US sanctions crypto wallet tied to ransomware, infostealer host

By: Cointime, 2025/07/02 11:25

The US Treasury has sanctioned the Russia-based Aeza Group, along with its top brass and a crypto wallet connected to the service, for allegedly hosting ransomware and info-stealers. 

Aeza Group, a bulletproof hosting (BPH) services provider, allegedly sells access to specialized servers and other computer infrastructure to help cyber criminals conduct ransomware campaigns and steal sensitive info, the Treasury’s Office of Foreign Assets Control (OFAC) said on Tuesday.

OFAC’s sanctions also include an address with $350,000 in crypto, multiple Russian and UK-based companies, and four Russian nationals who allegedly partly own or are executives at Aeza.

Crypto users are frequently targeted with ransomware and info-stealers, with blockchain security firm CertiK attributing the bulk of the $2.1 billion in stolen crypto for 2025 so far to phishing attacks that steal sensitive information such as crypto wallet keys.

OFAC sanctioned a Tron blockchain address that was an administrative wallet, handling cash-outs from Aeza’s payment processor, forwarding funds to various crypto exchanges and occasionally receiving direct payments for Aeza’s services, blockchain analytics firm Chainalysis said on Tuesday.

“On-chain analysis and additional research indicate that Aeza relied on a payment processor to receive payments for hosting services, thereby obscuring the traceability of customer deposits,” the firm added.

[Image] The sanctioned Tron crypto address was an administrative wallet that handled payments for Aeza, says Chainalysis. Source: Chainalysis

Blockchain intelligence firm TRM Labs said on Tuesday that the crypto address also had regular cash-out points to payment services providers and is connected through intermediary addresses to other cybercrime services and the sanctioned Russian crypto exchange Garantex.

OFAC alleged that Aeza Group, based in St. Petersburg, provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace.

Aeza’s board of directors sanctioned

OFAC also sanctioned members of what it said was Aeza’s “board of directors,” made up of CEO and part owner Arsenii Aleksandrovich Penzev, general director and part owner Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev, another part owner.

It claimed that Knyazev is managing the business after Penzev and Bozoyan were arrested by Russian law enforcement over their alleged connection to the illicit dark marketplace Blacksprut.

The sanctions mean all US assets connected to Aeza and those named are frozen. It’s also illegal for people in the US to conduct any financial transactions or have business dealings with them under threat of civil and criminal penalties.

Global law enforcement targeting cybercrime infrastructure

Chainalysis said OFAC’s sanctions represent “another significant step” in targeting key cybercrime infrastructure.

“By sanctioning bulletproof hosting providers, the US government is attacking the supply chain that makes large-scale cybercrime possible, rather than just pursuing individual threat actors after attacks have occurred,” the firm said.

Meanwhile, TRM Labs said taking down businesses like Aeza reduces the “surface area of abuse” and provides “potential pressure points” for law enforcement to target in its ongoing war against cybercrime.
