On July 2, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Aeza Group, a Russia-based bulletproof hosting (BPH) service provider, for facilitating cybercriminal activities, including ransomware attacks and illicit drug trafficking. These sanctions also target Aeza Group’s subsidiaries—Aeza International Ltd. in the U.K., Aeza Logistic LLC, and Cloud Solutions LLC—as well as four individuals associated with the company:
– Arsenii Aleksandrovich Penzev: CEO and 33% owner of Aeza Group.
– Yurii Meruzhanovich Bozoyan: General Director and 33% owner.
– Vladimir Vyacheslavovich Gast: Technical Director working closely with Penzev and Bozoyan.
– Igor Anatolyevich Knyazev: 33% owner managing operations in the absence of Penzev and Bozoyan.
In April 2025, Penzev was arrested on charges of leading a criminal organization and facilitating large-scale drug trafficking by hosting BlackSprut, a dark web marketplace for illicit drugs. Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also detained.
Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith, stated, “Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs.” He emphasized the commitment to exposing the infrastructure and individuals underpinning this criminal ecosystem.
Bulletproof hosting services like those offered by Aeza Group are known for deliberately ignoring abuse reports and law enforcement takedown requests, often operating in jurisdictions with weak enforcement or intentionally vague legal standards. This resilience makes them attractive to cybercriminals for hosting malicious infrastructure, including phishing sites and command-and-control (C2) servers.
Headquartered in St. Petersburg, Aeza Group has been accused of providing services to various ransomware and information stealer families, such as BianLian, RedLine, Meduza, and Lumma. These tools have targeted U.S. defense industrial base and technology companies, among other victims worldwide.
Additionally, a report by Correctiv and Qurium in July 2024 detailed the use of Aeza’s infrastructure by the pro-Russian influence operation known as Doppelganger. Another threat actor utilizing Aeza’s services is Void Rabisu, the Russia-aligned group behind RomCom RAT.
This action follows the Treasury’s February 2025 sanctions against another Russian BPH provider, Zservers, for facilitating ransomware attacks by groups like LockBit. These sanctions are part of a broader effort to dismantle the ransomware supply chain by targeting critical enablers such as malicious hosting services, C2 servers, and dark web infrastructure.
As cybercriminals adapt their tactics, monitoring sanctioned entities, IP reputation scores, and abuse-resilient networks has become central to modern threat intelligence operations.