On February 11th, 2025, the US Treasury Department, along with the UK and Australian governments, sanctioned the bulletproof hosting provider Zservers, their registered company name XHOST Internet Solutions LP, and six administrators for providing support to ransomware groups –particularly LockBit ransomware-as-a-service (RaaS) affiliates. Additionally, on February 12th, law enforcement in the Netherlands seized 127 servers used by Zservers/XHOST following a yearlong investigation of the hosting provider.
What is Bulletproof Hosting?
Bulletproof hosting (BPH) providers are hosting services that offer anonymity from law enforcement. They are part of the cybercrime-as-a-service ecosystem and sell access to servers and infrastructure for operating and conducting cyberattacks and other criminal activity. BPHs market themselves on dark web forums and use techniques in their networks and architecture that make it difficult for law enforcement to identify and track users paying for their services.
Analyst Comments
To assess these potential sanctions issues accurately, Arete will leverage Autonomous System Numbers (ASNs) associated with the hosting provider and the known cryptocurrency wallets the administrators use. Arete tracks ASNs and hosting providers used by threat actors as part of our robust attribution, tracking, and due diligence processes for compliance with the Department of the Treasury’s Office of Foreign Asset Controls (OFAC) and Anti-Money Laundering (AML) frameworks. As ASN and routing assignments change, Arete will continuously monitor the Zserver/XHOST infrastructure to capture its use by threat actors. Despite its widespread usage, XHOST infrastructure is not often the primary infrastructure leveraged by threat actors and was observed in only 2% of Arete ransomware and extortion engagements to date. Further, the law enforcement seizures of the Zservers and XHOST servers will render most of the currently registered infrastructure unusable by threat actors, further limiting the impact of potential sanctions on current and future engagements.
Sources
New UK sanctions target Russian cybercrime network
Russian bulletproof hosting service Zservers sanctioned by US for LockBit coordination
Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald
“Bulletproof” hosting providers – Cracks in the armour of cybercriminal infrastructure
Related Resources
![]()
Suspected North Korean Actors Pull off the Largest Crypto Heist in History
Bybit suffered a massive $1.4B Ethereum theft in 2025, linked to North Korean hackers. Learn how the attack happened and what it means for crypto security.
Read more![]()
AI Deep Dive Part 1: The History of AI
Explore the history of AI, from Alan Turing’s pioneering work to modern innovations like ChatGPT. Learn about key milestones, AI booms, winters, and the future of artificial intelligence in this deep dive into AI’s evolution.
Read more![]()
XWorm RAT Builder Targets Script Kiddies
A trojanized XWorm RAT builder targets new hackers, infecting over 18,000 devices worldwide and stealing credentials via Telegram, YouTube, and GitHub.
Read more
