The U.S. government has imposed sanctions on Russian hosting firm Aeza Group and its top executives for allegedly providing safe harbor to ransomware gangs, malware operators, and darknet drug platforms.
Aeza Accused of Operating as a Bulletproof Hosting Provider
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Aeza Group, a Russia-based hosting provider, for allegedly supporting a wide range of cybercriminal operations. According to OFAC, Aeza offered bulletproof hosting services to ransomware actors, infostealer campaigns, darknet drug markets, and Russian disinformation networks.
Bulletproof hosting providers are notorious in the cybercrime ecosystem for intentionally ignoring abuse complaints, refusing to respond to takedown requests, and shielding malicious clients from law enforcement. These services make it possible for threat actors to run malware infrastructure with minimal risk of disruption.
Aeza’s infrastructure reportedly hosted operations for:
- BianLian ransomware, known for double-extortion tactics targeting critical sectors.
- RedLine infostealer panels, which are used to harvest credentials and sensitive user data.
- BlackSprut, a Russian darknet drug marketplace that OFAC says delivered illicit substances to customers in the U.S. and around the world.
Connections to Disinformation and Criminal Activities
Beyond its role in cybercrime hosting, Aeza has also been linked to Doppelgänger, a pro-Russian disinformation campaign. This operation cloned legitimate news outlets across the U.S. and Europe to spread propaganda aligned with Russian geopolitical narratives.
Russian media had earlier reported arrests of Aeza personnel in connection with illegal banking activity and hosting services for the BlackSprut marketplace. These arrests were reportedly carried out in April and involved company leadership.
Sanctions Target Aeza Leadership and Affiliated Entities
The OFAC sanctions extend beyond the company itself to its key executives and associated businesses. The following individuals have been named:
- Arsenii Aleksandrovich Penzev – CEO and 33% owner of Aeza Group
- Yurii Meruzhanovich Bozoyan – General Director and 33% owner
- Vladimir Vyacheslavovich Gast – Technical Director
- Igor Anatolyevich Knyazev – 33% owner and interim manager
Also sanctioned are Aeza’s affiliated companies: Aeza International Ltd., Aeza Logistic LLC, and Cloud Solutions LLC. All assets under U.S. jurisdiction belonging to these individuals and companies will be frozen, and U.S. entities are now barred from conducting any business with them.
“Aeza Group has repeatedly hosted and supported the operations of ransomware actors, infostealer operators, and darknet criminal platforms while ignoring takedown requests,” OFAC stated.
Continued Pressure on Cybercriminal Infrastructure
This latest enforcement action builds on earlier sanctions announced in February 2025, when the U.S. Treasury targeted ZServers and Xhost—two other bulletproof hosting providers linked to the LockBit ransomware group and other criminal syndicates.
The growing number of sanctions reflects the U.S. government’s strategic approach to dismantling the cybercrime-as-a-service supply chain. By focusing on infrastructure providers that make attacks scalable and repeatable, authorities aim to disrupt the broader ecosystem that enables ransomware and infostealer operations to thrive.
Infrastructure Resilience Now Critical for Enterprise Security
As sanctions target bulletproof hosts and malware ecosystems, the reality for enterprises remains unchanged—ransomware and infostealer campaigns continue to evolve. Organizations must not only defend against direct intrusion but also prepare to recover from unexpected outages, breaches, or data encryption events.
In this threat landscape, maintaining immutable, offline backup environments is crucial. Enterprises can no longer rely solely on endpoint detection; they must have a guaranteed recovery path even if attackers succeed.