Russia’s propaganda campaign targeting Americans was hosted, at least in part, on American soil.

A company owned by a man on Staten Island, New York, provided internet infrastructure services to DoNotShoot.Us, a Kremlin propaganda site that pretended to be a voice for victims of police shootings, a Daily Beast investigation has found.

Every website needs to be “hosted”—given an Internet Protocol address and space on a physical computer—in order to be publicly viewed. DoNotShoot.Us is a website run out of the Kremlin-backed “Russian troll farm,” according to two sources familiar with the website, both of whom independently identified it to The Daily Beast as a Russian propaganda account. It was hosted on a server with the IP address 107.181.161.172.

That IP address was owned by Greenfloid LLC, a company registered to New Yorker Sergey Kashyrin and two others. Other Russian propaganda sites, like BlackMattersUs.com, were also hosted on servers with IP addresses owned by Greenfloid. The company’s ties to Russian propaganda sites were first reported by ThinkProgress.

The web services company owns under 250 IP addresses, some of which resolve to Russian propaganda sites and other fake news operations. Others are sites that could not be hosted at other providers, like “xxxrape.net.” There’s also a Russian trinket site called “soviet-power.com.” (The IP address that pointed to DoNotShoot.Us now resolves to a botnet and phishing operation, and is currently owned by Total Server Solutions LLC.)

The use of a tiny, no-questions-asked hosting company run by a man living in New York shows the Kremlin-backed troll farm’s brazen use of Americans and American companies to conduct its disinformation campaign.

Over the past two months, Russia’s efforts to integrate Americans and U.S. communities into its vast propaganda campaigns has become clearer, as social media companies began shuttering accounts originating from Russia’s Internet Research Agency, or troll farm.

In September, The Daily Beast discovered that one of the troll accounts, “Being Patriotic,” organized 17 in-person rallies for Donald Trump on one day in Florida alone. Last week, BuzzFeed reported that unwitting Americans were used to amplify Russian social media accounts pretending to be a Black Lives Matter offshoot.

Now, it appears Russia’s influence campaign attempted to host that campaign within the United States.

DoNotShoot.Us purported to be a collection of stories about “outrageous police misconducts [sic], really valuable ones, but underrepresented by mass media” in an effort to to “improve the situation in the U.S.”

The site served as a de facto database of shootings by police across the U.S, with each entry accompanied by anti-police invective. (An entry for the assault of a man named Ross Flynn lists the “reported reason” for the incident as “resisting and evading arrest”—and the “real reason” as “cops don’t treat detained people as humans.”)

The site also features a list of petitions (No. 2 on the most popular list: “Stop Police Violence Against Pit Bulls, Justice For Mr. Brown”) and an archive of graphic videos that have since been pulled from the web.

Greenfloid also hosted BlackMattersUs.com and other sites designed to impersonate African-American activists that have been identified as Russian troll accounts by independent Russian news agency RBC. BlackMattersUs.com claimed it was a “nonprofit news outlet” for the “African-American community in America,” but often used its page to smear Hillary Clinton and push Kremlin talking points.

While hosted in America, content for the sites was generated by paid staffers in St. Petersburg.

Former FBI agent Clint Watts, an expert on Russia’s propaganda campaign, said the Kremlin’s use of an American host is true to form.

“All of these placements are designed to create anonymity around the source and make it look authentic—like there’s real, grassroots support around the world for these interests,” Watts told The Daily Beast.

“You don’t want these to trace back to Russia, so you pick a believable community closest to your target. It’s not necessarily that they’re directed Russian agents, but they can go through Russian communities—witting or unwitting—outside of Russia.”

Quiet Neighborhood, Nasty Material

Sergey Kashyrin now lives in a quiet Staten Island neighborhood of bungalows, semi-detached homes, and cracked sidewalks just a few blocks from Midland beach. It is still reeling from the devastation of Hurricane Sandy. When a reporter visited Monday morning, Kashyrin’s street was blocked off by road work signs and mud-caked tire tracks traced the roads. On nearly every block, construction crews were still at work repairing boarded up homes amid tall marsh grasses towering in overgrown yards.

In business filings, Kashyrin and the two other registrants of Greenfloid LLC all gave their address as a well-kept beige semi-detached house in the middle of a quiet block. It has a lush and green backyard, with a greenhouse and coop, and tall plants that peek out of the front-facing windows. The house, if not the block, seems to have avoided much of the devastation; across the street are wild lots where other homes once stood. Kashyrin wasn’t home, and a woman suggested a reporter call him.

Reached by phone, Kashyrin gave a string of answers, many of them contradictory. He initially said he didn’t want to talk about Greenfloid LLC. Then he said he was available to talk, and said that Greenfloid is part of the fight against Russian propaganda—nevermind the fact that his company hosted it.

Kashyrin next pivoted to say his service didn’t consciously provide hosting to the Russian trolls—despite evidence to the contrary—but instead unknowingly rented them virtual servers that they used to funnel traffic to a different hosting company in Russia. He declined to name the company. “We were not hosting those websites. The guys bought virtual servers, and they put the proxy,” Kashyrin said. “It just redirected to the original site in Russia.”

Such an arrangement would have the same effect as hosting, while slowing the troll websites and consuming needless bandwidth. But it’s conceivable the Russians used such a scheme to make it easier to quickly relocate the sites without having to copy their contents. It’s largely a distinction without a difference—Kashyrin’s firm was still serving the Russian propaganda through its servers and internet, even if the images and text were ultimately held in Russia as Kashyrin claims.

When asked why the company hosts so many fake news sites, often angled toward Russian interests, Kashyrin said that there are likely simply many customers “from there who are doing that.”

‘It’s Funny, Having Russian Propaganda’

One thing that’s clear, however: Greenfloid is more than just a stand-alone firm. Greenfloid is listed on the site of its Kharkiv, Ukraine-based parent company ITL as its North American division, and a number listed for Greenfloid dials into a Russian-language menu for ITL.

This isn’t the first time ITL has been called out over allegations its servers were used to host sites run by the Russian troll factory. It also hosted the website Whoiswhos.me, which revealed the identities and personal information of Russian opposition bloggers.

A number of Russian bloggers and activists had their names, photos, and personal information revealed on WhoisWhos. At least seven of them were physically assaulted, and some had their cars burned, the Russian news site Fontanka said in June 2016.

ITL was alerted and the site was taken offline, Fontanka reported. (Kashyrin said it was around the same time that Greenfloid banned proxies, disassociating itself from the two Russian sites. He declined to provide a link to the proxy ban policy because “it’s too late today.”) ITL also took down a separate news site, registered at the same time as WhoisWhos, that reported on the Russian-backed war in Ukraine from a pro-Russian perspective. Fontanka said its investigation strongly suggested the sites were linked to the Russian troll factory because of the similarities, in style and content, to sites run by the group.

Russian hackers are also apparently happy with ITL’s service. On one popular Russian crime forum, a user wrote that ITL’s support team “does not ask anything,” and that users can pay in anonymous Bitcoin currency.

All the companies link back to Dmitry Deineka, a Ukrainian national who lives in the country’s second-largest city, Kharkiv.

“I’m sorry, but we don’t give out information about our clients, that violates the NDA and company rules,” Deineka wrote to The Daily Beast by email. He denied that a “Russian troll factory” was among their clients.

Kashyrin added that intellectuals in Kharkiv, especially the IT crowd, dislike Putin and would not support his agenda.

“We never support Russian propaganda, because the headquarters of our company is in Ukraine,” he added.

But the explanation is hardly iron-clad. Residents of Kharkiv are predominantly Russian-speaking, and the city has been symbolically important to the Russian-backed separatist movement.

So Kashyrin pivoted again.

“It’s fun[ny], having Russian propaganda using Ukrainian company,” Kashyrin said, despite his claim moments earlier that he would never host Moscow’s agitprop. “It might be the reason these guys choose our company as the provider.”

ITL, an acronym that has different meanings including Integrated Technology Laboratory, is also registered as an LLC in Las Vegas, Nevada.

In emails to The Daily Beast, Deineka compared his company’s services to those of Amazon, “only much smaller,” and said he couldn’t confirm whether it was used to host BlackMattersUS or DoNotShoot.Us even if he wanted to.

Deineka reiterated that he does not have the troll factory or its aliases listed among his clients. “If that name was in a client’s profile, we would have immediately denied him services,” Deineka said.

“Let me try to explain the technical question,” Deineka wrote. “We are not hosting providers who put sites up. We provide VDS (virtual dedicated server) services and can’t check, without interrupting our client’s server operations, what the user does.

“The user can host sites, can use the VDS as a proxy-server, and so on,” Deineka added. “We’re like Amazon WS (Web Services), only significantly smaller. We rent servers, we don’t host sites.”

Amazon Web Services does, in fact, allow customers to host websites, and ITL’s website says it offers “convenient and fast hosting for sites.”

‘Now I’ve Got My Face Plastered on the Site!’

BlackMattersUs.com, which was hosted by Greenfloid, was revealed to be a Russian troll site earlier this month by the independent Russian news organization RBC. It sometimes posted content supplied by social media followers like Porsche Kelly, a poet who emailed them her poem after following BlackMattersUS on Instagram.

She was surprised when told by a reporter last week that the site was operated by Russian trolls. An editor had promptly responded to her email, saying the site was always happy to share “thoughtful and powerful messages.”

“And now I’ve got my face plastered on the site!” Kelly said.

Facebook, Linkedin, and Twitter have suspended social media pages related to the site.

But Greenfloid’s business continues. The most popular sites hosted by the companies are two MP3 downloading destinations and Bible.ru, which is a link to annotated bibles in Russian.

—with additional reporting by Joseph Cox