US, UK, Australia sanction Zservers for hosting crypto ransomware LockBit

Authorities in the US, Australia, and the UK have sanctioned the Russia-based bulletproof hosting services provider Zservers for allegedly supplying services to the LockBit crypto ransomware gang.

The sanctions include asset freezes on Zservers and its UK-based front company, XHOST Internet Solutions LP, alongside asset freezes and travel bans for six individuals, the US Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign Office said on Feb. 11.

The US Treasury said bulletproof hosting service providers are known to sell a range of tools that can mask locations, identities, and activities online. The department’s acting under-secretary for terrorism and financial intelligence, Bradley Smith, said cybercriminals rely on third-party network service providers like Zservers to “enable their attacks on US and international critical infrastructure.”

Image source: Foreign, Commonwealth and Development Office

Authorities from ten countries launched a joint operation to disrupt LockBit in February 2024, alleging the group had caused billions of dollars in damage, including a hack on Australia’s insurance provider Medibank and the US arm of the Industrial and Commercial Bank of China.

LockBit uses ransomware, a type of malware that encrypts computer files and threatens to either delete or leak them unless the victim pays, usually with cryptocurrency.

Among the six individuals being sanctioned are two Zservers administrators — Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov — who were said to have a role in directing LockBit crypto transactions and supporting the gang’s attacks.

Blockchain analytics firm Chainalysis said in a Feb. 11 report that a crypto address linked to Mishin and three other wallets linked to Zservers are now on OFAC’s Specially Designated Nationals (SDN) list, meaning they’re targeted for special sanctions by the US government.

OFAC had added 44 Tornado Cash smart contract addresses to the list in August 2022, alleging that individuals had used the mixer to launder more than $7 billion worth of crypto.

Zservers’ onchain activity shows that various actors, such as ransomware groups and affiliates, sent funds to Zservers for its services, including “multiple different ransomware affiliates — beyond LockBit,” Chainalysis said in its report.

At the same time, the firm said Zservers had cashed out funds at the sanctioned Russia-based exchange Garantex, as well as at merchant services and exchanges that don’t enforce Know Your Customer (KYC) rules.

Chainalysis was able to track some of Zservers’ onchain activities and alleged connections to ransomware groups. Source: Chainalysis

“In addition to Zservers’ nested infrastructure, we are able to use Reactor to visualize its at least $5.2 million in onchain activity and thorough connectivity to the high-risk and illicit entities,” Chainalysis said.


Zservers’ homepage lists servers in the US, Russia, Bulgaria, the Netherlands and Finland, and claims to offer support, equipment, and custom configuration services.

LockBit was first noticed by authorities in September 2019 and is estimated to have extorted up to $1 billion over 7,000 cyberattacks between June 2022 and February 2024.
