AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
The United States Treasury Department has intensified its efforts to combat cybercrime by targeting the Russia-based Aeza Group. On July 1, 2025, the Office of Foreign Assets Control (OFAC) added Aeza Group and three of its subsidiaries to the sanctions list. This action is in response to their involvement in providing “bulletproof hosting” services, which facilitate various illicit cyber activities, including ransomware and phishing attacks. OFAC has also sanctioned four key individuals associated with Aeza’s operations.
The Aeza Group is a significant player in the global cybercriminal ecosystem, providing critical infrastructure for ransomware attacks. These services, known as “bulletproof hosting,” are used to anonymize and protect the operations of cybercriminals worldwide. Bradley T. Smith, a Treasury official, highlighted the persistent danger posed by such providers and stressed the importance of taking decisive action against them.
Investigations into the Aeza Group have revealed a TRON cryptocurrency address with transactions exceeding $350,000. This address is linked to the BlackSprut dark market, which has handled over $900 million in cryptocurrency transactions and is suspected of trafficking chemicals, including fentanyl.
The sanctioned individuals are central figures in Aeza Group, managing its daily activities. The Treasury Department is committed to tracking and stopping cryptocurrency transactions tied to the blacklisted addresses, underscoring its determination to deter similar hosting services. Experts suggest that while the sanctions may reduce the hosting options available to ransomware groups, the broad global market for bulletproof hosting (BPH) services presents ongoing challenges. Users of cryptocurrency platforms are urged to implement stringent security practices, such as strong authentication and careful adherence to guidelines.
By freezing assets and forbidding U.S. entities from engaging with Aeza and its affiliates, the Treasury Department hopes to dismantle this cybercriminal network. Such efforts are part of a broader strategy to cut off resources from those who support or engage in illicit online activities globally. The sanctions extend to Aeza Group's subsidiaries, including Aeza International Ltd., Aeza Logistic LLC, and Cloud Solutions LLC, as well as four individuals linked to the company: Arsenii Aleksandrovich Penzev, Yurii Meruzhanovich Bozoyan, Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev. Penzev, the CEO and 33% owner of Aeza Group, was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking by hosting BlackSprut, an illicit drugs marketplace on the dark web. Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also detained.
The sanctions highlight the critical role that BPH services play in facilitating disruptive ransomware attacks, stealing technology, and selling black-market drugs. These services are known for ignoring abuse reports and law enforcement takedown requests, often operating in countries with weak enforcement or intentionally vague legal standards. This makes them a resilient option for attackers to host their malicious infrastructure, including phishing sites and command-and-control (C2) servers, without disruption or consequences. Headquartered in St. Petersburg, Aeza Group is accused of leasing its services to various ransomware and information stealer families, such as BianLian, RedLine, Meduza, and Lumma, some of which have been used to target defense industrial base and technology companies and other victims worldwide.
A report published last July detailed the use of Aeza's infrastructure by the pro-Russian influence operation dubbed Doppelganger. Another threat actor that has used Aeza's services is Void Rabisu, the Russia-aligned threat actor behind RomCom RAT. These sanctions form part of a broader effort to dismantle the ransomware supply chain by targeting critical enablers like malicious hosting, C2 servers, and dark web infrastructure. As threat actors shift tactics, monitoring sanctioned entities, IP reputation scores, and abuse-resilient networks is becoming central to modern threat intelligence operations. The development comes nearly five months after the Treasury sanctioned another Russia-based BPH service provider named Zservers for facilitating ransomware attacks, such as those orchestrated by the LockBit group.