The United States, United Kingdom, and Australia have jointly imposed sanctions on Russia-based bulletproof hosting provider ZServers, accusing it of facilitating the notorious LockBit ransomware gang. The joint sanctions highlight rising international efforts to curb ransomware attacks linked to cryptocurrency payments.
ZServers and Its Alleged Role in Cybercrime
According to a February 11 announcement from the US Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign Office, ZServers and its UK-based front company, XHOST Internet Solutions LP, are now subject to asset freezes and travel bans. In addition to targeting the hosting service, authorities have sanctioned six individuals allegedly involved in supporting LockBit’s cyber operations.
Bulletproof hosting providers, like ZServers, are known to offer anonymity tools that mask users’ locations, identities, and online activities. According to Bradley Smith, acting undersecretary for terrorism and financial intelligence at the US Treasury, such services are crucial enablers of cybercriminal activities, making it easier for hackers to operate without detection.
Global Law Enforcement Action Against LockBit
The sanctions follow a multi-national crackdown on LockBit in February 2024, which involved law enforcement agencies from 10 countries. Authorities have accused LockBit of inflicting billions of dollars in damages through cyberattacks, including high-profile breaches targeting Australia’s Medibank and the US arm of the Industrial and Commercial Bank of China (ICBC).

LockBit operates on a ransomware-as-a-service (RaaS) model, encrypting victims’ files and demanding cryptocurrency payments to prevent data leaks or deletion. The group reportedly carried out over 7,000 attacks between June 2022 and February 2024, extorting nearly $1 billion in ransom payments.
Key Individuals and Sanctioned Crypto Wallets
Among the six individuals sanctioned are ZServers administrators Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, both Russian nationals. Authorities allege they played critical roles in directing LockBit’s crypto transactions and providing technical support for ransomware operations.
Additionally, blockchain analytics firm Chainalysis has linked multiple crypto wallets associated with Mishin and ZServers to illicit financial activities. These wallets have now been added to OFAC’s Specially Designated Nationals (SDN) list, meaning they are subject to US government sanctions.
This move echoes previous enforcement actions against Tornado Cash, a cryptocurrency mixer blacklisted by OFAC in August 2022 for allegedly facilitating the laundering of over $7 billion in illicit funds.
ZServers’ Onchain Activity and Links to Sanctioned Exchanges
Investigations into ZServers’ onchain activity indicate that various ransomware groups—including LockBit affiliates—have used its services to move and launder illicit funds. Chainalysis reports that ZServers received payments from multiple ransomware groups beyond LockBit, suggesting a wider criminal network operating through its infrastructure.
Moreover, ZServers has reportedly cashed out crypto through Garantex, a Russia-based exchange sanctioned by the US for money laundering. The firm also utilized merchant services and crypto exchanges that lack Know Your Customer (KYC) compliance, further complicating tracking efforts.
“In addition to ZServers’ nested infrastructure, we are able to use Reactor to visualize at least $5.2 million in onchain activity linked to high-risk and illicit entities,” Chainalysis stated in its report.
Broader Implications for Cybersecurity and Crypto Regulation
The latest sanctions underscore growing international collaboration in combating cyber threats and crypto-related crimes. While ransomware groups continue to exploit decentralized financial systems, governments are ramping up enforcement actions against service providers that enable their activities.
ZServers, which claims to offer hosting services in the US, Russia, Bulgaria, the Netherlands, and Finland, now faces significant legal and financial pressure. The crackdown serves as a warning to other bulletproof hosting providers, reinforcing the message that authorities will not tolerate infrastructure supporting ransomware attacks.
As regulatory scrutiny intensifies, crypto exchanges and DeFi platforms will likely face increased compliance requirements, especially regarding anti-money laundering (AML) measures. With sanctions tightening and compliance rules evolving, crypto firms and hosting providers face a stark choice: adapt to stricter regulations or risk being shut out of the global financial system.