Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work
A Russia-based company providing technical tools to ransomware gangs and digital drug dealers was sanctioned by the U.S. Treasury Department on Tuesday.
Aeza Group is a bulletproof hosting (BPH) services provider, the department said, that allows cybercriminals to avoid law enforcement while renting IP addresses, servers and domains used for disseminating malware, supporting darknet markets and carrying out other tasks related to fraud and cyberattacks.
In addition to targeting Aeza Group, Treasury officials said they are sanctioning two affiliated companies and four individuals who are company leaders. CEO Arsenii Aleksandrovich Penzev was cited for his role in owning and running Aeza Group. Penzev has allegedly been involved in multiple bulletproof hosting and illicit drug marketplace businesses.
Multiple Aeza Group leaders were arrested in April by Russian authorities on suspicion of leading a criminal organization and involvement in large-scale drug trafficking.
“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Bradley Smith, acting undersecretary of the Treasury for terrorism and financial intelligence.
Smith added that the sanctions were issued alongside officials in the U.K.’s National Crime Agency and other countries. The company’s website is currently down but it is registered as a legitimate business offering cybersecurity, web hosting and IT services.
“Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem,” he said.
Aeza Group is based in St. Petersburg and has allegedly provided hosting services to ransomware gangs like BianLian and the operators behind infostealing malware like RedLine, Lumma and Meduza. The Treasury Department accused Aeza Group of helping hackers target U.S. defense companies and technology firms.
The platform also helped BlackSprut, a long-running Russian darknet marketplace used to buy and sell illicit drugs, the Treasury said.
Cybersecurity researchers have previously linked Aeza Group to the pro-Kremlin disinformation campaign known as Doppelgänger, which has been active in Europe since at least 2022.
The subsidiaries facing sanctions include U.K.-based Aeza International as well as Aeza Logistic and Cloud Solutions. Alongside Penzev, general director Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast and part-owner Igor Anatolyevich Knyazev were all sanctioned.
Bozoyan was arrested in Russia with Penzev for his role in helping organize BlackSprut. Knyazev has been running the sites while Penzev and Bozoyan deal with their charges, according to the Treasury.
Criminal infrastructure under fire
The department said the action is part of a larger effort by U.S. law enforcement to shut down powerful tools used by organized cybercriminal gangs to perpetrate attacks.
Russia is home to multiple bulletproof hosting providers that assist in cyberattacks, including one reportedly used recently to target a media organization in the country.
In February, the Treasury Department partnered with officials in Australia and the U.K. to sanction another Russian bulletproof hosting service called Zservers as well as the Russian nationals behind the company.
A man suspected of owning a bulletproof hosting company was arrested in Spain last October amid a wider operation targeting one of the main members of the Evil Corp cybercrime group and a LockBit affiliate.
Lolek Hosted was taken offline by law enforcement in 2023 and the U.S. Justice Department sentenced 39-year-old Mihai Ionut Paunescu to three years in federal prison for his role in helping run bulletproof hosting service PowerHost[.]ro.
Russian national Aleksandr Grichishkin was handed a five-year sentence in 2021 for founding and operating a bulletproof hosting company while Pavel Stassi, 30, of Estonia, and Aleksandr Shorodumov, 33, of Lithuania, were both sentenced to more than two years in prison for running a bulletproof hosting organization that helped launch attacks against U.S. targets between 2009 and 2015.
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.