Bulletproof Host Aeza Group Moves Infrastructure to New Autonomous System
Threat analysts at Silent Push announced the discovery of a major infrastructure shift by the bulletproof hosting provider Aeza Group, which was designated and sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on July 1 for facilitating global cybercrime.
According to Silent Push’s IOFA (Indicators of Future Attack) feed, critical IP ranges previously housed within Aeza’s Autonomous System 210644 are now being announced under a freshly registered entity, AS211522, operated by a company called Hypercore LTD.
This rapid reallocation of address space, detected automatically and in real time, appears designed to evade enforcement of OFAC sanctions and allow continued illicit operations.
Aeza Group, along with two affiliated companies and four individuals, was targeted by OFAC for providing “bulletproof” server infrastructure that enabled ransomware deployments, large-scale data exfiltration, and darknet drug trafficking.
The sanctions froze any U.S.-based assets belonging to Aeza and prohibited U.S. persons from engaging in any transactions with the organization or its associates.
Bulletproof hosting refers to resilient, crime-friendly network services that ignore abuse complaints and actively resist takedowns by law enforcement or security researchers.
Silent Push analysts first tagged Aeza’s Autonomous Systems—AS216246 and AS210644—as bulletproof hosting networks in early 2025, observing a pattern of rapid IP address allocation, minimal transparency around ownership, and frequent abuse reports.
On July 20, their automated IOFA feed signaled that the subnet 83.147.192.0/24, previously pinned to AS210644, now appeared under AS211522.
A closer look at public BGP data confirmed that the same block is now being announced simultaneously by both AS210644 and AS211522, a strong indicator of intentional migration rather than mere misconfiguration.
“This kind of dual announcement is a clear red flag,” explained Maya Ortiz, Senior Threat Analyst at Silent Push. “It tells us the operators are moving assets behind the scenes, likely to avoid detection and continue supporting ransomware gangs, phishing campaigns, and darknet marketplaces without interruption.”
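The dual-announcement signal described above can be checked against any set of BGP origin observations. The following is an added example, not Silent Push's code or feed logic: it assumes a defender has already reduced public BGP table dumps to (date, prefix, origin ASN) rows, and only 83.147.192.0/24, AS210644, AS216246 and AS211522 come from the article; every other row is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: (observation date, prefix, origin ASN).
# 198.51.100.0/24, 203.0.113.0/24 and AS64500 are documentation values.
ROUTES = [
    ("2025-07-05", "83.147.192.0/24", 210644),
    ("2025-07-05", "198.51.100.0/24", 210644),
    ("2025-07-05", "203.0.113.0/24", 64500),
    ("2025-07-20", "83.147.192.0/24", 210644),
    ("2025-07-20", "83.147.192.0/24", 211522),
    ("2025-07-20", "198.51.100.0/24", 210644),
    ("2025-07-20", "203.0.113.0/24", 64500),
]
WATCHED = {210644, 216246}  # ASNs the article says were tagged as bulletproof


def origins_by_day(routes):
    """Map day -> prefix -> set of origin ASNs seen that day."""
    table = defaultdict(lambda: defaultdict(set))
    for day, prefix, asn in routes:
        table[day][ipaddress.ip_network(prefix)].add(asn)
    return table


def find_migrations(routes, watched):
    """Flag prefixes last seen under a watched ASN that gain a new origin.

    Returns (day, prefix, new_asns, status) tuples. status is "dual" while a
    watched ASN still announces the prefix and "moved" once it has stopped.
    """
    table = origins_by_day(routes)
    findings, previous = [], {}
    for day in sorted(table):
        for prefix, asns in sorted(table[day].items(), key=lambda kv: kv[0]):
            before = previous.get(prefix, set())
            new = asns - before
            if before & watched and new:
                status = "dual" if asns & watched else "moved"
                findings.append((day, str(prefix), sorted(new), status))
            previous[prefix] = asns
    return findings


if __name__ == "__main__":
    for finding in find_migrations(ROUTES, WATCHED):
        print(finding)
```

New origin ASNs returned by `find_migrations` are candidates for review before being added to a blocklist, since a new origin can also be a legitimate transfer or an upstream change.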

Silent Push reports that AS211522 was only allocated on July 10, 2025, yet already holds over 2,100 IP addresses—an unusually fast ramp-up that mirrors Aeza’s previous behavior.
Industry experts believe the switch could represent a simple rebranding effort by Aeza Group or a transfer of resources to a closely aligned entity eager to assume the hosting business under a new guise.
“Bulletproof hosts know enforcement is catching up, so they frequently reestablish themselves as new companies or autonomous systems,” noted Jordan Fischer, an independent cybersecurity consultant.
“We urge network operators and security teams to block the new ASN and share any additional indicators with law enforcement.”
Silent Push Threat Analysts have pledged to continue monitoring AS211522 and related infrastructure, inviting tips and corroborating data from the broader security community.
Their IOFA feeds aim to arm defenders with early, actionable visibility—tracking malicious hosting services and other attacker assets before they appear in active campaigns.
As Aeza Group and its successors adapt, this real-time intelligence will be critical to disrupting the infrastructure that underpins tomorrow’s cyber threats.