Despite what some researchers may think about domestic PCs, the logic for the RBN has to base these operations within accessible hosts. Also from inside any server it is much easier to use "Man-in-the-Middle" (MITM) techniques to exploit neighboring web sites and for personal ID theft. Where better than within a low cost US host that only cares about the credit card used for not what the web site does, and you have over 1 million web sites and their users to prey on?
So here is the "good news" - the RBN have moved some key domains as of today, and luckily every time they do this it reveals more of their bases. Below is just a sample of many, if you put them on the outside of the major hosting hubs, you will starve the main body.
"The Enemy Within the Gates" - all "within" major US hosts, also note every one has fictitious domain registrants and is breaking the TOS (terms of service) for hosting:
iframecash com = 18.104.22.168 = Hiding within Cogent Communications (DC, US) moved back onshore to the US from Aki Mon Telecom
iframecash net = 22.214.171.124 = Hiding within Net Access Corporation (NJ, US) - along with many (what look like) bank phishing domains
anonymous-service (dot) com = 126.96.36.199 = within ThePlanet com (US) & proxy registered via Global Net Access (US) - also key domains
adulthosting (dot) ru, aspmedia (dot) net, sexbomba (dot) ru. webmoney-hosting (dot) net
76service com = 188.8.131.52 = still within Noc4hosts Inc (FL, US) and proxy registered via Global Net Access - also key domains:
firstoceanicbank (dot) net, gamesboard (dot) ru, hydrometeocenter (dot) net, newpulses (dot) com, odeku (dot) net, putany (dot) net, sosnovsky (dot) net
If we can persuade these major US hosts / servers to act voluntarily and quickly, as we did with Layered Technologies (iframe cash com) then at least we could prevent a great deal of web site exploits from "within" the major US hosting servers.
Just to re-emphasize listed above provides RBN direct access to over 1 million web sites and their users.