The U.S. Treasury Department has levied sanctions against Aeza Group, a Russia-based "bulletproof hosting" provider, along with its leadership and a cryptocurrency wallet linked to the organization. The sanctions are a response to Aeza Group's alleged role in hosting ransomware and infostealer operations.
Aeza Group allegedly provides specialized servers and other computer infrastructure to cybercriminals, enabling them to conduct ransomware campaigns and steal sensitive information. The Treasury's Office of Foreign Assets Control (OFAC) has included in its sanctions a crypto wallet containing $350,000, several Russian and UK-based companies, and four Russian nationals who are allegedly owners or executives at Aeza.
According to OFAC, Aeza Group, based in St. Petersburg, has been providing bulletproof hosting (BPH) services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, BianLian ransomware, RedLine infostealer panels, and BlackSprut. Lumma reportedly infected approximately 10 million systems before being dismantled in a coordinated global effort in May.
Bradley T. Smith, the Treasury Department's acting under secretary for terrorism and financial intelligence, stated that "Cybercriminals continue to rely heavily on bulletproof hosting service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology and sell black-market drugs."
The sanctioned individuals include part owners Arsenii Aleksandrovich Penzev and Yurii Meruzhanovich Bozoyan, who were previously arrested by Russian law enforcement for alleged involvement in BlackSprut, as well as Igor Anatolyevich Knyazev and Vladimir Vyacheslavovich Gast, who hold leadership positions within the company. Aeza Group-affiliated companies, including UK-based Aeza International and Russia-based subsidiaries Aeza Logistic and Cloud Solutions, are also subject to sanctions. All four individuals and related companies will have their assets frozen in the U.S., and U.S. companies are prohibited from conducting business with them or the Aeza Group.
Chainalysis reported that the sanctioned Tron blockchain address functioned as an administrative wallet, managing cash-outs from Aeza's payment processor, forwarding funds to various crypto exchanges, and occasionally receiving direct payments for Aeza's services. TRM Labs added that the crypto address had regular cash-out points to payment services providers and is connected through intermediary addresses to other cybercrime services and the sanctioned Russian crypto exchange Garantex.
This action follows February's globally coordinated sanctions against Zservers, another Russia-based bulletproof hosting provider that allegedly supported the LockBit ransomware-as-a-service group. The U.S. government is actively working to disrupt the cybercrime ecosystem by targeting the infrastructure that enables these activities.
These sanctions highlight the U.S. government's increasing focus on cryptocurrency in the context of cybercrime and sanctions evasion. Virtual currency service providers (VCSPs) are facing increased scrutiny and are expected to implement robust compliance programs to prevent money laundering and terrorist financing. U.S. authorities are clamping down on crypto-related money laundering and tightening sanctions enforcement.