Bulletproof Hosting Provider Aeza Group Shifting Their Infrastructure to New Autonomous System
Following U.S. Treasury sanctions imposed on July 1, 2025, the notorious bulletproof hosting provider Aeza Group has rapidly migrated its infrastructure to a new autonomous system in an apparent attempt to evade enforcement measures.
Cybersecurity researchers at Silent Push detected this significant infrastructure shift on July 20, 2025, when IP ranges began migrating from Aeza’s AS210644 to AS211522, operated by Hypercore LTD.
Key Takeaways
1. Sanctioned Aeza Group migrated from AS210644 to new AS211522 to evade OFAC penalties.
2. 2,100+ IPs transferred in days.
3. Infrastructure shift aims to maintain bulletproof hosting for cybercriminals.
The newly allocated autonomous system, established just ten days before the migration, already contains over 2,100 IP addresses, indicating an unusually rapid operational ramp-up that security experts believe represents a coordinated effort to maintain cybercriminal hosting services under new infrastructure.
Aeza Group’s Rapid Infrastructure Migration
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Aeza Group, two affiliated companies, and four individuals for providing bulletproof hosting services that enabled global cybercriminal activity, including ransomware operations, data theft, and darknet drug trafficking.
Bulletproof hosting (BPH) refers to resilient server infrastructure specifically designed to operate outside the reach of law enforcement agencies.
The sanctions resulted in the freezing of Aeza Group’s U.S.-based assets and prohibited American entities from conducting transactions with the designated parties.
This enforcement action targeted AS216246 and AS210644, autonomous systems that Silent Push threat analysts had previously identified as bulletproof hosting providers in early 2025.
On July 20, 2025, Silent Push’s IOFA (Indicators of Future Attack) feed automatically detected the infrastructure migration when IP ranges from Aeza’s AS210644 began transitioning to AS211522.
This autonomous system number was allocated on July 10, 2025, to Hypercore LTD, according to Silent Push’s Total View platform data.
A specific example of this migration involves IP address 83.147.192.5, which was previously associated with AS210644 but was automatically reclassified to reflect its new association with AS211522. BGP data from bgp.tools confirms that the 83.147.192.0/24 subnet has been announced by both ASNs, supporting this attribution assessment.
The migration pattern suggests either a rebranding effort by Aeza Group or a handoff to a closely aligned cybercriminal entity.
The speed of AS211522’s expansion has drawn attention from cybersecurity analysts, with the autonomous system accumulating over 2,100 IP addresses within days of the detected migration.
This rapid ramp-up represents an atypical pattern not usually observed in newly allocated ASNs.
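As an added illustration (not Silent Push's tooling or data), the Python example below shows one way a defender could flag this pattern in their own BGP origin history: prefixes that leave the sanctioned ASNs and land on a recently allocated ASN. The three ASNs, the 83.147.192.0/24 prefix, and the July 10 and July 20 dates come from the article; every other prefix, date, the AS64496 entry and the 30-day age threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import date

SANCTIONED_ASNS = {210644, 216246}  # ASNs named in the article
# Allocation dates: AS211522 per the article; AS64496 (documentation ASN) is constructed.
ASN_ALLOCATED = {211522: date(2025, 7, 10), 64496: date(2019, 3, 1)}

# Constructed origin observations: (date seen, prefix, origin ASN).
OBSERVATIONS = [
    (date(2025, 7, 1), "83.147.192.0/24", 210644),
    (date(2025, 7, 20), "83.147.192.0/24", 211522),
    (date(2025, 7, 1), "192.0.2.0/24", 210644),
    (date(2025, 7, 21), "192.0.2.0/24", 211522),
    (date(2025, 7, 1), "198.51.100.0/24", 216246),
    (date(2025, 7, 22), "198.51.100.0/24", 64496),
    (date(2025, 7, 1), "203.0.113.0/24", 64496),  # unrelated, never moved
]

def find_migrations(observations, watched):
    """Map each receiving ASN to the prefixes it took over from a watched ASN."""
    history = defaultdict(list)
    for seen, prefix, asn in sorted(observations):  # chronological order
        history[ipaddress.ip_network(prefix)].append((seen, asn))
    moves = defaultdict(list)
    for prefix, events in history.items():
        for (_, old), (seen, new) in zip(events, events[1:]):
            if old in watched and new not in watched:
                moves[new].append((prefix, old, seen))
    return moves

def score_receivers(moves, allocated, max_age_days=30):
    """Summarise inherited address space and ASN age at the first inherited prefix."""
    report = {}
    for asn, items in moves.items():
        first = min(seen for _, _, seen in items)
        age = (first - allocated[asn]).days if asn in allocated else None
        report[asn] = {
            "prefixes": sorted(str(p) for p, _, _ in items),
            "addresses": sum(p.num_addresses for p, _, _ in items),
            "asn_age_days": age,
            "newly_allocated": age is not None and age <= max_age_days,
        }
    return report

if __name__ == "__main__":
    for asn, info in score_receivers(find_migrations(OBSERVATIONS, SANCTIONED_ASNS), ASN_ALLOCATED).items():
        print(f"AS{asn}: {info}")
```

A receiving ASN that is both newly allocated and holding a growing share of formerly sanctioned address space is the combination worth escalating; an old ASN picking up a single prefix is weaker evidence on its own.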
Silent Push’s continuous infrastructure monitoring capabilities enabled the detection of this emerging BPH provider before its widespread deployment in active cybercriminal campaigns.
The company’s IOFA feeds are designed to identify attacker infrastructure before it becomes operationalized, providing security teams with early visibility into threats.
Silent Push threat analysts continue investigating AS211522 and are seeking additional intelligence regarding suspicious bulletproof hosting infrastructure connected to the Aeza Group migration.