U.S. Government Imposes Sanctions on Russian Cybercrime Bulletproof Hosting Provider


US, UK, and Australia Crack Down on Zservers for Its Role in Cybercrime


Authorities from the United States, the United Kingdom, and Australia have imposed sanctions on Zservers, a Russian bulletproof hosting service that has been widely utilized by cybercriminals and ransomware organizations. The service, based in Barnaul, Russia, has been promoted in underground forums as a means to avoid detection and enforcement actions by law enforcement and cybersecurity experts.

The LockBit ransomware group, known for its extensive attacks, is among Zservers’ clients, utilizing the service to execute coordinated ransomware campaigns. On Tuesday, a collaborative statement from the U.S. Department of the Treasury, Australia’s Department of Foreign Affairs and Trade, and the British Foreign, Commonwealth, and Development Office announced this sanction against the hosting service.

“Today’s trilateral action reinforces our joint commitment to dismantling all facets of this criminal network, regardless of its location, to safeguard our national interests,” stated Bradley Smith, acting undersecretary of the Treasury for Terrorism and Financial Intelligence.

The sanctions also target six individuals associated with Zservers, including two key platform administrators. The sanctions prohibit banks and individuals from conducting any financial transactions with these entities.

Investigators uncovered that, apart from simply leasing server space, Zservers’ administrators, Alexander Mishin and Aleksandr Bolshakov, facilitated cryptocurrency transfers that directly supported various cybercrimes. Reports indicate that in 2023, when approached by a Lebanese company requesting the shutdown of an IP address linked to a LockBit operation, the administrators complied but continued to support the group’s activities by reallocating different IP addresses.

As part of the recent enforcement measures, British authorities also closed a related operation by the name of XHOST, linked to the Zservers infrastructure, which was instrumental in enabling ransomware attacks within the UK. Australian officials indicated that Zservers provided critical infrastructure for storing stolen data from the MediBank breach, which affected Australia’s largest private health insurance provider.

This recent crackdown follows a series of actions taken by law enforcement that dismantled LockBit ransomware servers earlier this year, allowing authorities to better identify the malware frameworks utilized by the group and its affiliates. The operation in which US and UK police seized LockBit infrastructure marked a significant step in combating this ongoing threat.

In light of these developments, both the EU and the U.S. have increased their sanctions efforts against cybercriminals, reflecting a broader strategy to disrupt cybercrime networks effectively.
