As AI advances, so do criminals’ tactics. See what TRM is doing to counter AI-enabled crime.

Solutions
Learn
Company
Request a demo
Search
Search
Insights
February 11, 2025

US, UK and Australia Target Zservers and LockBit Affiliates

TRM InsightsInsights
US, UK and Australia Target Zservers and LockBit Affiliates

Today, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with Australia’s Department of Foreign Affairs and Trade and the United Kingdom’s Foreign, Commonwealth & Development Office, announced sanctions against Zservers, a Russia-based bulletproof hosting service provider, for its role in supporting LockBit ransomware attacks. The designations included multiple Zservers employees and administrators, as well as the UK front company for Zservers, XHOST Internet Solutions LP.

LockBit is one of the most widely deployed ransomware variants and has been responsible for major cyberattacks, including the November 2023 breach of the Industrial Commercial Bank of China’s U.S. broker-dealer. Zservers has played a critical role in facilitating LockBit’s operations by providing specialized infrastructure designed to evade law enforcement detection and cybersecurity defenses.

Zservers has also supported other ransomware variants, including Dharma, Hive, VoidCrypt, and Venus Ransomware. 

Bulletproof Hosting Sites

A bulletproof hosting (BPH) site is a web hosting service that provides infrastructure designed to evade law enforcement detection and takedown efforts. These hosting providers often market themselves as tolerant of illegal or unethical activities, offering protection from domain seizures, legal complaints, and cybersecurity monitoring.

Bulletproof hosting providers are known for resisting law enforcement actions. They typically ignore abuse reports from authorities and cybersecurity firms, allowing cybercriminals to continue operating without disruption. Many of these services operate in jurisdictions with weak cybercrime enforcement, making it difficult for international authorities to shut them down.

Anonymity is another key feature of bulletproof hosting sites. These providers often accept cryptocurrency payments and require little or no verification from customers, making it difficult to trace the individuals using their services. When servers are flagged or blacklisted, bulletproof hosting operators quickly reassign new IP addresses or relocate services to different jurisdictions to avoid being shut down.

These hosting services are widely used by cybercriminals for activities such as ransomware operations, phishing campaigns, malware distribution, botnets, and darknet marketplaces. Ransomware groups, for example, use bulletproof hosting to operate command-and-control servers that manage ransomware infections. Phishing and fraud operations rely on these services to host fraudulent banking sites, identity theft operations, and credential-stealing campaigns. Botnets, which launch distributed denial-of-service (DDoS) attacks, often use bulletproof hosting to remain online even after being identified by cybersecurity researchers. Darknet marketplaces that facilitate the sale of drugs, weapons, and stolen data also depend on these hosting services to maintain their operations.

Zservers, the Russia-based hosting provider sanctioned today by OFAC, has been identified as a key enabler of LockBit ransomware affiliates. Investigations have shown that Zservers leased IP addresses, servers, and networking tools that were used in ransomware attacks. Administrators at Zservers also facilitated cryptocurrency transactions to sustain these cybercriminal operations.

By sanctioning Zservers and its administrators, international authorities are targeting the infrastructure that allows ransomware groups to thrive. This action reflects a growing effort to dismantle cybercriminal support networks, rather than just focusing on individual hackers.

Zservers: A Critical Enabler of Ransomware Attacks

Zservers, headquartered in Barnaul, Russia, has actively marketed BPH services on cybercriminal forums, offering LockBit affiliates access to IP addresses, servers, and networking tools used to launch ransomware attacks. Bulletproof hosting is a type of internet hosting service that offers greater leniency toward criminal or illicit activities. These services are designed to resist takedown efforts from law enforcement and cybersecurity firms, making them ideal for cybercriminals who need to host malware, phishing sites, command-and-control servers, and other illegal content.

In 2022, Canadian law enforcement discovered a LockBit affiliate using a Zservers-leased IP address to control ransomware malware. In 2023, a Russian cybercriminal purchased IP addresses from Zservers, likely for use as LockBit chat servers to coordinate ransomware operations. Zservers has a documented history of quickly reassigning new IP addresses to LockBit affiliates when prior ones were flagged by victims or law enforcement.

As part of today's action, OFAC also designated two Russian nationals, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, who serve as Zservers administrators. Mishin and Bolshakov have knowingly provided infrastructure support to LockBit and directed virtual currency transactions to sustain ransomware operations.

Lockbit despositing funds to Zservers as shown in TRM Graph Visualizer
Snapshot of Ransomware exposure to Zservers in TRM’s graph visualizer

A Coordinated International Crackdown on Ransomware

Today's sanctions build on recent international enforcement actions targeting the LockBit ransomware ecosystem.

February 2024: Takedown of LockBit’s Infrastructure

In February 2024, a joint operation involving the UK’s National Crime Agency, the U.S. Department of Justice, the FBI, and Europol disrupted LockBit’s core infrastructure. This operation led to the seizure of LockBit-controlled servers and websites, crippling their ability to conduct new attacks. The operation also identified LockBit affiliates and their on-chain financial transactions. TRM Labs' analysis estimated that addresses controlled by LockBit administrators and affiliates received over USD 200 million in Bitcoin transactions since 2022, with over USD 110 million still unspent on-chain.

May 2024: Identification of LockBit’s Leader

In May 2024, the United States and the United Kingdom jointly sanctioned Dmitry Yuryevich Khoroshev, the identified leader of LockBit, operating under the alias “LockBitSupp.” The U.S. Department of Justice unsealed an indictment against Khoroshev, charging him with conspiracy to commit fraud, extortion, and money laundering. The U.S. Department of State announced a financial reward for information leading to his arrest.

Findings from TRM Labs' 2025 Crypto Crime Report

The sanctions against Zservers come amid a sharp rise in ransomware attacks and shifting laundering tactics. According to TRM Labs’ latest report, ransomware remains one of the fastest-growing cyber threats, with 5,635 publicly reported attacks in 2024, surpassing 5,223 in 2023.

Ransomware groups are demanding record-breaking payments, including a USD 75 million ransom paid to the Dark Angels ransomware group in March 2024. Traditional cryptocurrency mixers are being replaced by cross-chain bridges, allowing criminals to move funds across multiple blockchains to evade detection. New ransomware groups, including Brain Cipher, dAn0n, DragonForce, Fog, Funksec, RansomHub, Sarcoma, and Trinity, have emerged, targeting critical sectors like healthcare and government infrastructure.

A Larger Strategy to Combat Cybercrime

Today's action is part of a wider international effort to disrupt ransomware networks by targeting not only the attackers themselves but also the infrastructure and financial facilitators that sustain them.

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradl Smith. "Today’s trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security."

With $2.2 billion stolen in crypto-related hacks in 2024, authorities are intensifying efforts to disrupt cybercriminal networks. By sanctioning infrastructure providers like Zservers, governments are working to cut off the technical and financial lifelines that enable ransomware groups to thrive.

This is some text inside of a div block.
Subscribe and stay up to date with our insights
arrow right
February 20, 2024

UK's NCA, U.S. DOJ, FBI and Europol Disrupt Lockbit Ransomware Group

arrow right
May 7, 2024

US and UK Authorities Identify, Sanction and Unseal Indictment Against Leader of LockBit Ransomware Group

arrow right
October 11, 2024

Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response

arrow right
February 10, 2025

Now Live: The 2025 Crypto Crime Report

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT