United States authorities have sanctioned a crypto wallet linked to Russia-based Aeza Group, accused of enabling ransomware operations and darknet markets.
According to the Treasury’s Office of Foreign Assets Control (OFAC), the designation targets Aeza Group’s entire cyber infrastructure, including affiliated entities and four individuals in leadership roles.
The group allegedly offered bulletproof hosting services that allowed ransomware operators, malware distributors, and darknet vendors to operate with impunity by evading detection and law enforcement.
The sanctions extend to Aeza International Ltd., a UK-based front company used to lease IP addresses to cybercriminals, as well as two Russia-based subsidiaries, Aeza Logistic LLC and Cloud Solutions LLC.
OFAC also designated four senior executives, including CEO Arsenii Penzev and general director Yurii Bozoyan, both of whom were arrested by Russian law enforcement for their involvement in the darknet drug marketplace Blacksprut.
Aeza’s infrastructure reportedly supported groups such as the Meduza and Lumma infostealer operators, BianLian ransomware, RedLine infostealer panels, and the now-defunct Blacksprut marketplace. These services allowed threat actors to steal sensitive data and siphon funds from global victims, including crypto users.
The designated crypto address, hosted on the Tron blockchain, was identified as an administrative wallet used to receive payments for Aeza’s services. According to Chainalysis, the wallet processed over $350,000 in crypto and funneled payments through a third-party processor to obscure the financial trail.
Investigators reportedly found that the wallet received direct payments from customers, including infostealer vendors, and routed illicit funds to various cryptocurrency exchanges.
A separate report from blockchain intelligence firm TRM Labs corroborated these findings, noting that the designated address showed “regular cash-out points to global cryptocurrency exchanges” and payment service providers.
Analysts observed that the payment patterns aligned with known pricing for Aeza’s hosting services, suggesting that infostealer vendors and other threat actors were likely among the group’s customers.
TRM also identified links between the wallet and other cybercrime platforms through intermediary addresses, including connections to the sanctioned Russian crypto exchange Garantex.
TRM said that websites linked to Aeza and its affiliates had gone offline shortly after the designation was announced.
“Today’s designations underscore a continuing trend of growing focus by authorities on disrupting not just individual threat actors, but also the infrastructure that enables their operations,” TRM said.
“Aeza Group’s role in facilitating global cybercrime illustrates how infrastructure providers can serve as critical enablers—and potential pressure points—for law enforcement and regulators alike.”
Earlier this year, OFAC led a coordinated effort with the United Kingdom and Australia to sanction another Russia-based bulletproof hosting provider, Zservers, for offering infrastructure to the LockBit ransomware gang.
OFAC targets crypto wallets
Beyond infrastructure, OFAC has also been focused on dismantling crypto-based cybercrime financing. In April, the agency sanctioned eight crypto addresses used by Yemen’s Houthi movement to fund arms procurement and terrorist activities. On-chain data showed over $45 million moved through Garantex in connection with these operations.
Similarly, in March, OFAC blacklisted 49 crypto wallets tied to Nemesis, a darknet marketplace operated by Iranian national Behrouz Parsarad. The site was involved in trafficking fentanyl and other synthetic drugs, processing nearly $30 million in sales using Bitcoin and Monero before its seizure in 2024.