U.S. Arrests ‘Bulletproof Host’ Operators Tied to Ransomware, Dark Web, and Disinformation

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

The U.S. Department of the Treasury recently penalized Russian hosting company Aeza Group for providing infrastructure to cybercriminals that ran ransomware attacks, drug markets, and disinformation campaigns.

The sanction issued against Aeza Group on July 1 is part of a bigger move by regulators cracking down on bulletproof host (BPH) services that offer what’s described as a “safe haven” to bad actors. Hosting providers with lax security or limited oversight may now face legal consequences if their services are used for illicit purposes.

Bradley T. Smith of the Treasury Department explained that bulletproof hosting is exactly what cybercriminals rely on for attacks, stealing U.S. tech, and selling black-market drugs.

“Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem,” Smith added.

What Makes a Host “Bulletproof” and Why Aeza Was Sanctioned

While BPHs are few and far between, they are real and often operate in jurisdictions with weaker regulations or standards on digital privacy and security.

The action against Aeza Group by the Treasury Department’s Office of Foreign Assets Control comes just months after the office sanctioned Russian BPH Zservers for its association with LockBit ransomware affiliates.

The term “bulletproof hosting” refers to web hosting providers that don’t respond to law enforcement requests, making them a perfect place to host:

Aeza Group is alleged to have ignored abuse complaints and law enforcement requests. While in operation, it either hosted or was tied to several threat actor groups:

Four Aeza Group personnel were identified and arrested by Russian law enforcement, including CEO Arsenii Penzev, general director Yurii Bozoyan, technical director Vladimir Gast, and co-owner Igor Knyazev.

They are held pursuant to Executive Orders 13694, 14144, and 14306, all of which give the U.S. Treasury the power to arrest anyone involved in cyber fraud, malicious cyber activity, even if done indirectly.

Hosts Are in the Crosshairs Whether They Know It or Not

Web hosts now sit at a crossroads: They may be unaware they’re hosting bad actors, but are legally responsible if they are found out. In this role, hosts have the choice to be passive enablers or enforcers.

The issue is that there is no blanket enforcement for many countries to actually “know thy customer.” And even when guidelines and regulations are in place, it’s easy to use forged documents, fake or stolen identities, prepaid cards or crypto, and proxy registration or VPNs.

Map of world - Malware impact by country based on Recorded Future Network Intelligence
Malware impact by country based on Recorded Future Network Intelligence. Credit: Recorded Future

While the U.S. and others are cracking down on BPH services, WIRED reported in June that cybercriminals are increasingly shifting from traditional bulletproof hosting to residential proxy networks and VPN services, which makes detection and takedown more difficult.

Insights from an Insikt Group study also showed that the number of command-and-control (C2) servers doubled in 2024 while management panels jumped by 69%.

Thibault Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED: “That’s the magic of a proxy service — you cannot tell who’s who. It’s good in terms of internet freedom, but it’s super, super tough to analyze what’s happening and identify bad activity.”

But criminals can evade detection at even the largest providers; there’s an industrywide lack of deep vetting and trust on who customers and end users are.

Host TypeIdentity VerificationRisk Level
Big Cloud providersLight KYC, automated onboardingModerate: They may have good response times and actions, but weak prevention
Reputable web hosts (with KYC)Photo ID, billing match, addressLow to Moderate: Even if there is weak prevention, cybercriminals prefer fast, no-questions-asked setups
Privacy/anonymity hostsAccept crypto, no ID neededHigh: Since anonymous signups and crypto-only payments are allowed
Bulletproof hostsNoneExtreme: Often ignores law enforcement and copyright notices with no questions asked

The fact is that most legitimate web hosts try to know their customers, but many still don’t really know who’s behind the keyboard, especially in regions with poor enforcement or where anonymizing tools are used.

Does that mean every web host provider needs to start requiring government-issued IDs? Maybe, but quite often, the real issues stem from what happens after threat actors have gained access and are actively using the infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already issued strong warnings about the onslaught of fast-flux/bulletproof hosting techniques, and suggests:

The last thing a host needs is to be held liable because they overlooked a single customer.

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!