The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Russia-based bulletproof hosting (BPH) service provider Aeza Group for aiding threat actors in carrying out malicious activities targeting victims in the United States and globally.
The sanctions also apply to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well as Aeza Logistic LLC, Cloud Solutions LLC, and four individuals associated with the company:
- Arsenii Aleksandrovich Penzev, CEO and 33% owner of Aeza Group
- Yurii Meruzhanovich Bozoyan, general director and 33% owner of Aeza Group
- Vladimir Vyacheslavovich Gast, technical director who collaborates closely with Penzev and Bozoyan
- Igor Anatolyevich Knyazev, 33% owner of Aeza Group responsible for managing operations in the absence of Penzev and Bozoyan
Penzev was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking by hosting BlackSprut, an illicit drugs marketplace on the dark web. Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also apprehended.
“Cybercriminals heavily rely on BPH service providers like Aeza Group to execute disruptive ransomware attacks, steal U.S. technology, and trade black-market drugs,” stated Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.
“Treasury, in collaboration with the U.K. and other international partners, is committed to exposing the key nodes, infrastructure, and individuals supporting this criminal ecosystem.”
BPH services have been instrumental for threat actors because the providers often overlook abuse reports and law enforcement requests and operate in countries with lax enforcement or ambiguous legal standards. This makes them a resilient choice for attackers to host their malicious infrastructure, including phishing sites and command-and-control (C2) servers, without interruption or repercussions.
Based in St. Petersburg, Aeza Group is accused of providing its services to various ransomware and information stealer families, such as BianLian, RedLine, Meduza, and Lumma, some of which have targeted the U.S. defense industrial base, technology companies, and other victims worldwide.
Furthermore, a report by Correctiv and Qurium last July highlighted the use of Aeza’s infrastructure by the pro-Russian influence operation named Doppelganger. Another user of Aeza’s services is Void Rabisu, the Russia-aligned threat actor responsible for RomCom RAT.
The development follows the Treasury’s sanctions against another Russia-based BPH service provider named Zservers for facilitating ransomware attacks, including those orchestrated by the LockBit group.
Recently, Qurium also associated a Russian web hosting and proxy provider called Biterika with distributed denial-of-service (DDoS) attacks against two Russian independent media outlets, IStories and Verstka.
These sanctions are part of a broader initiative to disrupt the ransomware supply chain by targeting key facilitators like malicious hosting, C2 servers, and dark web infrastructure. Monitoring sanctioned entities, IP reputation scores, and abuse-resistant networks is crucial for modern threat intelligence operations as threat actors evolve their tactics.






