OFAC Sanctions Tron Wallet Linked to Russian Cybercrime Group Aeza

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has taken action against a Tron wallet associated with the Russian company Aeza Group. The firm is accused of offering bulletproof hosting services to cybercriminals, which have been used to facilitate illegal activities such as ransomware attacks, darknet drug markets, and other cybercrimes.

The OFAC's move targets the infrastructure of Aeza, which has been involved in various cybercrime activities, including data breaches, drug trafficking, and malware distribution. The wallet in question has processed over $350,000 worth of cryptocurrencies, which appear to have been laundered through multiple global exchanges.

In addition to the wallet, OFAC has listed four Aeza executives and four related entities on its Specially Designated Nationals list. Aeza is known for hosting the Russian darknet marketplace BlackSprut, a hub for fentanyl distribution. The company also provided infrastructure support to malware groups Meduza and Lumma, which have targeted U.S. defense and tech firms. According to the Treasury, Aeza has been a key enabler of cross-border cyber threats.

Bulletproof hosting providers like Aeza shield malicious actors from law enforcement scrutiny by renting out infrastructure while ignoring abuse complaints. This has made them essential for large-scale digital crimes. Chainalysis confirmed that the wallet’s cash-out activity matched Aeza’s service pricing, indicating direct payments from cybercriminal clients.

Furthermore, TRM Labs linked the wallet to Garantex, a Russian crypto exchange that had previously faced sanctions. Analysts found connections to infostealers and vendors operating on the darknet. Shortly after these designations, websites associated with Aeza and its partners went offline, suggesting that enforcement actions were effective.

This action is part of a broader global trend by OFAC to disrupt the infrastructure supporting crypto-enabled crime networks. Earlier in 2025, OFAC sanctioned Zservers for supporting LockBit ransomware. In April, it targeted Yemen’s Houthi-linked crypto wallets. In March, it blacklisted 49 wallets tied to Iran’s Nemesis darknet platform. These efforts demonstrate OFAC's commitment to tightening its grip on crypto-enabled crime networks worldwide.

The sanctions also include Aeza International Limited, a UK-based front company used to lease IP addresses to cybercriminals, and Aeza Logistic and Cloud Solutions, Russia-based subsidiaries of Aeza Group. The individuals sanctioned include Arsenii Aleksandrovich Penzev, the CEO and 33% owner, Yurri Meruzhanovich Bozoyan, the general director and 33% owner, Vladimir Vyacheslavovich Gast, the technical director, and Igor Anatolyevich Knyazev, another 33% owner of Aeza Group. Gast was responsible for the internal network of Aeza Group and oversaw the technical details of placing Blacksprut on the Aeza Group infrastructure. Penzev and Bozoyan have been arrested by law enforcement due to their involvement with Blacksprut, with reports indicating they began providing services to Blacksprut in 2023.

The designation underscores a growing trend by authorities to disrupt not just individual threat actors but also the infrastructure that enables their operations. As cybercriminals continue to exploit hosting services and payment channels to scale their reach, enforcement actions like this aim to reduce the surface area of abuse. Aeza Group’s role in facilitating global cybercrime illustrates how infrastructure providers can serve as critical enablers—and potential pressure points—for law enforcement and regulators alike.