Three nations have imposed sanctions on the Russia-based hosting service Zservers for providing services to the infamous cryptocurrency ransomware gang LockBit.
A joint effort by the U.S. Treasury’s Office of Foreign Assets Control, Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign, Commonwealth & Development Office resulted in the sanctioning of Zservers and its UK-based front company, XHOST Internet Solutions LP, as announced in a press release on Feb. 11.
The sanctions include freezing assets, imposing travel bans, and cutting off Zservers from the global financial system. This means that any property or funds associated with them in sanctioned jurisdictions are blocked, and financial institutions face penalties if they engage with them.
Bulletproof hosting service providers like Zservers offer infrastructure that helps cybercriminals evade law enforcement by concealing identities, locations, and online activities. According to Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, these services are utilized by bad actors to launch attacks on “US and international critical infrastructure.”
The sanctions also target Zservers administrators Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, as well as four other individuals connected to LockBit’s operations, restricting their access to global financial systems and imposing travel bans.
Zservers’ Client Base and Activities
The authorities allege that Mishin and Bolshakov, as Zservers administrators, provided bulletproof hosting to cybercriminals and helped LockBit affiliates evade detection. Mishin was also involved in directing cryptocurrency transactions related to ransomware operations, including payments for Zservers’ services used by multiple ransomware groups.
According to a report from blockchain analytics firm Chainalysis, OFAC has added a crypto wallet linked to Mishin and three other wallets associated with Zservers to its Specially Designated Nationals list.
Chainalysis revealed that Zservers served a wide range of clients in the cybercrime realm, with at least $5.2 million in on-chain activity traced back to the service. Multiple ransomware affiliates beyond LockBit were found to have sent funds to Zservers, which cashed out through sanctioned Russian exchange Garantex and other platforms with lax KYC enforcement.
LockBit, known for its involvement in major hacks and crypto extortion cases, was dismantled by a global law enforcement coalition in February 2024, with the seizure of its command and control systems. In December of the same year, the U.S. Department of Justice charged a Russian national with working as a developer for the ransomware group.