Disinformation, Malware and Drugs: Aeza’s cyber crime portfolio


In July 2024 Qurium released its second detailed report documenting the infrastructure associated with the Russian disinformation network dubbed “Doppelganger”. The report documented how Doppelganger operated in Europe in close association with cyber-criminal activities and affiliate advertisement networks, and the key role that the hosting and infrastructure provider “Aeza” played. Aeza and several volatile entities registered to operate bulletproof hosting providers served as the perfect cover for operating info stealers, malware campaigns and disinformation campaigns.

Just when you thought things couldn’t get any wilder, on 3 April 2025 we learned that several members of the Aeza Group, including two of their founders – Yuri Bozoyan and Arseny Penzev – were arrested for providing technical infrastructure to the darknet marketplace known as BlackSprut.

Telegram post from Mash.

According to Russian news sources including Fontanka, TASS and The Insider, the Meshchansky District Court of Moscow accused the group of creating a “criminal community” (OPS) and other offenses in connection with illegal banking activities (money laundering) as part of the OPS (part 2 of article 172 and part 1 of article 210 of the Criminal Code of the Russian Federation).

The published reports pointed out that Aeza had provided technical infrastructure for the marketplace for the past two years, including protecting it from Denial of Service attacks. The detention took place after an undercover Moscow police officer purchased 4.19 g of mephedrone from a pawnbroker connected to the marketplace.

According to Fontanka, employees of the Investigative Committee (IC) of Russia, together with thirty employees of the Ministry of Internal Affairs of St. Petersburg, conducted searches in the office of the Aeza Group at Zolnaya Street (former PMC Wagner Centre).

The people detained include:

  • Arseniy Penzev / Арсений Александрович Пензев (Founder)
  • Yuriy Bozoyan / Бозоян Юрий Меружанович (Founder)
  • Maxim Orel / Максим Александрович Орлов (B)
  • Tatyana Zubova / Татьяна Викторовна Зубова (B)
  • Georgy Lavrukhin / Григорий Александрович Лаврухин
  • Vladimir Gasta / Владимир Викторович Гаст

The MskHost leak – Exit Scams

The relationship between Arseniy and Yuriy – two of the founders of Aeza – can be traced back to 2019, when they worked together at the hosting company MskHost.

The origins of Aeza are likely connected to the “hack” of MskHost in September 2021. At that time the Aeza Group (INN: 7813654490) was named “ЕНОТКЛАУД” (Enotcloud) – a name that was used for a few months and then changed to “ПАРТНЕР” in November 2021. One year later (November 2022) “ПАРТНЕР” changed its name to “АЕЗА ГРУПП”.

The collaboration of Aeza with 4sever.su, responsible for the commercialization of stolen credentials, can be traced to the origin of one of the autonomous systems operated by Aeza: AS210352.

Just after MskHost was hacked, AS210352 was created by FourS-mnt (4Services.network), run by Marinko Evgeni Valentinovich (4server{.}su), who together with Igor Dekhtyarchuk “Floraby” was responsible for the Bayacc marketplace. The autonomous system changed to Partner LLC in December 2022 and finally to AEZA Group LLC in March 2024.

While there were always rumors that MskHost had been shut down, the company kept operating as Cloud Solutions LLC [1] [2]. In July 2024, Cloud Solutions LLC (ООО “Облачные Решения”) was again revamped with members of the MskHost team, including Mikhail Belov (Kazn) and Hayrov Alexander Igorevich (Хайров Александр Игоревич).

Arseniy and Yuriy have a history of involvement in projects that end in rug pulls or exit scams. MskHost, Sunhost, and Lethost are just a few examples of hosting ventures that disappear when challenges surface. It’s hard to believe they remained unnoticed by authorities.

BlackSprut front domains

BlackSprut (Блэкспрут) is a well-known Russian-language darknet marketplace (DNM). It has gained attention as one of the successors to Hydra, the massive and now-defunct DNM that was taken down in 2022 by German authorities.

The BlackSprut (Это будущее!) marketplace provided access to a large variety of drugs and ran as a Tor hidden service (.onion). To facilitate access, dozens of clearnet domain names bridged users and merchants into the website.

The first record we have of BlackSprut in Aeza is the domain bs2w{.}in, hosted at 185.106.93.93 in July 2023. The prefix was announced by Galaxy-as Shelter LLC, RU, where two bulletproof hosting providers, zerohost and areasoft, could be found. The same network also hosted command and control infrastructure of info stealers such as Aurora, and early front domains of Doppelganger were operating there in July 2022.

During our research we discovered several domain names that served as entry points to the BlackSprut market.

bs2best[.]at.
bs2c[.]io.
bs2clear[.]biz.
bs2clear[.]me.
bs2clear[.]name.
bs2site[.]at.
bs2site[.]cc.
bs2tor[.]shop.
bs2web10[.]shop.
bs2web3[.]shop.
bs2web6[.]shop.
bs2web9[.]shop.
bs2web[.]at.
bs2w[.]in.
bs2w[.]name.
bs2w[.]xyz.

The front-end domains ran on the following IP addresses:

138[.]124.29.222
176[.]124.220.185
176[.]124.222.0
185[.]106.93.93 (Shelter)
193[.]233.233.233 waf.aeza.net
77[.]91.76.0
79[.]137.192.2
79[.]137.192.228
85[.]192.56.1
89[.]169.53.164
94[.]228.170.0

Most interesting was the discovery that the prefixes used for the hosting, which are now part of the largest pool of IP space announced by Aeza, were announced by satellite ASNs in the past.

  • AS216319 SUNHOST-AS CHROMIS IT LTD, GB
  • AS216319 Chromis It Ltd
  • AS210352 server4-as Partner LLC, RU
  • AS211409 Galaxy-as Shelter LLC, RU
  • AS215826 PARTNER-AS AEZA GROUP LLC, RU

For example, the domains:

  • bs2best{.}at ran at 77.91.76.0 from January to March 2024.
  • bs2w{.}in ran at 79.137.192.2 from July to September 2023.

Both prefixes were used by Lethost, a bulletproof hosting provider that also ran one of the Doppelganger cloaking infrastructures, known as Kher.

A small sample of the malicious activity also hosted in the same network prefixes where BlackSprut front servers were found:

176.124.220{.}0/24 Redline
176.124.222{.}0/24 Redline
185.106.93{.}0/24 Aurora, SystemBC, AsyncRat, Doppelganger [Shelter]
193.233.233{.}0/24 AsyncRat, Doppelganger
77.91.76{.}0/24 StealC, Doppelganger [Sunhost]
79.137.192{.}0/24 Amadey [Lethost]
94.228.170{.}0/24 StealC
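The indicators above are published defanged (“[.]” and “{.}” in place of dots, trailing FQDN dots on the domains), so they cannot be pasted straight into a log search. The following script is an added example, not Qurium’s tooling and not part of the original report: it refangs the front domains, front IPs and the /24 activity table exactly as listed on this page, then scans log lines for them. The three sample log lines are constructed for the example. The distinction between an “exact” hit (an IP or domain listed individually) and a “prefix” hit (any other address inside one of the shared /24s, which also host unrelated tenants) is a design choice of this example, intended to keep the coarser prefix matches as context rather than as a verdict.

```python
import ipaddress
import re

# Indicators copied from the report, kept defanged as published. The page uses
# both "[.]" and "{.}" styles; a trailing dot is DNS FQDN notation.
FRONT_DOMAINS = [
    "bs2best[.]at.", "bs2c[.]io.", "bs2clear[.]biz.", "bs2clear[.]me.",
    "bs2clear[.]name.", "bs2site[.]at.", "bs2site[.]cc.", "bs2tor[.]shop.",
    "bs2web10[.]shop.", "bs2web3[.]shop.", "bs2web6[.]shop.", "bs2web9[.]shop.",
    "bs2web[.]at.", "bs2w[.]in.", "bs2w[.]name.", "bs2w[.]xyz.",
]
FRONT_IPS = [
    "138[.]124.29.222", "176[.]124.220.185", "176[.]124.222.0", "185[.]106.93.93",
    "193[.]233.233.233", "77[.]91.76.0", "79[.]137.192.2", "79[.]137.192.228",
    "85[.]192.56.1", "89[.]169.53.164", "94[.]228.170.0",
]
# /24 prefixes and the activity the report attributes to each one.
PREFIX_ACTIVITY = {
    "176.124.220{.}0/24": "Redline",
    "176.124.222{.}0/24": "Redline",
    "185.106.93{.}0/24": "Aurora, SystemBC, AsyncRat, Doppelganger [Shelter]",
    "193.233.233{.}0/24": "AsyncRat, Doppelganger",
    "77.91.76{.}0/24": "StealC, Doppelganger [Sunhost]",
    "79.137.192{.}0/24": "Amadey [Lethost]",
    "94.228.170{.}0/24": "StealC",
}


def refang(indicator: str) -> str:
    """Undo report-style defanging: '[.]' and '{.}' -> '.', strip the FQDN trailing dot."""
    return indicator.replace("[.]", ".").replace("{.}", ".").rstrip(".").lower()


DOMAIN_SET = {refang(d) for d in FRONT_DOMAINS}
IP_SET = {ipaddress.ip_address(refang(i)) for i in FRONT_IPS}
PREFIXES = [(ipaddress.ip_network(refang(p)), act) for p, act in PREFIX_ACTIVITY.items()]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames only: the dotted-quad form never ends in an alphabetic TLD, so IPs are not matched here.
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)


def classify_ip(ip: str):
    """Return ('exact', activity), ('prefix', activity) or None for one address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, activity in PREFIXES:
        if addr in net:
            # An IP listed individually in the report is a stronger signal than
            # merely sitting inside one of the shared /24s.
            return ("exact" if addr in IP_SET else "prefix", activity)
    if addr in IP_SET:
        return ("exact", "listed front IP, prefix activity not tabulated")
    return None


def scan_line(line: str) -> list:
    """Return (indicator, confidence, reason) for every report indicator seen in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        name = host.lower().rstrip(".")
        if name in DOMAIN_SET:
            hits.append((name, "exact", "BlackSprut front domain"))
    for ip in IPV4_RE.findall(line):
        verdict = classify_ip(ip)
        if verdict:
            hits.append((ip, verdict[0], verdict[1]))
    return hits


def scan_logs(lines) -> dict:
    """Map 1-based line number -> hits, keeping only lines with at least one hit."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}


# Constructed sample log lines (not from the report): one DNS answer and two proxy events.
SAMPLE_LOGS = [
    "2025-04-10T10:02:11Z dns client=10.0.0.5 qname=bs2best.at. type=A answer=77.91.76.0",
    "2025-04-10T10:02:12Z proxy client=10.0.0.5 dst=185.106.93.100:443 sni=bs2w.in",
    "2025-04-10T10:03:00Z proxy client=10.0.0.7 dst=93.184.216.34:443 sni=example.com",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        for indicator, confidence, reason in hits:
            print(f"line {n}: {indicator} [{confidence}] {reason}")
```

Run stand-alone, the script reports the first two sample lines and stays silent on the third. The second line illustrates the point of the two confidence levels: 185.106.93.100 is not on the report’s IP list, but it sits in the Shelter /24 that hosted Aurora, SystemBC and AsyncRat, so it is flagged as a prefix hit worth a look rather than as a confirmed BlackSprut front.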

Response from Aeza and infrastructure status

Aeza’s official response, in a statement on its VKontakte social network page:

“In the near future, Aeza Group LLC will complete the procedure for appointing a new general director, which will be the only significant change that does not affect the work or services of our Russian company”

According to a Telegram post, the third owner of Aeza – Igor Knyazev – is taking over as CEO of Aeza.

Aeza Group and Aeza International announce several hundred network prefixes. After the announcement of the detention of two Aeza founders, only a dozen network prefixes from Aeza International were returned to their original owner, AS39493 RU-KSTV – CJSC Kolomna-Sviaz TV. The change took place on 10 April 2025. There is no indication that any major changes in operations and infrastructure have taken place.