The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group to assist threat actors in their malicious activities and targeting victims in the country and across the world.
The sanctions also extend to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well as Aeza Logistic LLC, Cloud Solutions LLC, and four individuals linked to the company –
- Arsenii Aleksandrovich Penzev, CEO and 33% owner of Aeza Group
- Yurii Meruzhanovich Bozoyan, general director and 33% owner of Aeza Group
- Vladimir Vyacheslavovich Gast, technical director who works closely with Penzev and Bozoyan
- Igor Anatolyevich Knyazev, 33% owner of Aeza Group who manages the operations in the absence of Penzev and Bozoyan
It’s worth noting that Penzev was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking by hosting BlackSprut, an illicit drugs marketplace on the dark web. Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also detained.
“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.
“Treasury, in close coordination with the U.K. and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”
BPH services have been godsend for threat actors as they are known to deliberately ignore abuse reports and law enforcement takedown requests, often operating in countries with weak enforcement or intentionally vague legal standards. This makes them a resilient option for attackers to host their malicious infrastructure, including phishing sites, command-and-control (C2) servers, without disruption or consequences.
Headquartered in St. Petersburg, Aeza Group is accused of leasing its services to various ransomware and information stealer families, such as BianLian, RedLine, Meduza, and Lumma, some of which have been used to target U.S. defense industrial base and technology companies and other victims worldwide.
What’s more, a report published by Correctiv and Qurium last July detailed the use of Aeza’s infrastructure by the pro-Russian influence operation dubbed Doppelganger. Another threat actor that has availed the services of Aeza is Void Rabisu, the Russia-aligned threat actor behind RomCom RAT.
The development comes nearly five months after the Treasury sanctioned another Russia-based BPH service provider named Zservers for facilitating ransomware attacks, such as those orchestrated by the LockBit group.
Last week, Qurium also linked a Russian web hosting and proxy provider named Biterika to distributed denial-of-service (DDoS) attacks against two Russian independent media outlets IStories and Verstka.
These sanctions form part of a broader effort to dismantle the ransomware supply chain by targeting critical enablers like malicious hosting, command-and-control servers, and dark web infrastructure. As threat actors shift tactics, monitoring sanctioned entities, IP reputation scores, and abuse-resilient networks is becoming central to modern threat intelligence operations.
