TLDR
- US, UK, and Australia jointly sanctioned Russian hosting service Zservers for supporting LockBit ransomware operations, including asset freezes and travel bans
- Zservers administrators Alexander Mishin and Aleksandr Bolshakov, along with 4 others, were blacklisted for providing infrastructure to cybercriminals
- Chainalysis traced $5.2 million in cryptocurrency transactions linked to Zservers, which used sanctioned Russian exchange Garantex
- Zservers helped LockBit affiliates evade detection by reassigning infrastructure and managing cryptocurrency payments
- The sanctions are part of a broader crackdown on bulletproof hosting services that shield cybercriminals from law enforcement

In a coordinated action on February 11, 2025, the United States, United Kingdom, and Australia imposed sanctions on Russian hosting service provider Zservers for its role in supporting the LockBit ransomware operation. The sanctions target the company, its UK-based front organization XHOST Internet Solutions LP, and several key individuals involved in its operations.
The sanctions package includes asset freezes and travel bans that effectively cut Zservers off from the global financial system. Any property or funds connected to the company in sanctioned jurisdictions are now blocked, and financial institutions face penalties for engaging with the sanctioned entities.
At the center of the sanctions are Zservers administrators Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov. According to authorities, these individuals provided bulletproof hosting services to cybercriminals and helped LockBit affiliates avoid detection by reassigning infrastructure.
The U.S. Treasury’s Office of Foreign Assets Control reports that Mishin played a direct role in managing cryptocurrency transactions linked to ransomware operations. This included handling payments for Zservers’ services used by multiple ransomware groups beyond LockBit.
Blockchain analytics firm Chainalysis revealed the scale of Zservers’ operation, tracking at least $5.2 million in cryptocurrency transactions connected to the company. The firm found that Zservers processed payments through the sanctioned Russian exchange Garantex and other high-risk platforms that had minimal know-your-customer requirements.
The UK government expanded its sanctions to include four additional individuals: Ilya Sidorov, Dmitriy Bolshakov, Igor Odintsov, and Vladimir Ananev. These individuals were connected to Zservers’ operations and the broader cybercrime network.
Canadian law enforcement provided evidence of Zservers’ direct involvement with LockBit operations. In 2022, authorities raided the home of a LockBit affiliate and discovered that the affiliate had been using Zservers’ services.
The investigation uncovered a pattern of deliberate assistance to cybercriminals. In one case, when a Lebanese organization complained about their IP address being used for ransomware attacks, Mishin claimed to have terminated the service. However, he secretly instructed Bolshakov to simply change the IP address for the attacker.
LockBit, which first appeared in 2019, has been responsible for major cyber attacks against organizations including Bangkok Airways, Accenture, and Canadian government services. In 2023, the group targeted the Industrial and Commercial Bank of China in a high-profile attack.
The sanctions represent part of a broader international effort to disrupt ransomware operations. In February 2024, a coalition of law enforcement agencies, including the FBI, NCA, and Europol, dismantled LockBit’s operational network by seizing its command and control systems.
Zservers, based in Barnaul, Russia, openly advertised its services on cybercriminal forums. The company provided infrastructure designed to shield criminal activities from law enforcement by masking identities, locations, and online operations.
Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, emphasized that services like Zservers enable attacks on critical infrastructure in the United States and internationally.
The U.S. State Department pointed out that Russia continues to provide safe harbor for cybercriminals who target American interests and those of its allies. This has led to increased focus on disrupting the support services that enable ransomware operations.
Recent years have seen multiple successful prosecutions of bulletproof hosting operators. These include the shutdown of Lolek Hosted in 2023 and the sentencing of Mihai Ionut Paunescu to three years in federal prison for operating PowerHost[.]ro.
The most recent data shows that law enforcement agencies continue to investigate and prosecute individuals involved in providing bulletproof hosting services to cybercriminals.