U.S. Arrests ‘Bulletproof Host’ Operators Tied to Ransomware, Dark Web, and Disinformation

U S Arrests Bulletproof Host Operators Who Are Tied To Ransomware Dark Web And Disinformation
Follow Us:
2.7k
1k

The U.S. Department of the Treasury recently penalized Russian hosting company Aeza Group for providing infrastructure to cybercriminals that ran ransomware attacks, drug markets, and disinformation campaigns.

The sanction issued against Aeza Group on July 1 is part of a bigger move by regulators cracking down on bulletproof host (BPH) services that offer what’s described as a “safe haven” to bad actors. Hosting providers with lax security or limited oversight may now face legal consequences if their services are used for illicit purposes.

Bradley T. Smith of the Treasury Department explained that bulletproof hosting is exactly what cybercriminals rely on for attacks, stealing U.S. tech, and selling black-market drugs.

“Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem,” Smith added.

What Makes a Host “Bulletproof” and Why Aeza Was Sanctioned

While BPHs are few and far between, they are real and often operate in jurisdictions with weaker regulations or standards on digital privacy and security.

The action against Aeza Group by the Treasury Department’s Office of Foreign Assets Control comes just months after the office sanctioned Russian BPH Zservers for its association with LockBit ransomware affiliates.

The term “bulletproof hosting” refers to web hosting providers that don’t respond to law enforcement requests, making them a perfect place to host:

  • Ransomware, malware, and phishing sites and infrastructure
  • Botnet command-and-control (C2) servers
  • Darknet marketplaces for drugs, counterfeited goods, etc.
  • Pirated media and copyright infringed content
  • Spam and scam infrastructure

Aeza Group is alleged to have ignored abuse complaints and law enforcement requests. While in operation, it either hosted or was tied to several threat actor groups:

  • BianLian ransomware group: A ransomware gang that encrypted files and threatened to leak data if a ransom wasn’t paid. Most of its victims are U.S. healthcare, education, and manufacturing infrastructure.
  • Lumma and Redline info-stealer dashboards: These malware-as-a-service (MaaS) platforms steal things like browser cookies, login credentials, crypto wallets, and session tokens, typically from U.S. tech companies, defense contractors, and average users.
  • Darknet marketplace BlackSprut: A Russian-based marketplace that focused on drug sales, including opioid and fentanyl, primarily targeting Russian and U.S. based buyers. It even had a Google Maps-style interface that showed drop-off points.
  • Associated with Doppelgänger disinformation campaign: A Russia-linked operation that copied otherwise legitimate U.S. news sites to spread false information, particularly pro-Kremlin propaganda.

Four Aeza Group personnel were identified and arrested by Russian law enforcement, including CEO Arsenii Penzev, general director Yurii Bozoyan, technical director Vladimir Gast, and co-owner Igor Knyazev.

They are held pursuant to Executive Orders 13694, 14144, and 14306, all of which give the U.S. Treasury the power to arrest anyone involved in cyber fraud, malicious cyber activity, even if done indirectly.

Hosts Are in the Crosshairs Whether They Know It or Not

Web hosts now sit at a crossroads: They may be unaware they’re hosting bad actors, but are legally responsible if they are found out. In this role, hosts have the choice to be passive enablers or enforcers.

The issue is that there is no blanket enforcement for many countries to actually “know thy customer.” And even when guidelines and regulations are in place, it’s easy to use forged documents, fake or stolen identities, prepaid cards or crypto, and proxy registration or VPNs.

Map of world - Malware impact by country based on Recorded Future Network Intelligence
Malware impact by country based on Recorded Future Network Intelligence. Credit: Recorded Future

While the U.S. and others are cracking down on BPH services, WIRED reported in June that cybercriminals are increasingly shifting from traditional bulletproof hosting to residential proxy networks and VPN services, which makes detection and takedown more difficult.

Insights from an Insikt Group study also showed that the number of command-and-control (C2) servers doubled in 2024 while management panels jumped by 69%.

Thibault Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED: “That’s the magic of a proxy service — you cannot tell who’s who. It’s good in terms of internet freedom, but it’s super, super tough to analyze what’s happening and identify bad activity.”

But criminals can evade detection at even the largest providers; there’s an industrywide lack of deep vetting and trust on who customers and end users are.

Host TypeIdentity VerificationRisk Level
Big Cloud providersLight KYC, automated onboardingModerate: They may have good response times and actions, but weak prevention
Reputable web hosts (with KYC)Photo ID, billing match, addressLow to Moderate: Even if there is weak prevention, cybercriminals prefer fast, no-questions-asked setups
Privacy/anonymity hostsAccept crypto, no ID neededHigh: Since anonymous signups and crypto-only payments are allowed
Bulletproof hostsNoneExtreme: Often ignores law enforcement and copyright notices with no questions asked

The fact is that most legitimate web hosts try to know their customers, but many still don’t really know who’s behind the keyboard, especially in regions with poor enforcement or where anonymizing tools are used.

Does that mean every web host provider needs to start requiring government-issued IDs? Maybe, but quite often, the real issues stem from what happens after threat actors have gained access and are actively using the infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already issued strong warnings about the onslaught of fast-flux/bulletproof hosting techniques, and suggests:

  • Use threat detection tools to better identify malicious domains/sites/IP addresses running on the network
  • Keep an eye on unusual DNS activity, like domains that often change IP addresses, have short TTLs, or have multiple IPs in different countries, which may suggest botnet behavior
  • Stay in contact with customers if any odd behavior is detected
  • Stay connected with cybersecurity teams, including government response teams, law enforcement, or trusted private companies, and share any suspicious domains and IPs with them
  • Set and enforce strong rules in your terms of service to shut down abuse quickly once it’s found (so no loopholes are presented)

The last thing a host needs is to be held liable because they overlooked a single customer.