The United States, Australia, and the United Kingdom have imposed sanctions on the hosting provider Zservers, accusing it of supplying infrastructure for cyberattacks orchestrated by the LockBit group. The sanctions also extend to two administrators of the service, who, according to authorities, managed cryptocurrency transactions and facilitated the group’s illicit activities.
The U.S. Department of the Treasury reported that in 2022, on a laptop seized from a LockBit affiliate, Canadian law enforcement discovered a virtual machine operating through an IP address subleased from Zservers. This device was running a command-and-control center for malware. That same year, a hacker acquired IP addresses from Zservers to coordinate LockBit’s operations. In 2023, the company once again provided infrastructure to one of the group’s affiliates.
Australian law enforcement emphasized that so-called “bulletproof” hosting providers are, in reality, incapable of shielding cybercriminals, as their infrastructure remains vulnerable to targeted actions by authorities. Such services play a pivotal role in attacks on critical infrastructure worldwide.
The sanctions also target XHOST Internet Solutions LP, which authorities describe as a “front company” for Zservers. Additionally, restrictions have been imposed on four employees. Any transactions by U.S., U.K., or Australian citizens and entities with those listed under the sanctions are now strictly prohibited. Their assets will be frozen, and violators will face fines.
These sanctions are part of an ongoing crackdown on LockBit. Previously, the U.S. State Department announced a reward of up to $10 million for information leading to the identification of the group’s leader, Dmitry Khoroshev, and up to $15 million for details regarding other key members and administrators. In recent years, authorities have also arrested several individuals linked to the group.
Since 2019, LockBit has targeted thousands of organizations across the globe, including Bank of America, Boeing, the U.K.’s Royal Mail, and Italy’s tax authority. Law enforcement estimates that the group has extorted up to $1 billion in ransom payments. In February 2024, as part of Operation Cronos, LockBit’s infrastructure was dismantled, with 34 servers and over 2,500 decryption keys falling into the hands of authorities—enabling the creation of a free tool to restore encrypted data.