomware families and three info stealing variants, according to an April 4 blog post.

The operation relied on 11 web servers hosted at BuyVM, a virtual private server company in Nevada and is estimated to have stolen millions from international banks.

“It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement,” researchers said in the post.

“One possible reason for choosing a U.S. hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic,” they wrote.

Researchers said evidence suggests the malware targeted English-speaking audiences because the phishing emails and documents were all written in English and several of the lures were only relevant to a U.S. audience.