US Treasury Sanctions Russia-Based Aeza Group for Facilitating Ransomware Campaigns

Generated by AI Agent Coin World
Tuesday, Jul 1, 2025 10:52 pm ET

The US Treasury has imposed sanctions on the Russia-based Aeza Group, its top executives, and a cryptocurrency wallet linked to the company. The sanctions target Aeza Group for allegedly providing bulletproof hosting (BPH) services that facilitate ransomware campaigns and the theft of sensitive information. The Treasury’s Office of Foreign Assets Control (OFAC) stated that Aeza Group sells access to specialized servers and other computer infrastructure to cybercriminals, enabling them to conduct malicious activities.

In addition to Aeza Group, the sanctions cover a cryptocurrency address containing $350,000 in crypto, multiple Russian and UK-based companies, and four Russian nationals who are either part owners or executives at Aeza. The sanctioned cryptocurrency address is an administrative wallet on the Tron blockchain, which handles cash-outs from Aeza’s payment processor and forwards funds to various crypto exchanges. This wallet occasionally receives direct payments for Aeza’s services, according to blockchain analytics firm Chainalysis.

Chainalysis further noted that Aeza relied on a payment processor to receive payments for hosting services, which obscured the traceability of customer deposits. Blockchain intelligence firm TRM Labs revealed that the sanctioned Tron crypto address had regular cash-out points to payment service providers and was connected through intermediary addresses to other cybercrime services and the sanctioned Russian crypto exchange Garantex.

OFAC alleged that Aeza Group, based in St. Petersburg, provided BPH services to various ransomware and malware groups, including the Meduza and Lumma infostealer operators, BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace. The sanctions also target members of Aeza’s board of directors, including CEO and part owner Arsenii Aleksandrovich Penzev, general director and part owner Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev, another part owner. Knyazev is reportedly managing the business after Penzev and Bozoyan were arrested by Russian law enforcement for their alleged connection to the illicit dark marketplace BlackSprut.

The sanctions mean that all US assets connected to Aeza and those named are frozen. It is also illegal for people in the US to conduct any financial transactions or have business dealings with them, under threat of civil and criminal penalties. This move represents a significant step in targeting key cybercrime infrastructure, as it attacks the supply chain that makes large-scale cybercrime possible, rather than just pursuing individual threat actors after attacks have occurred. By taking down businesses like Aeza, law enforcement reduces the “surface area of abuse” and provides “potential pressure points” for ongoing efforts against cybercrime.
