ZServers / XHost
Russia-based bulletproof hosting provider // Barnaul, Altai Krai, Russia // Active ~2010 to February 2025
Disrupted

Executive Summary and Provider Overview

Sanctioned Operators
Alexander Igorevich Mishin
Administrator / Sales Lead (OFAC)
DOB: 18 March 1994, Altai Krai, Russia
Location: Barnaul, Altai Krai (assessed; not arrested)
Handles: triplex560, alex560560, james1789, ZserverS, sasha-brn
BTC (OFAC): 3FfRvC3kSo2SxiQe5e7SSuNdegwgq8iusL
OFAC CYBER3 · UK FCDO · AU DFAT — Feb 11, 2025
Aleksandr Sergeyevich Bolshakov
Owner (AU) / Administrator (UK, OFAC)
DOB: 23 July 1994, Semipalatinsk, Kazakhstan
Location: Barnaul, Altai Krai (assessed; not arrested)
Handles: aaelbas, wtlfnt
Address: 97 Vzletnaya, Apt 170, Barnaul 656067, Russia
OFAC CYBER3 · UK FCDO · AU DFAT — Feb 11, 2025
Operational Status: Disrupted | Servers Seized: 127 | ASN: AS197414 (de-registered) | On-Chain Activity: $5.2M+ | Sanctioning Authorities: 3 | Individuals Sanctioned: 6 | Years Active: ~15

Quick-Reference Attributes

Common Names: ZServers; XHost; XHOST Internet Solutions LP; zservers.ru
Node Type: Bulletproof Hosting Provider
Status: Disrupted — February 2025
Entity Registration (ZServers): Russia — Barnaul, Altai Krai
Entity Registration (XHOST LP): United Kingdom — Limited Partnership (front company for ZServers)
Infrastructure Jurisdiction: Netherlands (primary — 127 servers seized in Amsterdam); Russia, United States, Bulgaria, Finland (secondary, advertised)
Operator Location: Russia — Barnaul, Altai Krai (Mishin and Bolshakov, per sanctions and OSINT)
Active Period: ~2010 to February 2025 (approximately 15 years; Intel 471: "more than a dozen years")
Primary ASN: AS197414 — de-registered (RIPE WHOIS record empty as of June 2026; last BGP announcement December 4, 2025; registered to XHOST Internet Solutions LP as of March 2025)
IP Ranges: 87.251.64.0/24 (XHOST); 185.170.144.0/24 (Vault Dweller OU, Estonia) — 0 prefixes announced by AS197414 as of June 2026; both ranges now originated by unrelated ASNs
Abuse Contact: abuse@isxhost.com (shared across both ranges)
Confirmed Upstream Provider: Hostkey (Netherlands) — confirmed via September 2024 data breach (Mishin account under real name)
Sanctions: OFAC CYBER3; UK FCDO Cyber Sanctions; AU DFAT — all February 11, 2025
Primary Clients: LockBit, Conti, BianLian, Hunters International; Mallox, Dharma, Phobos, Globeimposter; IABs; darknet markets
On-Chain Activity: $5.2M+ documented (Chainalysis Reactor); cash-out via Garantex and no-KYC exchanges
Blocklist Status: Historically listed — Spamhaus SBL/abuse.ch probable; specific entry IDs not publicly enumerated
State Nexus Tier: Tolerated Safe Harbor (Tier 2 of 4)

Overall Assessment

ZServers/XHost operated for approximately 15 years as one of Russia's most prominent bulletproof hosting providers, explicitly advertising crimeware-friendly services on Russian underground forums from at least 2010. Its primary administrator, Alexander Mishin (handle: triplex560), began advertising abuse-tolerant hosting on criminal forums with the zservers.ru domain circa 2010-2011; Intel 471 traces the persona to a forum post as early as January 2006. The provider's model centered on cryptocurrency-only anonymous payments, multi-jurisdiction hosting to resist law enforcement action, and a UK front company (XHOST Internet Solutions LP) to mediate relationships with Western data centers.

Coordinated US/UK/AU sanctions on February 11, 2025 and the Dutch National Police seizure of 127 Amsterdam servers on February 12-13, 2025 effectively dismantled its Western-facing infrastructure. Chainalysis documented at least $5.2 million in on-chain activity, with cash-outs through the sanctioned exchange Garantex. The Australian Signals Directorate independently deleted 520 GB of Medibank health data stored on ZServers infrastructure. AS197414 was still registered to XHOST in March 2025 and the website was still online at that point; by June 2026 the ASN had been de-registered and both of its former prefixes were being originated by unrelated ASNs. Forum commentary predicted a rebrand, but no confirmed successor brand has been publicly identified.

Lineage and Organizational Heritage

Brands and Entity Structure

Brand / Entity | Type | Role | Active Window | Confidence
ZServers / zservers.ru | Russia-based hosting company | Core BPH operation; primary entity | ~2010 to Feb 2025; residual post-takedown | Confirmed
XHOST Internet Solutions LP | UK Limited Partnership | Front/obfuscation layer for ZServers; holds AS197414; interfaces with EU data centers | Pre-2025 to sanctions Feb 11, 2025; ASN still registered March 2025 | Confirmed

UK sanctions explicitly state XHOST was "established to support and obfuscate relevant cyber activity by ZSERVERS, a Russian-based provider of bulletproof hosting." [3]

Predecessor Lineage

Analyst Inference No public evidence ties ZServers to prior-generation BPH brands such as Maxided or Yalishanda. Government designations treat ZServers as a distinct provider. The triplex560 persona's earliest confirmed hosting advertisement dates to August 2010 on xeksec.com; Intel 471 assessed "more than a dozen years" of operation as of 2025. Founding circa 2010-2011 is most consistent with the available evidence. [1]

Evidence Pillars

Infrastructure Continuity

Confirmed Clear continuity between ZServers and XHOST Internet Solutions LP: shared AS197414, shared abuse contact abuse@isxhost.com, 127 servers in Amsterdam confirmed as ZServers/XHost infrastructure by Dutch police and international LE statements. [1][2][3][5]

Personnel Continuity

Confirmed Mishin and Bolshakov identified as administrators by OFAC, UK, and AU. Intel 471 independently corroborated Mishin's identity via social media, leaked database records (SDEK, Pikabu), WHMCS account, GitHub, and Skype IDs — all converging on Mishin Alexander Igorevich in November 2024. Forum IPs traced to Barnaul/Biysk, Altai Territory. [1]

Financial Links

Confirmed OFAC listed one BTC address for Mishin and three digital currency addresses for ZServers. Chainalysis confirmed $5.2M+ on-chain activity with direct exposure to LockBit, Mallox, Dharma, Phobos, Globeimposter, IABs, and darknet markets. Cash-out via Garantex confirmed. [6][7]

Operator Profiles

2.1 Alexander Igorevich Mishin

Full Name: Mishin, Alexander Igorevich (Мишин Александр Игоревич)
Date / Place of Birth: 18 March 1994, Altai Krai, Russia
Address: Ul. Yubileynaya, D. 32, Barnaul, Altai Krai, Russia
Assessed Location: Russia (Barnaul / Altai Krai) — assessed; not arrested or extradited
Handles / Aliases: triplex560, alex560560, james1789, ZserverS, sasha-brn, PIPPIN James, KLICHKO Ivan P.
Role: Administrator; personally managed advertising on criminal forums and cryptocurrency payments
Forum History: zloy.bz from Jan 2006; xeksec.com Aug 2010 (verbatim ad); Antichat, Exploit, XSS, proxy-base.com, hackersoft.ru (ongoing to Feb 2025)
BTC Address (OFAC): 3FfRvC3kSo2SxiQe5e7SSuNdegwgq8iusL
Sanctions: OFAC CYBER3 (Feb 11, 2025); UK FCDO Cyber Sanctions (Feb 11, 2025); AU DFAT (Feb 11, 2025)
Legal Status: Sanctioned; at large in Russia; no public arrest or criminal indictment confirmed

2.2 Aleksandr Sergeyevich Bolshakov

Full Name: Bolshakov, Aleksandr Sergeyevich (Большаков Александр Сергеевич)
Date / Place of Birth: 23 July 1994, Semipalatinsk, Kazakhstan
Address: 97 Vzletnaya, Apt 170, Barnaul 656067, Russia
Assessed Location: Russia (Barnaul) — assessed; not arrested
Handles / Aliases: aaelbas, wtlfnt
Role: Owner per AU designation; implicated in 2023 IP reassignment episode (LockBit client reprotection)
Sanctions: OFAC CYBER3; UK FCDO; AU DFAT — all February 11, 2025
Legal Status: Sanctioned; at large in Russia; no public arrest

2.3 Additional Sanctioned Individuals (UK / AU Only)

UK FCDO designated six individuals total; AU DFAT designated five. Four beyond Mishin and Bolshakov:

Name | Sanctioning Authorities | Notes
Ilya Sidorov | UK FCDO, AU DFAT | Employee; specific role not publicly detailed
Dmitriy Bolshakov | UK FCDO, AU DFAT | Employee; relation to Aleksandr Bolshakov unclear from public sources
Igor Odintsov | UK FCDO, AU DFAT | Employee; specific role not publicly detailed
Vladimir Ananev | UK FCDO only | Employee; specific role not publicly detailed

Credible Full roles for these four individuals are an intelligence gap. Complete UK and AU sanctions notices may contain additional detail not indexed in public sources.

Disputed Assessments

No vendor disputes identified regarding ZServers' core identity, the XHOST front relationship, or Mishin/Bolshakov attribution. Successor infrastructure remains unconfirmed.

Operational and Business Model

Service Model

ZServers operated as a full-service bulletproof hosting provider: leasing dedicated servers, VPS instances, and IP address blocks to cybercriminal clients on an anonymous, cryptocurrency-only basis. Services explicitly included C2 hosting, ransomware operational portals, botnet C2, malware distribution, and phishing/fraud infrastructure. The provider explicitly guaranteed protection from law enforcement and abuse reporters, and advertised that criminals were welcome.

Verbatim Advertising Copy

triplex560 — xeksec.com, August 9, 2010 (earliest confirmed ZServers ad, verbatim)
"We offer a hosting that is loyal to abuse. + Acceptance of payments via WebMoney. + Adequate pricing policy. + Individual approach to each client. + High UpTime. + Allowed: Drop projects, Exploits, Trojans, Botnets, Phishing, Satellites, adware, tds, etc. + Prohibited: Spam, fraud, pornography."
Dr.Samuil (ransomware affiliate) — Exploit forum, January 18, 2020 (client review, verbatim)
"Отличный и отзывчивый хостер, четкая работа в срок и хороший аптайм. Мои позитивные рекомендации за данный сервис." [Trans: "Excellent and responsive hosting, precise work on time and good uptime. My positive recommendations for this service."]
Dutch National Police characterization — February 2025
"The company stood out because it advertised that online criminals were welcome to exploit criminal activities from its servers."
SecurityWeek summarizing ZServers marketing — February 16, 2025
"Zservers (XHost) offered its services to cybercriminals, guaranteeing that their identity would remain protected against law enforcement and offering them the possibility to pay anonymously through cryptocurrencies."

Onboarding and Vetting

Open signup with high anonymity: cryptocurrency payment, minimal or no KYC, remote provisioning. Forum-based advertising on Exploit, XSS, and Antichat constitutes implicit vetting — clientele self-selects from established underground forums. No invite-only or referral requirements confirmed. Full onboarding workflow details are an intelligence gap.

Pricing

No confirmed public price list. Homepage described servers in five countries with support, equipment, and custom configuration, implying tiered geographic and hardware offerings. Monthly subscription model inferred from BPH standard practice. Early 2010 ads listed WebMoney as a payment method; later operations shifted to cryptocurrency-only. Specific package names and prices are an intelligence gap.

Reseller Chain and Front Company

XHOST Internet Solutions LP (UK) functioned as ZServers' obfuscation and interface layer with Western infrastructure — a legal-entity wrapper used to contract with European data centers and handle formal correspondence. UK sanctions: XHOST was "established to support and obfuscate relevant cyber activity by ZSERVERS." [3]

The September 2024 data breach confirmed Mishin held a Hostkey (Netherlands) reseller account under his real name, confirming Hostkey as at least one upstream provider from which ZServers resold capacity. No additional named sub-reseller brands documented. This is an intelligence gap.

Abuse-Handling and LE Posture

Explicitly classified by OFAC as a provider that "ignores or evades law enforcement requests" and provided "specialized servers designed to resist law enforcement actions." [4][6]

A 2023 exception demonstrates selective, deceptive responsiveness: following a complaint from a Lebanese company about a ZServers-hosted LockBit IP, Mishin instructed Bolshakov to change the IP address, then falsely told the company the original IP was cut off — while secretly reassigning a new IP to the LockBit client. This preserves upstream ISP relationships without actually cooperating. [1][4]

OPSEC Posture

Anonymous cryptocurrency payments; pseudonymous forum advertising; UK front company for EU contracts; multi-jurisdiction infrastructure. Client communication likely via ticket panels (WHMCS-style), Jabber/XMPP, and Telegram. Specific panel domains and Telegram handles are an intelligence gap. OPSEC failed significantly in September 2024 (data breach exposing 9,500 client records and Mishin's upstream accounts).

Technical Capabilities and Infrastructure Footprint

ASN Registration and IP Ranges

ASN | Registered Name | IP Range | Abuse Contact | Status (June 2026)
AS197414 | XHOST Internet Solutions LP (registered to XHOST as of March 2025; RIPE WHOIS record now empty) | 87.251.64.0/24 | abuse@isxhost.com | De-registered; prefix now originated by AS200730
AS197414 | XHOST Internet Solutions LP (via Vault Dweller OU, Estonia) | 185.170.144.0/24 | abuse@isxhost.com | De-registered; last announced by AS197414 Dec 4, 2025; prefix now originated by AS50053

Confirmed RIPE RIS and WHOIS queried June 2026: the AS197414 WHOIS record is empty (no aut-num object exists); 0 of 327 RIS peers see any announcement originated by AS197414; 0 prefixes, 0 IPs advertised. The ASN has been de-registered. Last observed BGP announcement from AS197414: December 4, 2025, prefix 185.170.144.0/24 — approximately 10 months after sanctions. As of March 2025 the ASN was still registered to XHOST Internet Solutions LP (Intel 471 WHOIS verification); it was de-registered sometime between March and December 2025. First seen active: May 28, 2011. Full historical RIPE/ARIN allocations and additional ASNs are an intelligence gap. [1]

IP Space Reallocation — RIPE Verified June 2026

Both previously XHOST-associated IP ranges are actively routed as of June 5, 2026 by entities unrelated to AS197414:

87.251.64.0/24 is announced by AS200730, holder: ISAEV ISAEV Igor (324/327 RIS peers). AS200730 WHOIS returns empty records — same pattern observed with AS197414 post-de-registration. Relationship to ZServers operators unconfirmed. Analyst Inference — warrants monitoring as potential reconstitution signal or routine RIPE reallocation.

185.170.144.0/24 is announced by AS50053, holder: VDSKA-AS Anton Levin (324/327 RIS peers). No assessed connection to ZServers operators.
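The reconstitution check described in this section can be automated. The script below is an added example, not code from the original profile or from any vendor named on the page: for each prefix once originated by AS197414 it classifies the current origin ASN, the share of RIS peers that see the route, and whether the new origin has a populated WHOIS record. The two SAMPLE_* dictionaries are constructed inline in the shape of a RIPEstat prefix-overview response and a WHOIS lookup so the script runs offline; their values mirror what this page reports for June 2026, and the AS50053 registry attributes are placeholders. Replacing them with live RIPEstat and RIPE WHOIS output is an assumption about deployment, not something the page documents.

```python
"""Prefix reallocation watch for a de-registered ASN (added example)."""
import ipaddress
from dataclasses import dataclass

WATCHED_ASN = 197414
# Prefixes the profile ties to AS197414 (taken from the page).
WATCHED_PREFIXES = ("87.251.64.0/24", "185.170.144.0/24")

# Constructed sample: prefix -> current origin ASNs and RIS peer visibility.
SAMPLE_PREFIX_OVERVIEW = {
    "87.251.64.0/24": {
        "asns": [{"asn": 200730, "holder": "ISAEV ISAEV Igor"}],
        "seen_by": 324, "total_peers": 327,
    },
    "185.170.144.0/24": {
        "asns": [{"asn": 50053, "holder": "VDSKA-AS Anton Levin"}],
        "seen_by": 324, "total_peers": 327,
    },
}
# Constructed sample of WHOIS results: an empty dict means no aut-num object.
# The AS50053 attributes are placeholders, not its real registry record.
SAMPLE_WHOIS = {
    197414: {},
    200730: {},
    50053: {"as-name": "VDSKA-AS", "org": "ORG-PLACEHOLDER", "abuse-c": "PLACEHOLDER"},
}

STATUS_UNANNOUNCED = "unannounced"
STATUS_SAME_ASN = "reannounced_same_asn"
STATUS_REALLOCATED = "reallocated"
STATUS_REALLOCATED_EMPTY_WHOIS = "reallocated_empty_whois"


@dataclass(frozen=True)
class Finding:
    prefix: str
    status: str
    origin_asns: tuple      # ASNs currently originating the prefix
    visibility: float       # share of RIS peers that see the announcement
    note: str


def assess_prefix(prefix, overview, whois, watched_asn=WATCHED_ASN):
    """Classify one watched prefix; raises ValueError on a malformed CIDR."""
    ipaddress.ip_network(prefix, strict=True)  # reject host bits / typos early
    entry = overview.get(prefix, {"asns": [], "seen_by": 0, "total_peers": 1})
    origins = tuple(sorted(a["asn"] for a in entry["asns"]))
    visibility = entry["seen_by"] / max(entry["total_peers"], 1)
    if not origins:
        return Finding(prefix, STATUS_UNANNOUNCED, origins, 0.0,
                       "no origin seen by RIS peers")
    if watched_asn in origins:
        return Finding(prefix, STATUS_SAME_ASN, origins, visibility,
                       "watched ASN is originating the prefix again")
    empty = tuple(a for a in origins if not whois.get(a))
    if empty:
        return Finding(prefix, STATUS_REALLOCATED_EMPTY_WHOIS, origins, visibility,
                       f"new origin {empty} has no aut-num object; possible reconstitution")
    return Finding(prefix, STATUS_REALLOCATED, origins, visibility,
                   "routed by an ASN with a populated registry record")


def assess_all(prefixes=WATCHED_PREFIXES, overview=SAMPLE_PREFIX_OVERVIEW,
               whois=SAMPLE_WHOIS, watched_asn=WATCHED_ASN):
    return {p: assess_prefix(p, overview, whois, watched_asn) for p in prefixes}


def escalate(findings, min_visibility=0.5):
    """Prefixes worth an analyst's time: the watched ASN is back, or the new
    origin cannot be identified in the registry, and the route is widely
    visible (a route seen by only a few peers is usually a leak or transient)."""
    return [f.prefix for f in findings.values()
            if f.status in (STATUS_SAME_ASN, STATUS_REALLOCATED_EMPTY_WHOIS)
            and f.visibility >= min_visibility]


if __name__ == "__main__":
    results = assess_all()
    for f in results.values():
        print(f"{f.prefix:18} {f.status:24} origin={f.origin_asns} "
              f"visibility={f.visibility:.0%}  {f.note}")
    print("escalate:", escalate(results))
```

On the sample data the 87.251.64.0/24 finding escalates (new origin with no aut-num object, seen by 324 of 327 peers) while 185.170.144.0/24 does not, which is the distinction the analyst inference above draws. The visibility threshold matters: a prefix re-announced by the watched ASN but seen by only a handful of peers should be checked by hand before it is treated as reconstitution.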

Physical Infrastructure

Primary EU infrastructure concentrated at Paul van Vlissingenstraat colocation facility, Amsterdam, Netherlands — 127 servers seized here by Dutch National Police on February 12-13, 2025. Additional servers advertised in Russia, United States, Bulgaria, and Finland, suggesting leased rack or dedicated server arrangements at facilities in those countries. Whether seizures occurred outside the Netherlands is not confirmed.

Upstream Transit Provider Chain

The September 2024 data breach confirmed Mishin held a reseller account at Hostkey (Netherlands-based dedicated server provider) registered under his real name — establishing Hostkey as at least one upstream provider from which ZServers leased and resold capacity. [1]

No de-peering events prior to February 2025 appear in public reporting; the coordinated action went directly to sanctions and physical seizure rather than relying on upstream de-peering. Additional upstream ISPs providing transit to the Amsterdam facility are not documented in open sources. This is an intelligence gap that would require BGP historical data or network operator community records to close.

Resilience Features

Multi-jurisdiction advertising (five countries) as classic resilience pattern. OFAC: "specialized servers designed to resist law enforcement actions." Leased capacity from multiple upstream providers (Hostkey confirmed; others unconfirmed). IP rotation demonstrated in the 2023 LockBit episode. Fast-flux or anycast operations not documented in open sources.

Hosted Activity Types

Activity Type | Evidence Basis | Confidence
Ransomware C2 and operational infrastructure (LockBit) | OFAC, UK FCDO, AU DFAT, Chainalysis, TRM Labs, Reuters, The Record — LockBit affiliates explicitly cited using ZServers for chat servers and C2 | Confirmed
Ransomware infrastructure (Conti) | Dutch National Police press statements; SecurityWeek; SecurityAffairs | Confirmed
Data exfiltration / extortion site hosting | ASD found Medibank data (520 GB) on ZServers; Intel 471: Hunters International ransom note and exfil file list found in September 2024 ZServers data breach | Confirmed
Botnet C2 | Dutch National Police; Bleeping Computer; Cybernews; multiple press sources | Confirmed
Malware distribution (loaders, stealers, generic) | Dutch police; SecurityOnline; SecurityAffairs; multiple outlets | Confirmed
Ransomware infrastructure (BianLian, Hunters International) | Intel 471; AU DFAT Minister statement (BianLian); Infopercept (both) | Credible
Phishing / fraud infrastructure | 2010 ad explicitly listed phishing as allowed; LegalData; LE characterizations | Credible
DDoS-for-hire | No direct references in open sources | Analyst Inference

Blocklist Standing

Source / List | Status | Notes
Spamhaus SBL | Historically Listed (Probable) | Multiple sources characterize ZServers as BPH used for malware, botnets, and ransomware — consistent with SBL criteria. Specific SBL entry IDs, first-listing dates, and delisting events not documented in open sources. No public dispute filings by ZServers.
Spamhaus CBL / XBL | Historically Listed (Probable) | IP ranges associated with documented botnet C2. Specific entries not publicly enumerated.
Spamhaus DROP / eDROP | Probable | AS197414 and IP ranges consistent with DROP criteria (cybercrime-leased netblocks). Specific DROP list entries not confirmed in open sources.
abuse.ch Feodo Tracker | Historically Listed (Probable) | Documented ransomware C2 and botnet hosting makes Feodo Tracker entries for ZServers IPs likely. Not specifically cited in open-source reporting.
abuse.ch URLhaus | Historically Listed (Probable) | Malware distribution function suggests URLhaus entries for hosted payload URLs. Not publicly enumerated.
abuse.ch MalwareBazaar | Unknown | No direct references to MalwareBazaar entries in available reporting.
Firehol Level 1/2 | Probable | As an aggregator, Firehol almost certainly included ZServers-associated IPs given documented activity. Not specifically confirmed in reporting.

Summary: ZServers/XHost IP space is widely characterized as malicious infrastructure associated with ransomware, botnets, and malware distribution. Historical listings on Spamhaus SBL and abuse.ch are highly probable given the documented activity types, but specific entry IDs, first-listing dates, and delisting events are not enumerated in available open-source reporting. No evidence of ZServers challenging or disputing blocklist entries; operational posture was systematic non-cooperation.
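Whether or not specific entries existed, the practical question for a defender is how to consume a netblock list such as Spamhaus DROP and match it against observed traffic. The following is an added example, not code from the original profile or from Spamhaus: it parses the DROP text format (one "<cidr> ; <SBL reference>" entry per line, with ';' comment lines), answers point lookups and netblock-overlap queries, and scans constructed firewall-style log lines for listed sources. Because the page states that real DROP entries for ZServers space are not publicly confirmed, the sample list is CONSTRUCTED from RFC 5737 and RFC 3849 documentation ranges with placeholder SBL references; the log lines are likewise constructed. Pointing load_drop() at a downloaded drop.txt or dropv6.txt is an assumption about use, not something the page documents.

```python
"""Offline matching against a Spamhaus DROP-format netblock list (added example)."""
import ipaddress

# CONSTRUCTED sample in DROP text format; documentation ranges, placeholder refs.
SAMPLE_DROP_TEXT = """\
; Spamhaus DROP List -- CONSTRUCTED SAMPLE for this example, not a real export
; Last-Modified: (omitted)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
2001:db8:dead::/48 ; SBL000004

; a malformed line that a robust loader must skip rather than crash on
not-a-prefix ; SBL000005
"""

# CONSTRUCTED firewall-style log lines (key=value fields).
SAMPLE_LOG = [
    "2026-06-05T10:00:01Z action=allow src=198.51.100.77 dst=10.0.0.5 dport=443",
    "2026-06-05T10:00:02Z action=allow src=10.1.2.3 dst=10.0.0.5 dport=443",
    "2026-06-05T10:00:03Z action=deny src=2001:db8:dead:1::9 dst=2001:db8:1::1 dport=22",
]


def load_drop(text):
    """Parse DROP-format text into a list of (network, sbl_ref) tuples."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)
        cidr = parts[0].strip()
        if not cidr:                      # comment-only or blank line
            continue
        ref = parts[1].strip() if len(parts) > 1 else ""
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue                      # skip malformed entries, keep going
        entries.append((net, ref))
    return entries


def lookup_ip(entries, ip):
    """Return the (network, sbl_ref) entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return net, ref
    return None


def overlapping(entries, cidr):
    """All list entries that overlap a netblock, in either direction, so a
    /23 that contains a listed /24 (or a /25 inside one) is still flagged."""
    block = ipaddress.ip_network(cidr, strict=False)
    return [(net, ref) for net, ref in entries
            if net.version == block.version and net.overlaps(block)]


def drop_hits_in_log(entries, lines):
    """Scan key=value log lines and return (src_ip, sbl_ref) for listed sources."""
    hits = []
    for ln in lines:
        fields = dict(kv.split("=", 1) for kv in ln.split() if "=" in kv)
        src = fields.get("src")
        hit = lookup_ip(entries, src) if src else None
        if hit:
            hits.append((src, hit[1]))
    return hits


if __name__ == "__main__":
    drop = load_drop(SAMPLE_DROP_TEXT)
    print(lookup_ip(drop, "198.51.100.77"))
    print(overlapping(drop, "203.0.112.0/23"))
    print(overlapping(drop, "87.251.64.0/24"))   # not in the constructed list
    print(drop_hits_in_log(drop, SAMPLE_LOG))
```

The overlap query is the one to use when vetting a prospective peer's or customer's address space: a provider can split a listed /24 into smaller announcements, and a point lookup on the /24's first address would miss a listed /25 inside it. A linear scan is adequate for DROP's size (hundreds to low thousands of entries); a radix tree is the usual upgrade when the same logic is applied to larger feeds.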

Known Weaknesses Exploited

Concentration of 127 servers in a single Amsterdam facility created a physical single point of failure exploited by Dutch police in February 2025. The XHOST UK front created a sanctionable legal hook in a Western jurisdiction. Multi-jurisdiction hosting provided resilience against single-country action but not against coordinated three-country sanctions plus a physical seizure in 48 hours. Mishin's Hostkey account under his real name, revealed in the September 2024 breach, exposed upstream relationships and contributed to OPSEC failure.

Financial Infrastructure

Payment Methods

ZServers accepted payments predominantly via cryptocurrency for anonymous client signups. Dutch police and multiple outlets confirm "cybercriminals could purchase services anonymously, by paying with cryptocurrency." The 2010 ad copy listed WebMoney as an accepted method, suggesting early e-money use before full cryptocurrency adoption. No card payments or fiat bank transfers referenced in post-2020 reporting.

Wallet Clusters and Designated Addresses

Address | Currency | Designation | Source
3FfRvC3kSo2SxiQe5e7SSuNdegwgq8iusL | BTC (XBT) | Mishin (individual) | OFAC SDN, Feb 11, 2025
3 additional addresses (full addresses not publicly indexed) | Digital currency | ZServers entity designation | OFAC SDN, Feb 11, 2025; confirmed by TRM Labs, Chainalysis
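A designated address is only useful if the screening that compares against it normalizes input correctly. The script below is an added example, not code from the original profile, OFAC, or any vendor: it strips a BIP-21 "bitcoin:" URI and its query string, then applies the right case rule per address family before comparing against the list. Base58Check addresses (starting with 1 or 3, like the designated address above) are case-sensitive, while bech32/bech32m (bc1...) addresses are case-insensitive and are routinely emitted in upper case by QR codes and wallets, so they must be lowercased before comparison; a case-sensitive string match would miss them. The designated address is the one OFAC published for Mishin (from the page); the bc1 entry is CONSTRUCTED for the demo and is not a real designation.

```python
"""Screen an outbound payment destination against designated addresses (added example)."""
from urllib.parse import urlsplit, unquote

# Designated address from the page plus a CONSTRUCTED bech32 entry for the demo.
SDN_DIGITAL_CURRENCY = {
    "3FfRvC3kSo2SxiQe5e7SSuNdegwgq8iusL": "XBT; Mishin, Alexander Igorevich; OFAC SDN 2025-02-11",
    "bc1qconstructedsample000000000000000000000": "XBT; CONSTRUCTED SAMPLE, not a real designation",
}


def normalize_address(raw):
    """Canonical form for comparison; None for input that is not a Bitcoin address."""
    s = unquote(raw.strip())
    if s.lower().startswith("bitcoin:"):          # BIP-21 URI
        s = urlsplit(s).path                       # drops ?amount=...&label=...
    if not s:
        return None
    if s[:3].lower() == "bc1":                     # bech32 / bech32m: case-insensitive
        if s != s.lower() and s != s.upper():      # mixed case is invalid per BIP-173
            return None
        return s.lower()
    if s[0] in "13":                               # Base58Check P2PKH / P2SH: case matters
        return s
    return None


def build_index(designations):
    """Index keyed on the normalized form so a lookup cannot miss a case variant."""
    idx = {}
    for addr, meta in designations.items():
        key = normalize_address(addr)
        if key is None:
            raise ValueError(f"unparseable designated address: {addr!r}")
        idx[key] = (addr, meta)
    return idx


SDN_INDEX = build_index(SDN_DIGITAL_CURRENCY)


def screen(raw_destination, index=SDN_INDEX):
    """Return (listed_address, meta) on a hit, or None."""
    key = normalize_address(raw_destination)
    if key is None:
        return None
    return index.get(key)


if __name__ == "__main__":
    for dest in ("bitcoin:3FfRvC3kSo2SxiQe5e7SSuNdegwgq8iusL?amount=0.05&label=hosting",
                 "BC1QCONSTRUCTEDSAMPLE000000000000000000000",
                 "3ffrvc3kso2sxiqe5e7ssundegwgq8iusl"):
        print(dest, "->", screen(dest))
```

Note that the lowercased Base58 string in the last demo line is not a match and must not be: it is a different (and invalid) string, and lowercasing it to force a hit would create false positives against unrelated addresses. Checksum validation of each family is a separate step this example does not perform.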

On-Chain Activity: Three-Phase Laundering Model

Phase 1 — Acquisition (Service Fees Inbound)

ZServers-linked wallets received hosting fee payments from ransomware affiliates and other criminal clients. Chainalysis confirmed inbound payments from LockBit affiliates, Mallox, Cryptolocker, Dharma, Phobos, and Globeimposter, as well as IABs and darknet markets. Documented on-chain activity: at least $5.2 million. [6][7]

Phase 2 — Layering

Funds moved through intermediary wallets. Chainalysis documented movement to mixing services and high-risk exchanges. TRM Labs noted chain-hopping behavior consistent with standard ransomware ecosystem layering. Specific mixing services or cross-chain bridges not named in public reporting. [6][7]

Phase 3 — Extraction (Cash-Out)

Chainalysis confirmed cash-out at: (1) Garantex — Russia-based exchange sanctioned by OFAC in 2022 for AML non-compliance; (2) merchant services providers; (3) no-KYC exchanges. The Garantex link places ZServers within the broader sanctioned Russian financial infrastructure cluster. [6][7]

Garantex Subsequently Seized — March 6, 2025

Garantex was taken down on March 6, 2025 — 23 days after ZServers sanctions — by US Secret Service, German BKA, and Finnish law enforcement. Domain seized; $26M in cryptocurrency frozen; two administrators indicted (Aleksej Besciokov and Aleksandr Mira Serda). Successor exchange Grinex created immediately post-seizure; OFAC designated Grinex; Grinex suspended operations April 16, 2026. The Garantex cash-out flows documented by Chainalysis occurred prior to the March 2025 seizure and represent historical activity, not a current operational route.

Sanctions and Risk Designations

Authority | Program | Date | Entities Designated | Basis
OFAC (US) | CYBER3 / SDN | Feb 11, 2025 | ZServers; Mishin; Bolshakov; 4 crypto addresses | Materially assisted LockBit ransomware operations
UK FCDO | Cyber Sanctions Regime | Feb 11, 2025 | ZServers; XHOST LP; 6 individuals | "Key component of Russia's cybercrime supply chain"; LockBit attacks against UK organizations including hospitals
AU DFAT | Autonomous Cyber Sanctions | Feb 11, 2025 | ZServers; 5 individuals | BPH for BianLian; hosted Medibank stolen data (Oct 2022); first Australian sanctions against a hosting entity

Client Profile and Hosted Operations

Crimeware Verticals by Evidence Tier

Category | Named Clients | Evidence Basis | Classification
Ransomware RaaS (LockBit) | LockBit 2.0 and 3.0 affiliates | OFAC, UK FCDO, AU DFAT, Chainalysis, TRM Labs, Reuters, The Record | Confirmed
Ransomware RaaS (Conti) | Conti | Dutch National Police press statements; SecurityWeek; SecurityAffairs | Confirmed
Botnets | Not named | Dutch National Police; Bleeping Computer; Cybernews; multiple outlets | Confirmed
Malware distribution | Not named | Dutch police; SecurityOnline; SecurityAffairs | Confirmed
Ransomware (BianLian) | BianLian | Intel 471; AU DFAT Minister statement (Medibank context); Infopercept | Credible
Ransomware (Hunters International) | Hunters International | Intel 471 data breach analysis (ransom note in ZServers data); Infopercept | Credible
Multi-family ransomware (Chainalysis cluster) | Mallox, Cryptolocker, Dharma, Phobos, Globeimposter | Chainalysis Reactor on-chain payment tracing — direct payments to ZServers designated wallets (Single Source) | Credible
Initial Access Brokers | Not named | Chainalysis on-chain exposure data (Single Source) | Credible
Darknet markets | Not named | Chainalysis on-chain exposure data (Single Source) | Credible
Phishing / fraud | Not named | 2010 ad explicitly listed phishing as allowed; LegalData; LE characterizations | Credible

Client Geography

Infrastructure concentrated in the Netherlands with secondary nodes in Russia, US, Bulgaria, and Finland. Clients target organizations globally. No CIS exclusion clause documented — ZServers appears to have operated without geographic restrictions on victims. UK FCDO cited attacks against UK hospitals as a direct use case. AU DFAT cited Medibank Private (October 2022, Australia's largest healthcare breach).

Notable Hosted Cases

Medibank Private — October 2022 (Confirmed)

ASD assessed ZServers infrastructure was used to store approximately 520 GB of data stolen in the October 2022 Medibank Private extortion attack. Attacker Aleksandr Ermakov (sanctioned January 2024, arrested by Russia) was attributed to the REvil ecosystem. ASD conducted an offensive cyber operation deleting the stolen data from ZServers' servers. ASD Director-General publicly cited this as part of ASD deleting up to 250 TB of stolen data from adversary systems globally. [1]

LockBit Operational Infrastructure (Confirmed)

ZServers leased IP addresses and servers to LockBit affiliates for C2, victim communication portals, and operational infrastructure. OFAC explicitly designated ZServers for "materially assisting LockBit ransomware operations." UK FCDO cited LockBit affiliates using ZServers to launch attacks against UK organizations. [4][3]

State Nexus Assessment

Assessment: Tier 2 — Tolerated Safe Harbor

Tier 2 Assessment Basis

The Russian state is assessed to be aware of ZServers' operations and to have refrained from enforcement or prosecution of its operators, despite 15 years of operation and extensive international notoriety. This constitutes tolerated safe harbor. No public evidence supports active operational cooperation, tasking, or direct protection beyond passive non-enforcement.

Entity headquartered in Barnaul, Russia; primary operators are Russian nationals in Barnaul; primary victims are Western organizations. Despite coordinated US/UK/AU sanctions and a high-profile Dutch takedown in February 2025, no Russian criminal proceedings against ZServers, Mishin, or Bolshakov appear in open sources. The US State Department explicitly criticized Russia in its February 2025 sanctions announcement, writing that Russia "continues to offer safe harbor for cybercriminals where groups are free to launch and support ransomware attacks against the United States and its allies and partners." [1]

Negative Evidence (Tier 3/4 Not Supported)

Analyst Inference The possibility that classified IC holdings contain Tier 3/4 evidence cannot be excluded but is not supported by available open-source reporting.

Jurisdictional Separation

Entity Registration
Russia (ZServers)
Barnaul, Altai Krai, Russia
United Kingdom (XHOST LP)
Registered as Limited Partnership
Infrastructure Hosting
Netherlands (Primary)
Paul van Vlissingenstraat, Amsterdam — 127 servers seized
Secondary (advertised): Russia, US, Bulgaria, Finland
Operator Location
Russia (Assessed)
Mishin: Barnaul, Altai Krai (sanctions and OSINT)
Bolshakov: Barnaul, Altai Krai (sanctions)

This separation enabled Western authorities to act aggressively against infrastructure (Dutch seizure) and finances (trilateral sanctions) while primary operators remained in Russia outside arrest range. This is a deliberate and common BPH pattern.

Law Enforcement and Regulatory Response

Arrests, Indictments, Criminal Charges

As of mid-2026, no US DOJ indictment, UK CPS charges, or Dutch criminal charges against ZServers operators are confirmed in open sources. Mishin and Bolshakov are sanctioned but at large in Russia. Intel 471 notes that sealed indictments may exist — US prosecutors frequently seal grand jury indictments until arrest — making international travel risky for sanctioned actors. No public confirmation of criminal charges. [1]

Infrastructure Seizures

Dutch National Police — Amsterdam, February 12-13, 2025

Dutch National Police, coordinating with international partners, seized and took offline 127 servers associated with ZServers/XHost at the Paul van Vlissingenstraat colocation facility in Amsterdam. The operation followed over a year of investigation and occurred within 24-48 hours of the joint sanctions announcement on February 11, 2025. This action effectively dismantled ZServers/XHost's major Western-facing infrastructure. [2][5]

ASD Offensive Cyber Action (Undated)

Credible The Australian Signals Directorate (ASD) deleted approximately 520 GB of data stolen from Medibank Private in the October 2022 attack from ZServers infrastructure. ASD Director-General Abigail Bradshaw publicly described this and stated ASD has deleted up to 250 TB of stolen data from adversary systems globally. Exact timing of the ZServers-specific action is not publicly stated. [1]

Sanctions Actions

Authority | Date | Action | Legal Basis
OFAC (US) | Feb 11, 2025 | Added ZServers, Mishin, Bolshakov, and 4 crypto addresses to SDN list | EO 13694 / CYBER3; materially assisted LockBit ransomware
UK FCDO | Feb 11, 2025 | Asset freeze: ZServers, XHOST Internet Solutions LP, and 6 individuals | UK Cyber Sanctions Regime; LockBit attacks against UK organizations including hospitals
AU DFAT | Feb 11, 2025 | Designated ZServers and 5 individuals; first Australian sanctions against a hosting entity; first Australian cyber sanctions related to network infrastructure | Australian autonomous cyber sanctions framework; BianLian hosting; Medibank stolen data hosting

Post-Disruption Client Migration

Credible Vendor commentary (Intel 471, Arete, TRM Labs) confirms the sanctions and takedown forced LockBit affiliates and other clients to seek alternative infrastructure. Significant substitution capacity exists in the broader BPH ecosystem. [1][7]

Analyst Inference One Exploit forum actor predicted ZServers would rebrand; another characterized it as "a typical resource seller" that could be taken down by a higher-level data center at any time. Named successor providers and documented migration paths are an intelligence gap.

In July 2025, OFAC sanctioned Aeza Group (St. Petersburg, Russia) — a separate BPH provider with partial client overlap (BianLian) — confirming the ecosystem continued operating via alternative providers after ZServers' disruption. No public connection between Aeza Group and ZServers/XHost has been established.

Connected Groups and Ecosystem Relationships

Each entity carries two independent confidence assessments: Tier 1 (infrastructure relationship) and Tier 2 (operational relationship). These are analytically distinct claims requiring separate evidence bases and are never collapsed into a single label.

LockBit
Ransomware-as-a-Service // Russia-linked // Disrupted February 2024 and ongoing
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Credible
Tier 1: OFAC, UK FCDO, AU DFAT, Chainalysis, TRM Labs, Reuters, The Record, and multiple additional sources explicitly confirm LockBit affiliates leased ZServers IPs and servers for victim communication portals and C2. On-chain payments from LockBit affiliates to ZServers-designated wallets confirmed by Chainalysis. OFAC designated ZServers specifically for "materially assisting LockBit ransomware operations."

Tier 2: OFAC confirms Mishin marketed ZServers to ransomware actors "with the understanding that they would use those services in their cybercriminal activities." The 2023 IP reassignment episode demonstrates active facilitation of the LockBit client against an abuse complainant. However, no public evidence establishes joint operational planning beyond hosting and financial services.
Sources: OFAC — Corroborates; UK FCDO — Corroborates; AU DFAT — Corroborates; Chainalysis — Corroborates; TRM Labs — Corroborates; Intel 471 — Corroborates
Conti
Ransomware-as-a-Service // Russia-linked // Disbanded May 2022
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Dutch National Police press statements and multiple media reports (SecurityWeek, SecurityAffairs) explicitly list Conti among cybercrime groups using ZServers/XHost infrastructure.

Tier 2: No public evidence ZServers operators were involved in Conti operational planning beyond providing hosting services.
Sources: Dutch National Police — Corroborates; SecurityWeek — Corroborates; SecurityAffairs — Corroborates
BianLian
Ransomware-as-a-Service // Russia-linked // Active as of mid-2026
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible
Tier 2 — Operational: Analyst Inference
Tier 1: Intel 471 confirms ZServers "provided hosting services for ransomware groups such as LockBit, BianLian, and Hunters International." AU DFAT Minister also associated ZServers with BianLian in sanctions context. Infopercept cites BianLian independently. Intel 471 and AU DFAT provide corroboration; Infopercept is a third source.

Tier 2: No evidence of operational coordination beyond hosting.
Sources: Intel 471 — Corroborates; AU DFAT — Corroborates; Infopercept — Corroborates
Hunters International
Ransomware-as-a-Service // Active (claimed shutdown late 2024; rebrand signals 2025)
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible (Single Source)
Tier 2 — Operational: Analyst Inference
Tier 1: Intel 471 found a Hunters International ransom note and exfiltrated file list from a 2024 attack on a European company in the September 2024 ZServers data breach, implying data staging or storage on ZServers infrastructure. Infopercept cites Hunters International independently. Both sources derive from the same post-breach period; wider independent corroboration is not confirmed (single-source concern).

Tier 2: No evidence of operational coordination beyond hosting relationship.
Sources: Intel 471 — Primary Source; Infopercept — Corroborates
Mallox, Dharma, Phobos, Globeimposter, Cryptolocker affiliates
Ransomware groups / affiliate operators — multi-family
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible (Single Source)
Tier 2 — Operational: Analyst Inference
Tier 1: Chainalysis Reactor confirmed direct on-chain payment flows from affiliates of these groups to ZServers-designated wallet addresses, inferred as service fees for BPH infrastructure. Single-source — Chainalysis only; no corroborating vendor has published independent confirmation per family.

Tier 2: On-chain payment establishes financial relationship only, not operational coordination.
Sources: Chainalysis — Single Source
Initial Access Brokers and Darknet Markets
Criminal service economy actors (not individually named in public reporting)
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible (Single Source)
Tier 2 — Operational: Analyst Inference
Tier 1: Chainalysis confirmed on-chain exposure to IAB and darknet market wallets sending payments to ZServers. Specific actors not named in public reporting. Single-source.

Tier 2: Financial connection only.
Sources: Chainalysis — Single Source

Trajectory Assessment

Historical Market Position

ZServers/XHost occupied a significant structural position in the Russia/CIS-linked ransomware ecosystem for approximately 15 years, serving as a preferred BPH provider for high-end ransomware operations. OFAC and UK FCDO descriptions as "a key component of Russia's cybercrime supply chain" and "the launchpad for crippling ransomware attacks" reflect its prominence by 2023-2024. The September 2024 data breach offering 9,500 client records for sale indicates a substantial historical client base, though active clients at seizure time would be a subset.

Disruption History and Timeline

January 2006
triplex560 persona first appears on Russian-language criminal forum zloy.bz. Identity later confirmed as Mishin by Intel 471.
August 9, 2010
Earliest confirmed verbatim hosting advertisement by triplex560 on xeksec.com: "We offer a hosting that is loyal to abuse." zservers.ru domain appears on forums ~3 months later.
October 2022
Medibank Private breach: ZServers infrastructure used to store 520GB of stolen Australian health data. ASD later deletes the data via offensive cyber operation.
2023
Lebanese company complaint re: ZServers-hosted LockBit-linked IP. Mishin instructs Bolshakov to change the IP but secretly assigns a new one to the LockBit client — demonstrating active client protection against abuse complaints.
July 27, 2024
triplex560 posts on Exploit disclosing a malicious attack on ZServers infrastructure — likely by a BPH competitor.
September 2024
Major data leak: ~9,500 ZServers client records (IPs, email addresses, passwords, credit cards) offered for sale online. Leak included Mishin's Hostkey account details and a Hunters International ransom note.
November 2024
Intel 471 independently concludes Mishin Alexander Igorevich is the triplex560 persona, based on OSINT and breach analysis.
February 11, 2025
US (OFAC), UK (FCDO), and Australia (DFAT) jointly sanction ZServers, XHOST Internet Solutions LP, and 6 individuals. 4 cryptocurrency addresses designated.
February 12-13, 2025
Dutch National Police seize 127 ZServers/XHost servers, Amsterdam. Major Western-facing infrastructure dismantled. triplex560 posts on Exploit: new orders paused, existing customers can still request service.
Early March 2025
ZServers website remains online. AS197414 still registered to XHOST Internet Solutions LP. Exploit forum actor predicts ZServers will rebrand. Website not taking new orders.
December 4, 2025
AS197414 last BGP announcement: prefix 185.170.144.0/24, origin AS197414. This is the final observed routing event. The ASN subsequently goes dark.
June 2026 (RIPE verified)
RIPE WHOIS query returns empty records for AS197414 — no aut-num object exists. ASN de-registered. 0 of 327 RIS peers observe any announcement. 0 prefixes, 0 IPs. First seen active May 28, 2011; last seen December 4, 2025 — approximately 14.5 years of operation.

Trajectory Direction

Disrupted — Reconstitution Risk: Elevated. The February 2025 actions destroyed the Western-hosted infrastructure and imposed financial and legal constraints. However, the brand is not definitively defunct: the website was still online and AS197414 still registered as of March 2025, and forum commentary anticipated a rebrand. Given the pattern of Russia-based BPH providers reconstituting under new names (see: Aeza Group, sanctioned July 2025, operating concurrently and separately), the probability of Mishin or associates reconstituting a BPH operation under a new brand in Russian or permissive-jurisdiction hosting is assessed as elevated, though unconfirmed as of mid-2026.

Intelligence Gaps

1. AS200730 identity and connection to ZServers operators

87.251.64.0/24 (formerly XHOST) is now announced by AS200730, holder "ISAEV ISAEV Igor" (RIPE as-overview, June 2026). AS200730 WHOIS returns empty records — same pattern as de-registered AS197414. No confirmed connection to Mishin, Bolshakov, or other named operators. Close with: RIPE WHOIS history for AS200730; abuse reporting on that /24; vendor infrastructure tracking. Escalate if activity on that range matches ZServers historical abuse patterns.

2. Confirmed reconstitution brand or new ASN registrations

Whether ZServers reconstituted post-February 2025 under a new brand, legal entity, or new ASN beyond the documented IP space reallocation. Close with: longitudinal C2/infrastructure tracking; criminal forum monitoring for new BPH ads by triplex560-linked personas.

3. Full ASN/IP inventory beyond the two documented ranges

Whether ZServers held additional ASNs or IP allocations. Close with: RIPE/ARIN historical data; Spamhaus SBL records correlated to entity; vendor infrastructure mapping.

4. Named additional upstream ISPs

Upstream transit providers beyond confirmed Hostkey. Close with: BGP historical analysis; network operator community posts; additional breach material.

5. Spamhaus SBL/abuse.ch specific entry IDs and timelines

First-listing dates, delisting events, specific SBL entry numbers. Close with: direct Spamhaus/abuse.ch dataset queries against documented IP ranges; vendor correlation.

6. Full September 2024 breach client dataset

9,500 client records not publicly enumerated — specific named clients and their criminal operations. Close with: law enforcement analysis of the breach; vendor processing of the leaked dataset.

7. Roles of four additional sanctioned individuals

Technical responsibilities of Sidorov, Dmitriy Bolshakov, Odintsov, and Ananev. Close with: full UK FCDO and AU DFAT sanctions notices; law enforcement evidence.

8. Post-disruption client migration mapping

Which specific BPH providers absorbed LockBit and other clients post-February 2025. Close with: longitudinal C2/leak-site infrastructure tracking; vendor reports on successor infrastructure.

9. Sealed criminal indictments

Whether US DOJ or allied prosecutors filed sealed charges against operators. Close with: public disclosure upon arrest; non-sealed docket records.

10. Russian state nexus beyond tolerance

Any direct tasking, protection, or coordination with Russian security services. Close with: court documents, leaked communications, or declassified intelligence.

11. Specific IoCs (IPs/domains) for named campaigns

Concrete ZServers-hosted IPs and domains used in documented LockBit, Conti, or BianLian campaigns. Close with: law enforcement technical annexes; vendor IoC feeds with explicit ZServers attribution.

Post-Disruption Developments (February 2025 – June 2026)

March 6, 2025
Garantex seized. US Secret Service, German BKA, and Finnish law enforcement take down Garantex — ZServers' documented primary cash-out exchange — 23 days after ZServers sanctions. Domain seized; approximately $26M in cryptocurrency frozen; administrators Aleksej Besciokov and Aleksandr Mira Serda indicted. Successor exchange Grinex created immediately.
March 11, 2025
Intel 471 publishes deep-dive profile confirming AS197414 registration status, Hostkey upstream relationship, full six-individual sanctions list, Medibank/ASD connection, September 2024 data breach details, and triplex560 identity corroboration. As of publication, ZServers website still online and AS197414 still registered to XHOST Internet Solutions LP. [1]
July 2, 2025
OFAC sanctions Aeza Group (separate Russia-based BPH provider, St. Petersburg) for hosting ransomware (BianLian, RedLine, Meduza, Lumma), the BlackSprut darknet drug market, and the Doppelganger Russian influence operation. Aeza CEO Penzev and co-owners Bozoyan and Knyazev designated. Four Aeza employees had been arrested by Russian authorities in April 2025 on drug trafficking charges. No assessed connection to ZServers/XHost. Confirms BPH ecosystem continued operating via alternative providers post-ZServers disruption.
April 16, 2026
Grinex suspends operations. Garantex successor exchange Grinex — created immediately after the March 2025 seizure to absorb Garantex customer deposits — suspends operations following OFAC designation. Closes the Garantex cash-out pathway entirely.
June 2026 (RIPE verified)
AS197414 de-registered: RIPE WHOIS record empty (no aut-num object); 0 RIS peers observing; last BGP announcement December 4, 2025. Both formerly XHOST-associated IP ranges now announced by different entities: 87.251.64.0/24 by AS200730 (holder: ISAEV ISAEV Igor, WHOIS empty); 185.170.144.0/24 by AS50053 (VDSKA-AS, Anton Levin). No confirmed ZServers rebrand or successor entity. ZServers remains on OFAC SDN, UK FCDO, and AU DFAT sanctions lists.
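The June 2026 RIPE verification above and intelligence gap 1 amount to three repeatable checks: whether the aut-num object still exists, whether any RIS peer sees the origin, and who now announces the formerly sanctioned prefixes. The following is an added example (not the profile's own tooling) that encodes those checks; the record shapes are a simplification of my own, not RIPEstat's JSON, and the sample values are constructed from the figures stated in this profile.

```python
"""Added example, not the profile's own tooling: the three RIPE checks from the
June 2026 entry as code. Record shapes are my own simplification (not RIPEstat
JSON); sample values are constructed from figures stated in the profile."""
from dataclasses import dataclass

@dataclass
class AsnState:
    asn: int
    whois_present: bool   # aut-num object exists in RIPE WHOIS
    ris_peers_seen: int   # RIS peers observing any announcement from this origin
    prefix_count: int     # prefixes currently originated

@dataclass
class PrefixOrigin:
    prefix: str
    origin_asn: int
    holder: str
    holder_whois_present: bool  # the new holder's own WHOIS object resolves

SANCTIONED_ASN = 197414
SANCTIONED_PREFIXES = ("87.251.64.0/24", "185.170.144.0/24")

def assess_asn(state: AsnState) -> str:
    """'dark' = de-registered and unrouted; 'silent' = registered but unrouted;
    'active' = still originating routes that RIS peers can see."""
    if state.ris_peers_seen > 0 or state.prefix_count > 0:
        return "active"
    return "silent" if state.whois_present else "dark"

def assess_prefix(obs: PrefixOrigin, sanctioned_asn: int = SANCTIONED_ASN) -> str:
    """Flag a sanctioned /24 re-originated by another ASN; an empty WHOIS record
    for the new holder repeats the de-registered ASN's opacity pattern (gap 1)."""
    if obs.origin_asn == sanctioned_asn:
        return "unchanged"
    return "reoriginated" if obs.holder_whois_present else "reoriginated_opaque_holder"

def build_report(state: AsnState, observations: list) -> dict:
    """Verdict per watched resource; a sanctioned prefix nobody announces is 'unrouted'."""
    seen = {o.prefix: o for o in observations}
    report = {f"AS{state.asn}": assess_asn(state)}
    for pfx in SANCTIONED_PREFIXES:
        report[pfx] = assess_prefix(seen[pfx]) if pfx in seen else "unrouted"
    return report

# Constructed sample; holder_whois_present for AS50053 is assumed, not stated on the page.
JUNE_2026_ASN = AsnState(197414, whois_present=False, ris_peers_seen=0, prefix_count=0)
JUNE_2026_PREFIXES = [
    PrefixOrigin("87.251.64.0/24", 200730, "ISAEV ISAEV Igor", holder_whois_present=False),
    PrefixOrigin("185.170.144.0/24", 50053, "VDSKA-AS, Anton Levin", holder_whois_present=True),
]
```

Running `build_report(JUNE_2026_ASN, JUNE_2026_PREFIXES)` yields AS197414 as dark and both prefixes as re-originated, with 87.251.64.0/24 additionally flagged for its opaque holder; a `reoriginated_opaque_holder` verdict is the trigger the gap-1 entry describes for escalation.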

Sources and Evidence Base

[1] Intel 471, "Zservers: Bulletproof hosting for online crime," March 11, 2025. intel471.com/blog/zservers-bulletproof-hosting-for-crime
[2] US Department of the Treasury, "United States, Australia, and the United Kingdom Jointly Sanction Key Infrastructure that Enables Ransomware Attacks," February 11, 2025. home.treasury.gov/news/press-releases/sb0018
[3] LexisNexis UK / UK FCDO, "FCDO announces new sanctions targeting Russian cybercrime network Zservers," February 11, 2025. lexisnexis.co.uk
[4] The Record (Recorded Future News), "Russian bulletproof hosting service Zservers sanctioned by US for LockBit coordination," February 11, 2025. therecord.media
[5] Bleeping Computer, "Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster," February 13, 2025. bleepingcomputer.com
[6] Chainalysis, "OFAC Sanctions Zservers for Facilitating Ransomware Attacks," February 11, 2025. chainalysis.com/blog/ofac-sanctions-zservers
[7] TRM Labs, "US, UK and Australia Target Zservers and LockBit Affiliates," February 2025. trmlabs.com
[8] OFAC, "Cyber-related Designations," February 11, 2025. ofac.treasury.gov/recent-actions/20250211
[9] SecurityWeek, "127 Servers of Bulletproof Hosting Service Zservers Seized by Dutch Police," February 16, 2025. securityweek.com
[10] SecurityAffairs, "Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers," February 2025. securityaffairs.com
[11] Cybernews, "Dutch police dismantle bulletproof hosting provider, seize 127 servers," February 2025. cybernews.com
[12] Arete IR, "Sanctions Against Zservers," February 2025. areteir.com
[13] UK FCDO / Lursoft, "XHOST Internet Solutions LP — Sanctions Notice," February 11, 2025. sanctions.lursoft.lv
[14] Reuters, "US, UK, Australia target Russia-based Zservers over LockBit ransomware attacks," February 11, 2025. reuters.com
[15] The Hacker News, "U.S. Sanctions Russian Bulletproof Hosting Provider [Aeza Group] for Supporting Cybercriminals Behind Ransomware," July 2, 2025. thehackernews.com
[16] Infopercept, "ZServers — Bulletproof Hosting for Crime." infopercept.com