US Sanctions Aeza Group for Facilitating Ransomware Operations

Generated by AI Agent Coin World
Wednesday, Jul 2, 2025 2:35 am ET

United States authorities have imposed sanctions on a cryptocurrency wallet linked to the Russia-based Aeza Group, which is accused of facilitating ransomware operations and darknet markets. The Treasury’s Office of Foreign Assets Control (OFAC) has designated the entire cyber infrastructure of Aeza Group, including its affiliated entities and four senior executives in leadership roles.

The group is alleged to have provided bulletproof hosting services, which allowed ransomware operators, malware distributors, and darknet vendors to evade detection and law enforcement, operating with impunity. The sanctions extend to Aeza International Ltd., a UK-based front company used to lease IP addresses to cybercriminals, as well as two Russia-based subsidiaries, Aeza Logistic LLC and Cloud Solutions LLC.

OFAC has also designated four senior executives, including CEO Arsenii Penzev and general director Yurii Bozoyan. Both executives were arrested by Russian law enforcement for their involvement in the darknet drug marketplace Blacksprut. Aeza’s infrastructure reportedly supported various cybercriminal groups, including Meduza and Lumma infostealer operators, BianLian ransomware, RedLine infostealer panels, and the now-defunct Blacksprut marketplace. These services enabled threat actors to steal sensitive data and siphon funds from global victims, including crypto users.

The designated crypto address, hosted on the Tron blockchain, was identified as an administrative wallet used to receive payments for Aeza’s services. Investigators found that the wallet processed over $350,000 in crypto and funneled payments through a third-party processor to obscure the financial trail. The wallet received direct payments from customers, including infostealer vendors, and routed illicit funds to various cryptocurrency exchanges.

Analysts observed that the payment patterns aligned with known pricing for Aeza’s hosting services, suggesting that infostealer vendors and other threat actors were likely among the group’s customers. Additionally, links were identified between the wallet and other cybercrime platforms through intermediary addresses, including connections to the sanctioned Russian crypto exchange Garantex.

Following the designation, websites linked to Aeza and its affiliates reportedly went offline. The action reflects authorities' growing focus on disrupting not just individual threat actors, but also the infrastructure that enables their operations. Aeza Group’s role in facilitating global cybercrime illustrates how infrastructure providers can serve as critical enablers of criminal activity, and therefore as potential pressure points for law enforcement and regulators alike.

Earlier this year, OFAC led a coordinated effort with the United Kingdom and Australia to sanction another Russia-based bulletproof hosting provider, Zservers, for offering infrastructure to the LockBit ransomware gang. Beyond infrastructure, OFAC has also been focused on dismantling crypto-based cybercrime financing. In April, the agency sanctioned eight crypto addresses used by Yemen’s Houthi movement to fund arms procurement and terrorist activities. Similarly, in March, OFAC blacklisted 49 crypto wallets tied to Nemesis, a darknet marketplace operated by an Iranian national. The site was involved in trafficking fentanyl and other synthetic drugs, processing nearly $30 million in sales using

and Monero before its seizure in 2024.