For probably much of cybercrime you don't pay for these servers. Many are usually security compromised servers that were put up for legit business and left some config file out in the open or some other silly mistake. In the case of phishing, they are hijacked and by the time anyone notices, enough emails have been sent to create a lot of damage for the good guys, and a decent profit for the bad guys.
As always, something will only be done to fix the unbearable lightness of committing a cybercrime when there is a realization that the price being paid for those that have the power to make a difference outweighs their benefits.
Often people only notice their badly maintained website has been hijacked to host phishing pages under some subdirectory when their whole site ends up in Google’s safe browsing shitlist.