Sanction The Russians Keep The Pipes Open
The Aeza case shows how Western transit and legal shields keep Russian ransomware and disinformation online.
When the US Treasury sanctioned Aeza Group last July, the Russian hosting provider was already running some of the internet’s darkest operations. BlackSprut drug marketplace. BianLian ransomware. The sprawling Doppelgänger disinformation machine cloning Western media outlets.
Earlier that spring, Russian police had raided Aeza’s offices and arrested its founders on charges of running a criminal enterprise.
Yet the servers kept humming. The fake Der Spiegel articles kept loading. The ransomware stayed online.
The Aeza case exposes something uncomfortable: Western sanctions hit the bad guys while the companies keeping them online face zero consequences. The network’s survival shows how Russian state interests and organized crime have merged into a self-funding intelligence operation that exploits Western rules designed to protect internet freedom.
Aeza started as bulletproof hosting out of St. Petersburg, the kind that advertises on darknet forums promising to ignore abuse complaints. Founders Arseny Penzev and Yuri Bozoyan built an empire offering rock-solid reliability with one key feature: they’d never take your site down. Didn’t matter what you were doing with it.
The pitch was elegant. High-performance servers for $6 per month with guaranteed uptime. Western law enforcement be damned.
They owned their networks and IP addresses. When one got blacklisted, they’d switch to a new one. Like changing phone numbers when the cops get too close.
BlackSprut’s hosting fees paid for everything. The marketplace grabbed about 28% of global darknet drug sales after Hydra collapsed, but it wasn’t typical. It flew banners supporting Russia’s war in Ukraine. Blockchain investigators tracked over $350,000 flowing from Aeza through Garantex, a sanctioned Russian crypto exchange known for laundering ransomware money.
Drug money from Chicago and Berlin was funding servers that hosted fake French government websites.
Doppelgänger was the real prize. The campaign created perfect clones of Le Monde, Der Spiegel, The Guardian, even official French government sites. They’d run Facebook ads that sent people through sophisticated filters. Security researchers got harmless cooking blogs. Regular French citizens landed on sites that looked exactly right, reading about how sanctions were destroying Europe or Ukrainian corruption running wild.
The scale was massive. Thousands of fake domains using cheap extensions. When France reclaimed one domain through legal channels, operators registered a new one and pointed it at the same server within minutes.
Researchers identified Aeza as the hub, the one provider willing to ignore thousands of abuse complaints.
Those April arrests should have ended it. Moscow went after Penzev, Bozoyan, and their technical director on organized crime charges. Police raided offices on Zolnaya Street, former headquarters of Wagner PMC.
Game over, right?
The infrastructure kept running. Doppelgänger actually intensified before European elections. BianLian kept hitting hospitals. The explanation seems obvious: state capture. Russian security services likely made the founders the usual offer. Work for us or prison. Their freedom became the price for nationalizing the network.
Western governments saw it. Treasury designated Aeza and its subsidiaries that July, citing ransomware, credential theft, disinformation. The UK specifically called out Aeza International for destabilizing Ukraine. Sanctions were supposed to freeze assets, cut banking, force providers to disconnect them.
What happened was corporate shell games at remarkable speed.
Within 48 hours, a new UK company called Hypercore Ltd appeared. Smart Digital Ideas registered in Belgrade. Datavice incorporated in Uzbekistan. The strategy wasn’t even subtle: jump jurisdictions, create clean companies, keep the infrastructure running underneath.
Network monitoring made it obvious. On July 20, security researchers detected massive migration. IP addresses that belonged to Aeza suddenly announced themselves as Hypercore’s. Anyone visiting sites on that network experienced zero downtime. The infrastructure just changed its nameplate.
The new company’s network connected directly to the old sanctioned one. Same servers, new corporate identity.
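The migration described above is visible to anyone comparing routing-table snapshots. The following is an added example, not code from the article or from the researchers it cites: it flags address space that left a listed origin AS and reappeared under a new one, and notes whether the old AS is the new origin's direct upstream. All prefixes and AS numbers are constructed documentation values (RFC 5737, RFC 5398), and the function and field names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes and documentation ASNs only.
# None of these values belong to Aeza, Hypercore or any real network.
LISTED_ASNS = {64496}  # stand-in for the sanctioned origin AS
BEFORE = [  # (prefix, AS path seen by a collector; last hop is the origin)
    ("192.0.2.0/24", [64500, 64496]),
    ("198.51.100.0/24", [64500, 64496]),
    ("203.0.113.0/24", [64501, 64499]),
]
AFTER = [
    ("192.0.2.0/24", [64500, 64496, 64497]),     # new origin behind the old AS
    ("198.51.100.0/25", [64500, 64496, 64497]),  # more-specific slice, same story
    ("198.51.100.128/25", [64502, 64498]),       # new origin, no link to old AS
    ("203.0.113.0/24", [64501, 64499]),          # unrelated, unchanged
]

def find_rebrands(before, after, listed):
    """Group address space that left a listed origin AS by its new origin AS."""
    old = [(ipaddress.ip_network(p), path[-1])
           for p, path in before if path[-1] in listed]
    findings = defaultdict(
        lambda: {"prefixes": [], "direct_upstream_is_old_as": False})
    for prefix, path in after:
        net, new_origin = ipaddress.ip_network(prefix), path[-1]
        if new_origin in listed:
            continue  # still announced under the old name
        for old_net, old_origin in old:
            # Same block, or a more-specific slice of it, under a new origin.
            if net.version == old_net.version and net.subnet_of(old_net):
                hit = findings[new_origin]
                hit["prefixes"].append(str(net))
                # "Connected directly": old AS is the hop just before the origin.
                if len(path) >= 2 and path[-2] == old_origin:
                    hit["direct_upstream_is_old_as"] = True
    return dict(findings)

if __name__ == "__main__":
    for asn, hit in find_rebrands(BEFORE, AFTER, LISTED_ASNS).items():
        print(asn, hit)
```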



