
Zservers: Bulletproof hosting for online crime

Mar 11, 2025

On Feb. 11, 2025, Australia, the U.K. and U.S. levied sanctions against several Russian threat actors and Zservers, a hosting provider based in Barnaul, Russia. Authorities in the Netherlands seized 127 servers linked to Zservers, taking them off of the internet. The action marks another international effort that targeted cybercrime infrastructure and diminished the capabilities of threat actors who reside in Russia and cannot be arrested.

Zservers is a bulletproof hosting (BPH) provider that actively advertised on known cybercriminal forums. BPH is a term for providers that cater to online criminals by refusing to respond to abuse requests for activities such as spamming, malware hosting, command-and-control (C2) servers and others. BPH is critical infrastructure for criminals because internet connectivity is mandatory for carrying out malicious schemes. While it would seem easy to blocklist BPHs, the reality is much more difficult. BPH providers frequently change their names and company registrations, making it more difficult for upstream providers they may partner with to understand their intent. 

Zservers has operated in the open for more than a dozen years, facilitating connectivity for numerous ransomware affiliates and brands including LockBit, BianLian, Hunters International and other fraudsters. In announcing the sanctions, the U.S. State Department specifically criticized Russia, writing that the country “continues to offer safe harbor for cybercriminals where groups are free to launch and support ransomware attacks against the United States and its allies and partners.” This post will explore Zservers’ operators and how the sanctions may or may not impact its operations.

A translated version of Zservers’ website, which is in Russian, March 5, 2025.

Sanctions levied

Australia, the U.K. and the U.S. jointly imposed sanctions on Zservers, an associated front company called XHOST Internet Solutions LP and several Russian threat actors. According to Australia’s Minister for Foreign Affairs, it marked the first time the country levied sanctions against an entity and the first time it levied sanctions related to network infrastructure use for cybercrime. The U.K. Foreign, Commonwealth and Development Office sanctioned six individuals, Australia’s Department of Foreign Affairs and Trade designated five and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two. The sanctions freeze assets related to Zservers and its personnel, prohibit transactions with the group and in the case of Australia, ban individuals from traveling there. 

Those sanctioned were:

  • Aleksandr Sergeyevich Bolshakov (employee, sanctioned by Australia, U.K. and U.S.)
    • Personas: aaelbaswtlfnt
  • Aleksandr Igorevich Mishin (employee, sanctioned by Australia, U.K. and U.S.)
    • Personas: triplex560, alex560560, james1789, Ivan P. Klichko, James Pippen, sasha-brn
  • Ilya Sidorov (employee, sanctioned by Australia and U.K.) 
  • Dmitriy Bolshakov (employee, sanctioned by Australia and U.K.) 
  • Igor Odintsov (employee, sanctioned by Australia and U.K.) 
  • Vladimir Ananev (employee, sanctioned by U.K.)

Bolshakov is listed by Australia as Zservers’ owner, while the U.S. lists Mishin as the administrator. The U.S. accused Mishin of marketing Zservers to ransomware actors including LockBit and other groups “with the understanding that they would use those services in their cybercriminal activities.”

The U.S. further alleged Zservers received a complaint in 2023 from a Lebanese company alleging that a machine hosted on its network was involved in a ransomware attack related to LockBit. The U.S. alleges Mishin instructed Bolshakov to change the IP address of the malicious user and then told the Lebanese company the original IP address was cut off. However, Zservers allegedly assigned a new IP address to the LockBit user.

Sanctions are an option if individuals cannot be arrested. Although no criminal charges were announced by the three nations, it is possible those charges exist. U.S. federal prosecutors frequently convene grand juries to secure indictments but keep those documents under seal until a suspect is apprehended. This makes international travel risky, as it is possible they could be arrested on preexisting charges in an extradition-friendly country, which has occurred before, particularly with Russian or Eastern European individuals.

After the sanctions were announced, the actor triplex560 posted a message on the Exploit forum saying new orders would not be accepted but current customers could still request service.

Who is triplex560?

Mishin is identified in the sanctions by several personas he allegedly maintained on a variety of cybercrime forums, including triplex560. Intel 471’s intelligence collection returns many results for this persona. The nickname appears as far back as Jan. 20, 2006, on the Russian-language zloy.bz forum, which no longer exists, when Mishin would have been just 11 years old. The same nickname appears on xeksec.com, another defunct Russian-language cybercriminal forum, Aug. 9, 2010, related to an offer for hosting. It reads: 

We offer a hosting that is loyal to abuse.

+ Acceptance of payments via WebMoney.

+ Adequate pricing policy.

+ Individual approach to each client.

+ High UpTime.

+ Allowed: Drop projects, Exploits, Trojans, Botnets, Phishing, Satellites, adware, tds, etc.

+ Prohibited: Spam, fraud, pornography.

In our work, we use the ISP Manager website control panel. Thanks to this panel, you can manage your hosting account: manage all types of domains, FTP accounts, mailboxes and everything related to this.

The posting doesn’t mention the name of the service or Zservers. But three months later, triplex560 mentions the domain zservers.ru on zloy.bz. From then on, the triplex560 persona along with a new one, ZserverS, regularly posted advertisements for the hosting service on a range of forums including Antichat, Exploit, XSS, proxy-base.com and hackersoft.ru.

The service appeared to be well received by threat actors. On Jan. 18, 2020, the actor Dr.Samuil, a ransomware affiliate for several groups, provided a positive review on the Exploit forum:

Отличный и отзывчивый хостер, четкая работа в срок и хороший аптайм. Мои позитивные рекомендации за данный сервис. Успехов сервису и так держать!

Excellent and responsive hosting, precise work on time and good uptime. My positive recommendations for this service. Good luck to the service and keep it up!

Zservers had no unresolved issues or complaints from other threat actors.

Ransomware connections

Ransomware relies on BPH infrastructure. In addition to encrypting data, ransomware attackers often steal the data beforehand and then leverage it to create a “double extortion” threat. If an organization doesn’t pay to decrypt its data, it may pay to prevent the data from being published on a data leak site, or to have it removed once posted. This has proved to be an effective threat, even though ransomware groups may not follow through on their promise to delete the data.

These data leak sites are typically set up as hidden services on Tor, a network that can conceal where a website is hosted. Attackers typically host data leak sites on BPH providers and expose them only through Tor, which adds a further layer of anonymity on top of the provider’s refusal to act on abuse reports.

Zservers has had numerous documented connections with ransomware groups and other actors offering cybercrime services. Cryptocurrency analysis firm Chainalysis linked payments to Zservers from ransomware groups and affiliates such as LockBit, Mallox, Cryptolocker, Dharma, Phobos and Globeimposter. Zservers also received payments from initial access brokers (IABs) and darknet markets. The U.K. alleged LockBit affiliates used Zservers to launch attacks against organizations in that nation. Australia contends Zservers was also used by the BianLian ransomware group. Additionally, Chainalysis tracked how Zservers cashed out its cryptocurrency. It documented Zservers sending cryptocurrency to Garantex, a Russia-based exchange sanctioned by the U.S. in 2022 for not implementing anti-money laundering controls, along with other exchanges that do not follow know-your-customer (KYC) checks.

Zservers had a role in one of the most significant cybersecurity incidents in Australia. The Australian government says Zservers was used to host data stolen in an extortion attack in October 2022 against one of Australia’s largest health insurers. Australia attributed the attack to a Russian man, Aleksandr Ermakov, who appeared to have links to the REvil ransomware group. Ermakov was sanctioned by Australia, the U.S. and U.K. in January 2024, and he was arrested by Russia. According to one report, the Australian Signals Directorate (ASD), which is the nation’s signals intelligence agency, figured out the stolen health care data was hosted on Zservers infrastructure. ASD Director-General Abigail Bradshaw told the publication the agency has been studying bulletproof hosters. Its analysts created profiles of Zservers’ administrators, learning their social habits and routines. When a group of them went out for the evening, ASD deleted 520 GB of the stolen health care data.

It is unclear when ASD undertook this action, but Australia has been aggressive in running offensive cyber operations intended to protect itself. Bradshaw also told the publication ASD has deleted as much as 250 TB of data from adversary systems that has been stolen from Australia, the U.S., U.K. and other victims worldwide during intrusions.

One of several photos released by Amsterdam’s Cybercrime Team of seized equipment used by Zservers.

Data leaks, doxing

Despite the lack of complaints and disputes from its customers, Zservers suffered a malicious attack in 2024. The actor triplex560 posted an update on the Exploit forum July 27, 2024:

Such an attack could have been carried out or funded by a rival in the BPH business, but it was unclear who initiated it.

Then, a damaging data leak occurred around September 2024. The leak was posted on an online archival service and revealed details about triplex560’s alleged real-life identity, internal infrastructure, clients and payment information. The data included client email addresses, hosts, IP addresses and usernames.

The data leak includes this post, which offers more than 9,500 Zservers client records, including passwords and credit cards, for sale.

There also were multiple screenshots of triplex560’s accounts in administrative panels of several legitimate hosting providers. The actor purportedly ordered and resold these servers to clients. One screenshot depicts Zservers’ alleged account with the Netherlands-based hosting service provider Hostkey, which was registered under the Alexandr Mishin name.

Another screenshot in the data dump depicts a ransom note from members of the Hunters International ransomware group and a list of files apparently exfiltrated from a network of a European company attacked by members of the group in 2024. The implication was that the group or affiliates used Zservers for data exfiltration.

A screenshot of a Russian passport page included in the Zservers data leak.

This passport allegedly belongs to triplex560 and shows the first name Александр (Eng. Aleksandr) and 1994 as the birth year. Other fields are redacted, but the length of the surname and patronymic apparently fits the full name Mishin Alexander Igorevich.

Open source research into social media profiles as well as publicly leaked databases yielded numerous links to Mishin. For example, numerous email addresses that used the sash-brn prefix used similar logins and identical passwords. One of those email addresses was used for a VKontakte profile, which was registered to Мишин Александр (Eng. Mishin Aleksandr) and was associated with the triplex560 Skype ID. 

Another email address allegedly used by Mishin turned up in many different records, including in a public leak of the Russian SDEK delivery service; a Pikabu profile, which is a Russian social media platform; a WHMCS web hosting platform account, which shared the same phone number as a Gmail address; a Zservers support Skype ID; and a GitHub account.

Our research also revealed triplex560 accessed hacker forums and public services from IP addresses operated by multiple internet service providers (ISPs), most of which were associated with Barnaul or Biysk in the Altai territory of Russia.

The above information led us to conclude in November 2024 that Mishin Alexandr Igorevich is behind the triplex560 online persona. 

Conclusion

The Zservers website remains online. The service is not taking on new customers at this time but there are indications it may in the future. According to public WHOIS records, the autonomous system number (ASN) AS197414 is still registered to the XHOST Internet Solutions LP front company. The ASN announces two IP ranges: 87.251.64.0/24 is registered to XHOST and 185.170.144.0/24 is registered to the Estonia-based provider Vault Dweller OU. Both use the same abuse contact email [email protected]

The personas triplex560 and ZserverS have not been active on cybercrime forums since the sanctions were announced. However, other threat actors responded to the sanctions. On the Exploit forum, one predicted Zservers would rebrand itself as a new player in the hosting market. This would not be surprising, as rebranding offers numerous advantages. BPH providers have honed an internet version of the shell game that makes it difficult to permanently boot them. Changing the company name, for example, may make it easier for a BPH service to strike new connectivity agreements with network providers that have already figured out the abusive activity behind the old name. To obfuscate their activity further, BPH providers also buy new IP address ranges and connect with new ASNs. They also buy services from other nefarious BPH providers, using fast-flux hosting and routing malicious traffic through ever-shifting proxy and gateway servers in other regions. 

BPH services are highly sought-after by those in the cybercriminal underground, so we would expect any slack in the market would be taken up by other providers. Threat actors expect this as well. A different threat actor on Exploit offered another observation: Zservers wasn’t bulletproof at all, but rather a “typical resource seller” that could be “taken down at any time by a higher-level data center at the request of law enforcement agencies.” 

From a defensive perspective, targeting and blocking BPH providers is one of the most cost-effective defenses available and can often halt malicious activity early in the kill chain. Intel 471 tracks these IP ranges and ASNs. The key is operationalizing real-time threat intelligence about BPH services when there are changes. Blocking IP ranges associated with known or probable malicious behavior protects systems from being inadvertently infected. This also has another effect: it raises the cost for adversaries. If threat actors buying BPH services are not seeing a return on their investment, the BPH providers must expend more resources to change up infrastructure to provide services that are more resilient. This is a way to counter the cybercrime-as-a-service ecosystem as well as aid in defense.
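The blocking approach described above can be shown concretely. The following is an added example, not code from Intel 471 or from Zservers: it loads a small BPH blocklist, matches egress log lines against it, and computes the delta between two blocklist versions so that a refreshed feed can be pushed as a change rather than a full reload. The two /24 prefixes and AS197414 are the ones named in this article; the log lines, the “cidr,note” blocklist format, and the 192.0.2.0/24 placeholder in the refreshed list are constructed for the demonstration.

```python
"""Match egress log entries against a bulletproof-hosting (BPH) blocklist.

Added example, not Intel 471 or Zservers code. Prefixes and ASN are taken from the
article; log lines and the blocklist format are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed blocklist in the assumed "indicator,note" form. The prefixes and the
# ASN are from the article; the note text is ours.
BPH_BLOCKLIST = """\
# cidr,note
87.251.64.0/24,AS197414 XHOST Internet Solutions LP (Zservers front company)
185.170.144.0/24,AS197414 registered to Vault Dweller OU (Zservers)
"""

# Constructed refreshed feed: the second Zservers range has been retired and a
# placeholder documentation prefix (RFC 5737 TEST-NET-1) stands in for a new range.
BPH_BLOCKLIST_REFRESHED = """\
87.251.64.0/24,AS197414 XHOST Internet Solutions LP (Zservers front company)
192.0.2.0/24,PLACEHOLDER new range announced by a rebranded provider
"""


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    note: str


def load_blocklist(text: str) -> list[Indicator]:
    """Parse 'cidr,note' lines; blank lines and '#' comments are skipped.
    strict=False lets a feed list a host address inside a prefix without error."""
    indicators: list[Indicator] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, note = line.partition(",")
        indicators.append(Indicator(ipaddress.ip_network(cidr.strip(), strict=False), note.strip()))
    return indicators


def match_ip(ip: str, indicators: list[Indicator]) -> Indicator | None:
    """Return the first indicator whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for ind in indicators:
        if addr in ind.network:
            return ind
    return None


# Constructed firewall log lines: timestamp, internal source, destination, bytes out.
SAMPLE_LOG = """\
2025-03-05T10:01:12Z src=10.0.4.17 dst=87.251.64.23 out_bytes=52428800
2025-03-05T10:01:40Z src=10.0.4.17 dst=142.250.74.46 out_bytes=1820
2025-03-05T10:02:03Z src=10.0.7.9 dst=185.170.144.200 out_bytes=734003200
2025-03-05T10:02:11Z src=10.0.7.9 dst=185.170.145.3 out_bytes=4096
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) out_bytes=(?P<out>\d+)$")


def scan_log(log_text: str, indicators: list[Indicator]) -> list[dict]:
    """Flag each line whose destination lies inside a blocklisted prefix. Outbound
    volume is carried along: large transfers to a BPH host are the pattern seen
    when stolen data is staged on leak-site infrastructure, so they triage first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ind = match_ip(m["dst"], indicators)
        if ind is None:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                     "out_bytes": int(m["out"]), "note": ind.note})
    return hits


def blocklist_delta(old: list[Indicator], new: list[Indicator]) -> tuple[set, set]:
    """Prefixes to add and to retire when a refreshed feed arrives. BPH providers
    rotate ranges and ASNs, so a static list goes stale; pushing only the delta
    keeps firewall rules current without reloading the whole set."""
    old_nets = {i.network for i in old}
    new_nets = {i.network for i in new}
    return new_nets - old_nets, old_nets - new_nets


if __name__ == "__main__":
    current = load_blocklist(BPH_BLOCKLIST)
    for hit in sorted(scan_log(SAMPLE_LOG, current), key=lambda h: -h["out_bytes"]):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} ({hit['out_bytes']} B out): {hit['note']}")
    added, retired = blocklist_delta(current, load_blocklist(BPH_BLOCKLIST_REFRESHED))
    print("add:", sorted(map(str, added)), "retire:", sorted(map(str, retired)))
```

Note that 185.170.145.3 in the sample log is deliberately one octet outside the listed /24 and is not flagged; a blocklist only covers the ranges it is fed, which is why the delta step matters when a provider moves to new address space.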

For more information about BPH providers tracked by Intel 471, please contact us.
