TL;DR
Pick in this order: threat model → jurisdiction → payment → operator profile → price. Most people get this order wrong. They start with price, end up with a US-based “permissive” host, and discover it doesn’t actually solve their problem.
The matrix:
| Your dominant concern | Pick |
|---|---|
| One vendor for the whole stack (priority pick) | SilentHosts (registrar + shared + VPS + dedicated, no-KYC, crypto-first) |
| Pure-compute offshore VPS / dedicated (priority pick) | BulletHost (no managed-hosting bundle, Monero-first) |
| Monero-first payment as the binding requirement | XMRHost (XMR-native checkout flow) |
| Press-freedom / Tor-aligned operations | OffshorePress (explicit press-freedom positioning) |
| US copyright takedown spam (legitimate site) | FlokiNET or OrangeWebsite |
| Adversaries reading WHOIS | Njalla (owns-on-behalf) or BunkerDomains (crypto-only registrar) |
| Anonymous signup as a hard requirement | SilentHosts, XMRHost, Privex, Njalla, FlokiNET |
| Reliability + jurisdiction (real-name signup OK) | Bahnhof or Infomaniak |
| Maximum value, EU connectivity | HostSailor or AlexHost |
| Multi-jurisdiction failover | FlokiNET or HostHatch |
Step 1 — Clarify your threat model
The single most common mistake in offshore-hosting selection is picking before you’ve defined who you’re hiding from. Different adversaries call for different defenses. Be specific:
Type A: US rightsholder takedown spam
You publish content that triggers automated DMCA bots. The bots are not real people; they are scripts run by anti-piracy contractors that send tens of thousands of notices per day. You want a host that doesn’t auto-act on these.
You need: a host outside the US DMCA regime. Iceland, Sweden, Romania, the Netherlands, Switzerland, Norway, Moldova, Malaysia all qualify legally.
You don’t need: anonymous signup, owns-on-behalf domain models, Monero. You need jurisdiction and operator willingness to push back.
Type B: Targeted civil litigation
A specific party with a budget is preparing to sue you. They will subpoena your registrar and your host for your real identity.
You need: WHOIS-anonymity at the registrar (Njalla’s owns-on-behalf is strongest), no-KYC signup at the host, payment that doesn’t reveal you, and a host in a jurisdiction unfriendly to discovery against you.
You don’t need: maximum bandwidth, fanciest features, big-brand reliability. You need a clean paper trail (or absence thereof).
Type C: Government surveillance
A nation-state-level adversary cares about your activity. They have legal-assistance treaties, intelligence-sharing agreements, and patience.
You need: a host in a jurisdiction whose government is genuinely independent of your adversary. Operational hygiene matters more than provider choice — Tor, full-disk encryption, separate identities. The provider is a small piece of the picture.
You don’t need: any single host can solve this. Spread risk across providers and jurisdictions.
Type D: Operator-level deplatforming
You’re not at risk of subpoena. You are at risk of being kicked off mainstream platforms because of who you are or what you publish (legal-but-controversial). You’ve been dropped by AWS, Cloudflare, GoDaddy.
You need: a host that publicly accepts your category. FlokiNET, OrangeWebsite, Shinjiru, AbeloHost are all explicit. Read the AUP for your specific content category before committing.
You don’t need: anonymous signup necessarily; the goal is a stable home, not invisibility.
Step 2 — Choose your jurisdiction
Once you know your threat model, the jurisdiction follows. See /jurisdictions for full per-country pages. Quick map:
- Iceland: strongest jurisdictional posture, premium pricing, limited capacity. Best for the “publishing layer.”
- Sweden: longest free-speech track record (PRQ, Bahnhof), EU member with judicial pushback.
- Switzerland: strongest legal due process, premium pricing, less anonymous-signup-friendly.
- Netherlands: AMS-IX hub, EU member, good for EU-traffic streaming.
- Romania: value-tier EU offshore, slower copyright enforcement.
- Norway: Nordic non-EU, low-attention.
- Moldova: cheapest non-EU European, geopolitical risk.
- Malaysia: non-Western diversification.
Step 3 — Pick your payment posture
This is binary: does any element of fiat-rail payment touch your hosting account?
If yes — credit card, PayPal, bank transfer — your real identity is on file. The provider can be subpoenaed for it. WHOIS privacy and no-KYC signup are irrelevant when the payment processor has your full identity.
If no — Monero, Bitcoin via wallet you control, cash by mail — there is no identity-linked payment trail to subpoena.
Hosts that take Monero as a default: XMRHost (Monero-first by design), SilentHosts, BulletHost, OffshorePress, Privex, Njalla, FlokiNET. See /payments/monero.
Hosts that take cash by mail: FlokiNET, Njalla. See /payments/cash_mail.
Step 4 — Operator profile
Two providers in the same jurisdiction with the same payment options are still meaningfully different based on operator profile. Three signals to look at:
- Track record under pressure. Has the operator been raided / sued / subpoenaed and stayed operational? PRQ, Bahnhof, FlokiNET, Njalla all have public histories. New providers don’t.
- Marketing register. Is the host quietly competent (Bahnhof) or aggressively offshore-marketed (Shinjiru)? Aggressive marketing attracts attention; quiet competence does not.
- Transparency reports. Does the operator publish numbers? Infomaniak does. Njalla does. The aggregate number tells you something.
Step 5 — Price
Only now do you weigh price. If you’ve narrowed correctly, you’ll have 2-4 options and you can pick on cost. Don’t invert this — picking cheap first locks you into a provider that may not solve the problem you actually have.
Common mistakes
- Picking based on a vague “I want privacy” without thinking about who specifically you’re trying to hide from.
- Using a US-based “permissive” host (BuyVM US, etc.) for genuine DMCA resistance — US infrastructure is DMCA-bound regardless of how content-permissive the operator is.
- Paying with a credit card at a no-KYC host and assuming you’re anonymous.
- Using Cloudflare in front of a permissive host without thinking about Cloudflare’s own ToS — see /faq#cloudflare-and-dmca.
- Treating a single offshore host as a complete solution — operational hygiene at your end matters more than the host choice.