US levies sanctions on Russian bulletproof hosting service, Aeza Group, for its role in hosting ransomware, malware, and infostealers.

The U.S. Department of the Treasury has imposed sanctions on Aeza Group, a Russia-based bulletproof hosting provider, for allegedly supporting a wide range of cybercriminal activities, including ransomware attacks, infostealer operations, darknet drug markets, and Russian disinformation campaigns.

Aeza Group is accused of providing infrastructure and specialized servers to major cybercriminal groups, such as the BianLian ransomware gang and operators of the Meduza, RedLine, and Lumma infostealers. The company also hosted infrastructure for BlackSprut, a major Russian darknet marketplace linked to drug trafficking, including fentanyl precursors.

Bulletproof hosting services like those offered by Aeza Group are designed to ignore abuse complaints and law enforcement takedown requests, giving cybercriminals a safe haven to host malware, launch attacks, and evade detection. Infostealers hosted by Aeza Group have been used to harvest personal data, passwords, and credentials from victims, which are then sold on darknet markets. The Lumma infostealer alone reportedly infected about 10 million systems before being dismantled in a global takedown in May 2025.

According to U.S. officials, Aeza Group’s infrastructure was used to target U.S. defense companies and technology vendors.

Sanctioned entities and individuals

The sanctions target not only Aeza Group, but also its affiliated companies, including Aeza International Ltd. (UK-based front company), Aeza Logistic LLC, and Cloud Solutions LLC (both Russia-based subsidiaries). Four key leaders of Aeza Group were sanctioned:

  • Arsenii Aleksandrovich Penzev (CEO and 33% owner)
  • Yurii Meruzhanovich Bozoyan (General Director and 33% owner)
  • Vladimir Vyacheslavovich Gast (Technical Director)
  • Igor Anatolyevich Knyazev (33% owner)

Implications and context

All property and interests in property of the designated entities and individuals within the U.S. or controlled by U.S. persons are now blocked, and U.S. persons are generally prohibited from conducting transactions with them. This action is part of a broader, coordinated international effort—especially with the UK—to disrupt the infrastructure that enables global cybercrime, following similar sanctions against other bulletproof hosting providers like Zservers earlier in 2025.

The Treasury emphasized that bulletproof hosting providers are a critical node in the cybercrime ecosystem, enabling ransomware attacks, technology theft, and illicit drug sales. These sanctions are intended to disrupt the technological and financial infrastructure supporting cybercriminals and signal continued international cooperation against cyber-enabled threats.

Aeza Group IP address blocks

Russia’s Aeza Group owns and operates several IPv4 and IPv6 address blocks, primarily under its autonomous system AS216246. The following are the main IP address blocks attributed to Aeza Group and its affiliates.

Aeza Group IPv6 Address Blocks

  • 2a01:e5c0::/36
  • 2a01:e5c0:1000::/36
  • 2a01:e5c0::/35
  • 2a0f:cdc6:2020::/44
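
An added example (not from the original article or the Treasury release) for checking flow records against the IPv6 prefixes listed above. The /35 entry already covers both /36 entries, so the list merges to two effective prefixes; the log format, field names, and sample addresses are constructed for illustration.

```python
import ipaddress

# IPv6 prefixes exactly as listed on this page for Aeza Group.
LISTED_V6 = [
    "2a01:e5c0::/36",
    "2a01:e5c0:1000::/36",
    "2a01:e5c0::/35",
    "2a0f:cdc6:2020::/44",
]

# Constructed sample flow records (format and addresses are illustrative only).
SAMPLE_LOG = """\
2025-07-02T10:00:01Z src=2001:db8::15 dst=2a01:e5c0:1abc::10 dport=443
2025-07-02T10:00:02Z src=2001:db8::15 dst=2a01:e5c0:2000::1 dport=443
2025-07-02T10:00:03Z src=2a0f:cdc6:2025::5 dst=2001:db8::20 dport=22
2025-07-02T10:00:04Z src=192.0.2.10 dst=2a0f:cdc6:2030::1 dport=53
2025-07-02T10:00:05Z src=not-an-ip dst=2a01:e5c0:0fff::beef dport=80
"""

def load_prefixes(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent networks."""
    nets = [ipaddress.ip_network(c.strip()) for c in cidrs if c.strip()]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def flag_records(log_text, prefixes):
    """Return (line_no, field, address, matching_prefix) for each hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token in line.split():
            field, _, value = token.partition("=")
            if field not in ("src", "dst"):
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed address: skip rather than abort the scan
            for net in prefixes:
                if addr in net:  # False when IP versions differ
                    hits.append((line_no, field, str(addr), str(net)))
                    break
    return hits

if __name__ == "__main__":
    prefixes = load_prefixes(LISTED_V6)
    print("effective prefixes:", [str(p) for p in prefixes])
    print(flag_records(SAMPLE_LOG, prefixes))
```

Prefix-to-operator assignments change over time, so a match is a lead for triage rather than proof of attribution.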

Treasury press release

Below is the full press release issued by the US Department of the Treasury on July 1, 2025.

WASHINGTON — Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world.  BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities.  OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders.  Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK.

“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.  “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”

Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH.  Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries. 

AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS

Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally.  Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims.  These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem.  

Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs.  Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide.  According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States.

OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. 

Aeza International Ltd. is the United Kingdom branch of Aeza Group.  Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators.

Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group.

OFAC is designating Aeza International Ltd., Aeza Logistic LLC, and Cloud Solutions LLC pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Aeza Group, a person whose property and interests in property are blocked pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306.

KEY AEZA GROUP PERSONNEL

Arsenii Aleksandrovich Penzev (Penzev) is the CEO and 33% owner of Aeza Group.  Penzev has been involved in multiple bulletproof hosting and illicit drug marketplace businesses and has been arrested by Russian law enforcement for his placement of illicit drug marketplace Blacksprut onto Aeza Group infrastructure.

Yurii Meruzhanovich Bozoyan (Bozoyan) is the general director and 33% owner of Aeza Group.  Bozoyan helped manage the finances of Aeza Group and was similarly arrested for his involvement in Blacksprut.

Vladimir Vyacheslavovich Gast (Gast) is the technical director for Aeza Group and works closely with Penzev and Bozoyan.  Gast manages Aeza Group’s internal network and oversaw the technical details of placing Blacksprut on Aeza Group infrastructure.

Igor Anatolyevich Knyazev (Knyazev) is the 33% owner of Aeza Group and is managing the company during the absence of Penzev and Bozoyan.

OFAC is designating Penzev, Bozoyan, Gast, and Knyazev pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being or having been a leader, official, senior executive officer, or member of the board of directors of Aeza Group.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated or blocked persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.  In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked persons. 

Violations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons.  OFAC may impose civil penalties for sanctions violations on a strict liability basis.  OFAC’s Economic Sanctions Enforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions.  In addition, financial institutions and other persons may risk exposure to sanctions for engaging in certain transactions or activities involving designated or otherwise blocked persons.  The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated or blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the Specially Designated Nationals and Blocked Persons List (SDN List), but also from its willingness to remove persons from the SDN List consistent with the law.  The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior.  For information concerning the process for seeking removal from an OFAC list, including the SDN List, or to submit a request, please refer to OFAC’s guidance on Filing a Petition for Removal from an OFAC List.