U.S. authorities have imposed sanctions on a cryptocurrency wallet linked to Russia-based Aeza Group, a company accused of facilitating ransomware attacks and supporting darknet markets.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced that the sanctions target Aeza Group’s entire cyber infrastructure, including its associated entities and four senior executives.
Aeza Group is alleged to have provided bulletproof hosting services, enabling ransomware gangs, malware operators, and darknet vendors to operate freely while evading law enforcement.
The sanctions also apply to Aeza International Ltd., a UK-based front company reportedly used to lease IP addresses to cybercriminals, along with two Russia-based subsidiaries—Aeza Logistic LLC and Cloud Solutions LLC.
OFAC named four senior executives in the designation, including CEO Arsenii Penzev and General Director Yurii Bozoyan, both of whom were previously arrested by Russian authorities for their roles in the darknet drug market Blacksprut.
Aeza’s infrastructure is believed to have supported several major cybercriminal operations, including Meduza and Lumma infostealer operators, BianLian ransomware actors, RedLine infostealer control panels, and the now-defunct Blacksprut marketplace. These services enabled threat actors to steal sensitive information and siphon funds from victims worldwide, including cryptocurrency users.
The sanctioned cryptocurrency address, hosted on the Tron blockchain, was identified as an administrative wallet used to collect payments for Aeza Group’s services. According to blockchain analytics firm Chainalysis, the wallet processed more than $350,000 in cryptocurrency, using a third-party payment processor to obscure the financial trail and hinder tracing efforts.
Investigators discovered that the wallet received direct payments from clients—including infostealer vendors—and transferred illicit funds to various crypto exchanges.
A separate analysis by blockchain intelligence firm TRM Labs confirmed these findings, reporting that the wallet showed “regular cash-out activity to global cryptocurrency exchanges” and payment processors. Analysts noted that the payment patterns closely matched Aeza’s known pricing model, further suggesting that cybercriminals, including infostealer operators, were among Aeza’s clientele.
TRM also identified links between the wallet and other cybercriminal platforms via intermediary addresses, including connections to the sanctioned Russian cryptocurrency exchange Garantex.
Following the sanctions announcement, websites linked to Aeza Group and its affiliates reportedly went offline.
“Today’s designations highlight a growing focus by authorities on dismantling not just individual cybercriminals, but the infrastructure that enables their operations,” TRM stated.
Aeza Group’s involvement in facilitating global cybercrime illustrates the critical role infrastructure providers play in enabling threat actors—and how targeting them can serve as a strategic pressure point for law enforcement and regulators.
Earlier this year, OFAC, in coordination with the United Kingdom and Australia, also sanctioned another Russia-based bulletproof hosting provider, Zservers, for supplying infrastructure to the LockBit ransomware group.
OFAC targets crypto wallets
In addition to targeting cybercriminal infrastructure, OFAC has increasingly focused on disrupting cryptocurrency-based financing of illicit activities. In April, the agency sanctioned eight crypto addresses linked to Yemen’s Houthi movement, which were allegedly used to fund arms purchases and support terrorist operations. Blockchain analysis revealed that more than $45 million had flowed through the sanctioned Russian exchange Garantex in connection with these transactions.
Similarly, in March, OFAC blacklisted 49 cryptocurrency wallets associated with Nemesis, a darknet marketplace operated by Iranian national Behrouz Parsarad. The platform was involved in trafficking fentanyl and other synthetic drugs, generating nearly $30 million in sales through Bitcoin and Monero before it was taken down in 2024.

