Three countries have sanctioned the Russia-based hosting service Zservers for offering services to the notorious cryptocurrency ransomware gang LockBit. A Feb. 11 press release from the U.S. Treasury’s Office of Foreign Assets Control, Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign, Commonwealth & Development Office revealed a joint crackdown, sanctioning bulletproof hosting service provider Zservers and its UK-based front company, XHOST Internet Solutions LP. The sanctions include asset freezes, travel bans, and restrictions that cut Zservers off from the global financial system. This means any property or funds tied to them in sanctioned jurisdictions are blocked, and financial institutions risk penalties if they engage with them. For the unaware, bulletproof hosting service providers offer infrastructure designed to shield cybercriminals from law enforcement by masking identities, locations, and online activities. According to Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, bad actors rely on these services to orchestrate attacks on “US and international critical infrastructure.” The move also blacklists Zservers administrators Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, along with four other individuals tied to LockBit’s operations, cutting them off from global financial systems and imposing travel bans. You might also like: Phuket police arrest four Russian nationals accused of running crypto-ransomware attacks Zservers serviced clients beyond LockBit Authorities claim Mishin and Bolshakov, as Zservers administrators, provided bulletproof hosting to cyber criminals and reassigned infrastructure to LockBit affiliates to help them evade detection. Mishin also directed cryptocurrency transactions tied to ransomware operations , including payments for Zservers’ services used by multiple ransomware groups. According to a separate report from blockchain analytics firm Chainalysis, OFAC has added a crypto wallet linked to Mishin and three other wallets tied to Zservers to its Specially Designated Nationals list. Zservers was catering to a broad client base in the cybercrime world, the report added. Chainalysis traced at least $5.2 million in on-chain activity linked to Zservers, revealing that multiple ransomware affiliates beyond LockBit had sent funds to the service. Chainalysis also noted that Zservers cashed out through sanctioned Russian exchange Garantex and other high-risk platforms with little to no KYC enforcement. As previously covered by crypto.news, the LockBit ransomware group, first spotted in 2019, has been behind some of the biggest hacks and crypto extortion cases, including attacks on Bangkok Airways, Accenture, and Canadian government services. In February 2024, a global law enforcement coalition—including the FBI, NCA, Europol, and others—dismantled LockBit’s operational network by seizing its command and control systems. In December of that year, the U.S. Department of Justice charged a Russian national for working as a developer for the ransomware group. Read more: Russian ransomware generates over $500m in crypto proceeds, TRM Labs says
