On February 11, 2025, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC), alongside the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) and Australia’s Department of Foreign Affairs and Trade (DFAT), jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for its role in supporting LockBit ransomware attacks. The coordinated action targeted not only the company itself but also two Russian nationals — Aleksandr Sergeyevich Bolshakov and Alexander Igorevich Mishin — along with three cryptocurrency addresses and a U.K. front company, XHOST Internet Solutions LP. This landmark enforcement action reveals a critical but often overlooked layer of the crypto crime ecosystem: the infrastructure providers that make ransomware operations possible.
The Exploit Mechanics
LockBit has historically been one of the most prolific Ransomware-as-a-Service (RaaS) groups in the world. The gang operates by developing ransomware tools and licensing them to affiliate attackers, who then deploy the malware against targets ranging from hospitals to financial institutions. LockBit was disrupted in a large, coordinated U.S.-U.K. takedown in February 2024, but its infrastructure and affiliate network have continued to pose a significant threat.
Zservers served as a critical enabler in this ecosystem. As a bulletproof hosting provider, Zservers allowed customers to pay for web hosting anonymously and was generally lenient on the content clients could host. According to the OFAC designation, Zservers had servers located in Russia, Bulgaria, the Netherlands, the United States, and Finland, offering server administration, support, equipment, and custom configuration services. The company also maintained aliases used to advertise its services on dark web forums, making it a one-stop shop for ransomware operators who needed reliable, anonymous infrastructure.
Affected Systems
The sanctions specifically targeted the financial infrastructure underpinning Zservers’ operations. Three cryptocurrency addresses associated with the company were added to OFAC’s Specially Designated Nationals (SDN) list, effectively freezing any assets held in those wallets and prohibiting U.S. persons from transacting with them. The U.K. Government characterized Zservers as “a key component of the Russian cybercrime supply chain” that “provides vital infrastructure for cybercriminals as they plan and execute attacks against the UK.”
Ransomware attacks have been a persistent priority for cybersecurity policy across the affected nations. Hospitals in the U.K. have been targeted by ransomware attacks, and the economic damage from these operations runs into the billions of dollars annually. Bitcoin, trading at approximately $95,747 on February 11, 2025, remains the primary payment rail for ransomware demands, though privacy coins and mixing services complicate tracing efforts.
The Mitigation Strategy
The coordinated sanctions represent a significant escalation in how governments are targeting the infrastructure layer of cybercrime, not just individual threat actors. By designating the hosting provider itself — and its front companies — the U.S., U.K., and Australia are signaling that providing services to ransomware groups carries real consequences, even if those providers claim ignorance of how their services are used.
For the crypto industry, the implications are substantial. Exchanges and wallet providers must now screen transactions against the newly added SDN addresses. Chainalysis, which provided on-chain analysis supporting the sanctions designation, has highlighted the growing role of blockchain analytics in identifying and disrupting ransomware financial networks. Ethereum, priced at approximately $2,602 on this date, also features in ransomware payment flows, particularly through decentralized exchanges and bridges.
Lessons Learned
The Zservers sanctions underscore several critical lessons for the cryptocurrency and cybersecurity communities. First, the threat landscape extends far beyond individual hackers or hacking groups — it includes an entire supply chain of service providers who knowingly or negligently facilitate criminal activity. Second, international coordination between law enforcement and regulatory bodies is becoming more sophisticated, with on-chain analysis playing an increasingly central role in building cases for sanctions and prosecutions. Third, the continued use of cryptocurrency as a ransomware payment mechanism means that the industry must invest heavily in compliance tools and transaction monitoring systems.
User Action Required
Cryptocurrency users and businesses should take immediate steps to ensure compliance with the new sanctions designations. Check all wallet addresses against the updated SDN list, particularly the three addresses associated with Zservers. Exchanges should update their transaction screening systems and train compliance teams on the new designations. Businesses that rely on third-party hosting providers should conduct due diligence to ensure they are not inadvertently using services connected to sanctioned entities. Finally, anyone involved in cryptocurrency transactions should maintain awareness of OFAC compliance requirements, as violations can result in severe civil and criminal penalties.
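The address check described above is easy to get wrong because address formats differ in case sensitivity: an Ethereum address compared byte-for-byte against an EIP-55 mixed-case entry will miss a lowercase copy of the same address, and bech32 Bitcoin addresses are case-insensitive while legacy base58 ones are not. The following is an added example, not code from the article or from OFAC; the list entries are constructed placeholders, not the addresses actually designated.

```python
"""Screen transfer counterparties against a sanctions address list.

Normalization rules applied before comparison:
  - ETH hex addresses: EIP-55 mixed case is only a checksum, so the
    address is the same regardless of letter case; compare lowercase.
  - BTC bech32 (bc1.../tb1...): case-insensitive by specification;
    compare lowercase.
  - BTC base58 (1..., 3...): case-sensitive; compare as-is.
"""
from dataclasses import dataclass

# Constructed placeholder entries (hypothetical), NOT the real SDN addresses.
SDN_ADDRESSES = {
    ("ETH", "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01"),
    ("BTC", "bc1qPLACEHOLDERexampleaddress00000000000000"),
    ("BTC", "1PlaceholderBase58ExampleAddr0000000000"),
}


def normalize(chain: str, address: str) -> str:
    """Canonical form of an address for the given chain."""
    a = address.strip()
    if chain == "ETH":
        return a.lower()
    if chain == "BTC" and a.lower().startswith(("bc1", "tb1")):
        return a.lower()
    return a  # base58 stays case-sensitive


SDN_NORMALIZED = {(c, normalize(c, a)) for c, a in SDN_ADDRESSES}


@dataclass
class Transfer:
    chain: str
    sender: str
    recipient: str
    tx_id: str


def screen(transfers):
    """Return (tx_id, role, address) for every counterparty on the list.

    Both sides of a transfer are checked, so an inbound deposit from a
    listed address is flagged as well as an outbound payment to one.
    """
    hits = []
    for t in transfers:
        for role, addr in (("sender", t.sender), ("recipient", t.recipient)):
            if (t.chain, normalize(t.chain, addr)) in SDN_NORMALIZED:
                hits.append((t.tx_id, role, addr))
    return hits
```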
Disclaimer: This article is for informational purposes only and does not constitute legal or financial advice. Always consult with qualified professionals regarding compliance obligations.
bulletproof hosting is the real backbone of ransomware and nobody talks about it. LockBit literally couldn't operate without these guys
breach_hunter exactly. take down the hosting and ransomware can't deploy. crypto addresses are the downstream problem
XHOST Internet Solutions as a UK front company is wild. How does Companies House not catch these registrations sooner?
xhost companies house registration was 8 months old with a virtual office address. basic due diligence would have caught it
shell_game_ Companies House needs actual KYC for registered agents. a virtual office and 8 month old shell company shouldn't pass basic AML checks
xhost_trail_ Companies House registering an 8 month old shell with a virtual office is embarrassing. UK AML enforcement is a joke
breach_hunter exactly. sanctioning the hosting provider does 100x more damage than sanctioning another wallet. cut the infrastructure not the money trail
Sanctioning three crypto addresses feels symbolic more than anything. The funds have probably moved through mixers already.
Olga K. three addresses is symbolic but it sets a precedent. OFAC has gotten better at tracing over the last couple years
sanctioning 3 wallets while the ransomware affiliates just generate new ones. OFAC needs to go after the fiat off-ramps not the chain
The RaaS model keeps evolving. Take down LockBit and three more groups pop up with the same hosting infrastructure.
Marek B. the RaaS affiliate rotation is endless. disrupt one brand and the same operators join the next one within a week. hosting sanctions actually hurt them more
Marek B. exactly. LockBit got disrupted and BlackCat and Akira filled the gap within weeks. RaaS supply chain is endless
Marek B. BlackCat and Akira filling the LockBit gap within weeks. the affiliate model means the talent pool just rotates brands
Bolshakov and Mishin operating freely in Russia tells you everything. OFAC sanctions mean nothing when the host country won't extradite
Aleksi V. exactly. the naming of individuals is performative when Russia provides safe harbor. Bolshakov is probably still managing infrastructure from the same Moscow office
DFAT alongside OFAC and FCDO is interesting. three jurisdictions coordinating on a hosting provider means they understand infrastructure is the actual target now