Besides proxying to try to mask their activities, wouldn’t those playing host to bad actors have to have some insight or notice some abnormal activity that might give away that someone may be abusing their services?
Or is it that there’s a mix of a financial & legal advantage to remaining as ignorant to that activity as possible for as long as possible up till push comes to shove & they’re being served a warrant?
Yeah, it depends on what you mean.
In many cases malware and phishing is hosted off other compromised sites. So, they build a list of Wordpress sites with vulnerabilities, and use the vulnerabilities to host their files on them. For example, imagine “legitimate-medical-site.net.com” is a real site. The attacker will use the exploit to upload malicious files in there somewhere like “legitimate-medical-site. net. com/qwertasdf/invoice.pdf”.
If the site gets blocked or shutdown it’s no loss to them.
Another technique, especially phishing wise, they will have a semi-plausible domain name (e.g. youbank-security-server .con). But they will register heaps of these. There are tonnes of top level domains that do next to no checking. These things cost a few bucks, so having it taken down is not a problem.
The combination of burner sites and domains mean they have a window of opportunity to run their attacks and scams before other protections kick in.