How it works
FlokiNET is an offshore hosting company set up in Reykjavik in 2012. It sells shared hosting, virtual servers, dedicated boxes, GPU servers, colocation and domain names, with infrastructure across Iceland, Romania, the Netherlands and Finland; Norway, Canada and Singapore are listed as coming. Signup needs nothing but a working email address. Billing accepts Bitcoin, Monero, Lightning, Ethereum, Litecoin, Dash, paysafecard, PayPal, bank transfer and — unusually — cash by post. The billing portal, the marketing site and the blog all expose .onion addresses, and an additional I2P endpoint is published for clients who want it. The company also ships preconfigured stacks for SecureDrop, GlobaLeaks and Matrix, aimed squarely at journalists, NGOs and whistleblower projects.
KYC & privacy
At the standard signup, FlokiNET collects an email address and the alias the customer chooses to use. There is no government ID step, no phone number, no postal address. The privacy aggregator kycnot.me classifies the operator at KYC Level 2 — no routine KYC, but the company can ask for documents or freeze an account under a valid court order or an internal risk decision. Some customers have reported that higher-risk services have triggered requests for notarised papers; this is a documented friction, not a hidden one. The website's privacy policy honours GDPR data-deletion rights, but there is no plain no-logs pledge on the page, which is the honest version of what an Icelandic host can promise.
Strengths and limits
Two things make FlokiNET unusual. First, the operating record: thirteen years of continuous service with no public seizure, no exit scam, no published breach. Second, the receipts. In January 2023 the company received a cease-and-desist from Cellebrite over the EnlaceHacktivista mirror; FlokiNET refused to take the site down, cited EU Directive 2019/1937 protecting whistleblowers, and published the entire correspondence on its blog. That is a rare data point — most hosts settle silently. On the technical side, every VPS plan ships with 1 Tbps+ network-level DDoS mitigation as standard, not as a paid upsell. The limits are familiar for the category: no third-party security audit on the website, closed-source internal tooling, and a firm no-refund policy that the operator is at least upfront about.
Verdict
FlokiNET is what offshore privacy hosting looks like once the marketing is stripped: a 2012 Icelandic operator with data centres in four jurisdictions, a published refusal letter to Cellebrite, and a payment menu that includes envelopes of cash. The lack of a formal audit is a real gap, and casual customers should expect the occasional notarised-document request. For journalists, NGOs and projects that need a host willing to argue back, the trade-offs are worth it. Grade: B (7.7/10). Trust: TRUSTED.

