Disclaimer: This post is a personal opinion piece based on publicly available reports, sanctions documents and investigative journalism. It may contain my interpretations and conclusions.
Pick a name: Aéza sounds catchy. You register Aéza, a St. Petersburg-based company. Aéza.net is still available, great. You develop a snappy landing page with big claims, beautiful graphics, and attractive pricing. Now you need a customer portal that follows the same design language and UX. You present yourself as a modern cloud solution, basically DigitalOcean or Vultr, but cheaper. According to your own marketing, you manage around 40,000 servers and control IP space estimated to be worth 2.4 million euros.
customers
Well, now that you have a neat name and website to sell your servers, you need some customers. But regular customers are already satisfied with their overpriced, underspec’d GoDaddy domain-included shared hosting… So who do you target? Cybercriminals: ransomware groups, botnet operators, anything that requires bulletproof hosting.
With you as their bulletproof infrastructure provider (which means you won’t comply with any law enforcement requests), these groups are free to commit any illicit activities they may desire. You host the infostealers Meduza, Lumma, and RedLine, as well as providing servers to the ransomware-as-a-service group BianLian. Your services are also used for attacks targeting U.S. defense and technology companies. (source)
Your customers also include the Russian government for the Doppelgänger operation, which was a disinformation campaign aimed at spreading pro-Kremlin propaganda across fake European news sites and social media accounts. This operation deserves a deep dive on its own. It was a really intricate, proven attempt by the Russian government to shift public opinion in Western European democracies toward its agenda. It was done using mass disinformation campaigns, among other insane strategies. You can read all about it (in German) here.
Don’t get confused though. You present yourself as an apolitical service provider, willing to provide infrastructure to anyone who is willing to pay. This is proven by the fact that during a period in summer 2024, when the Russian government throttled access to YouTube within Russia, you provided VPN services to users wanting to bypass that limitation. When Roskomnadzor sends you something, you simply forward it to your customer, and that’s that.
go international
With this sort of clientele, you have to expect some pushback from law enforcement and governments. It’s a lot easier for Western governments to cut you off if you’re just some Russian company, especially since Russia’s invasion of Ukraine. The easiest fix: Go international. You get Marat Timurov (KZ) and Paul Reeves (AU) to found Aéza International Ltd. in the United Kingdom (source). This UK entity is used to lease IP addresses for the business.
heat
On April 1st, 2025, the Russian government connected BlackSprut, a gigantic Russian darknet drug and weapons marketplace, to Aéza’s infrastructure. Management said that this infrastructure was being provided by a reseller of their servers, not themselves, and that they had terminated their contract because of many Spamhaus abuse reports. This explanation didn’t seem to suffice, as Aéza’s St. Petersburg offices were raided and top management, including co-founders Arseny Penzev and Yuri Bozoyan, were arrested. It’s obvious you don’t check for this type of abuse on your infra, nor do you care.
pivot
So when the United States government inevitably sanctioned your company, multiple crypto wallets, and your entire ecosystem on July 1st, 2025, you immediately migrated your infrastructure to a new AS (autonomous system). This is clear evasion, and it worked. You start a rebranding strategy to completely remove any connection between Aéza and your new infrastructure.
Your old AS210644 is now frozen. You move all of your IP ranges to the new AS211522, which is assigned to another new UK company called “Hypercore LTD,” registered by Patryk Drozda (PL) just two days after the sanctions hit (source). This company was later also identified as a “front” or “shell” company of Aéza, a sanctioned entity, and was thus quickly sanctioned as well. But the move still worked. It bought you time and kept your customers “happy.”
conclusion
Despite all of this, you can still go on Aéza.net right now, buy a server, and use it. How can this even be possible? Well, Aéza was only sanctioned by the United States of America, the United Kingdom, and Australia. The European Union has not sanctioned Aéza in any way, which means they are free to host their infrastructure and companies right here.
Furthermore, Aéza and companies like it are being enabled by other, more reputable European (and specifically German) networking service providers that supply them with connectivity. This is not only problematic because people are using those types of servers for DDoS attacks, drug marketplaces, or other low-level illicit activity. The real problem arises from the fact that these servers were provably being used by a malicious government to undermine and destabilize European democracy.
P.S. Here’s a fun fact:
Aéza’s office shared an address with Yevgeny Prigozhin’s Wagner Group headquarters. There is, however, no known link between Aéza and the troll factory.