.png)
2 weeks ago
1
Internet service providers and hosting companies enable cybercrime and cyber operations. Why don’t sanctions stop them?
The infrastructure that underpins cyber operations rarely makes headlines. While public attention focuses on malware strains, threat actors, and high-profile incidents, the internet service providers and hosting companies enabling these operations persist quietly in the background. While not often perceived as malicious, these entities can be key enablers of cybercriminal and state-sponsored cyber operations.
Two such providers, Stark Industries Solutions and Aeza Group, have recently come under international scrutiny, including being sanctioned for supporting Russian state-linked cyber operations and disinformation campaigns. Despite this, both companies appear to have retained control of key resources, reallocated IP infrastructure, and continued operations with minimal interruption. Instead of causing disruption, these sanctions have revealed how persistent and resilient threat-enabling infrastructure has become. These cases show how existing mechanisms of internet governance and enforcement may not be equipped to meaningfully constrain these threat activity enablers.
Sanctions fall short
Stark Industries Solutions, a UK-registered hosting provider, was sanctioned by the EU on 20 May 2025 for enabling Russian state-sponsored cyber operations. However, the company anticipated the designation, in part due to leaks to media. Weeks in advance, it migrated key IP resources to a separate legal entity. Shortly after the sanctions were imposed, Stark Industries rebranded as ‘THE.Hosting’ under a new Dutch organisation, WorkTitans B.V., rendering the EU’s action largely ineffective.
Aeza, a Russian provider known for hosting ransomware, infostealers, and supporting infrastructure for Russian influence operations, demonstrated similar resilience. Within 24 hours of being sanctioned by the US Office of Foreign Assets Control on 1 July 2025, Aeza Group had reallocated its US IP infrastructure to a newly established Serbian organisation, Smart Digital Ideas DOO, ensuring its American assets remained insulated from sanctions. Three days later, Aeza continued to shift its IP infrastructure, registering a new UK organization, Hypercore Ltd, which was later used to acquire a new autonomous system number (ASN), a unique identifier given to internet service providers or other institutions that manage the assigning of IP addresses, and facilitate the transfer of additional IP resources from Aeza. On 19 September 2025, the UK sanctioned Aeza International, the domestic branch of Aeza Group, citing its involvement in destabilising Ukraine by providing internet services to Russian disinformation campaigns
In both cases, the rebranding and transfer of network resources were conducted within the policy framework of the Amsterdam-based Réseaux IP Européens Network Coordination Centre (RIPE NCC), the body responsible for allocating IP address space and ASNs across Europe, the Middle East, and parts of Central Asia. This allowed both providers to preserve their infrastructure and continue operations without any meaningful disruption.
A systemic challenge
The resilience of providers like Stark Industries and Aeza in the face of sanctions reveals a more systemic issue: the regulatory framework governing the internet’s foundational infrastructure can be exploited. Both entities are local internet registries (LIRs) under the RIPE NCC, which allocates them blocks of IP addresses that they can distribute to clients.
As LIRs, Stark Industries and Aeza are granted autonomy to directly manage their allocated IP space, assign prefixes to customers, and control their network’s global routing. As seen, however, this operational freedom is easily abused. Under this model, malicious actors can sidestep restrictions by shifting their resources to new, unsanctioned corporate entities, because RIPE NCC’s own policy does not include revoking resources when an entity is sanctioned.
RIPE’s approach to sanctions, guided by the Dutch Ministry of Foreign Affairs, is to ‘freeze’ an entity’s resources, preventing transfers or new allocations, though RIPE is not legally required to de-register assets. As such, RIPE does not reclaim ASNs, IP address blocks, or membership unless explicitly compelled by a Dutch court and is still permitted to receive payments from sanctioned parties. This enforcement posture has created a permissive environment for sanctioned providers.
RIPE NCC’s Standard Service Agreement (SSA) does allow for more severe actions, such as permanent deregistering of internet number resources, in response to actions such as supplying incorrect or falsified information or non-payment. Yet this enforcement model has produced a striking imbalance. A provider sanctioned by the European Union faces only a freeze of its assets, while a member that submits incorrect documentation may be fully deregistered. The reality is that as long as the paperwork is in order and fees are paid, the use of RIPE resources to support state-sponsored cyber operations does not result in the loss of infrastructure.
RIPE has publicly stated that ‘internet resources should be kept separate from political disputes’ and has committed to exploring a blanket exemption for internet number resources from EU sanctions regulation. While this approach aims to protect access to key IP resources, it also allows the likes of Stark Industries and Aeza to persist.
Exploiting legal gaps
Sanctions are only part of the challenge. Infrastructure providers like Stark Industries and Aeza often retain control over their operations by using newly registered, un-sanctioned organisations to reallocate RIPE resources. This process, registering a corporate entity, assigning IP space, and updating records, is procedurally simple for LIRs and unfolds entirely within the bounds of RIPE NCC’s policy framework.
Both Stark Industries and Aeza have relied on jurisdictions such as the Netherlands, Serbia, and, in particular, the UK. The UK’s company formation framework has made it a longstanding hub for corporate obfuscation. While reforms are planned, including mandatory identity verification for directors and persons of significant control starting in November 2025, it is unclear how effective these measures will be, considering the usage of formation agents (companies that register new companies for other businesses).
Once a provider creates a new legal entity, typically via a formation agent and a virtual office address, it can assign IP prefixes and autonomous systems from its existing allocation to that company. These updates are logged in RIPE’s database but are not monitored unless they breach RIPE’s membership terms.
This ability to act within the bounds of regional internet registry (RIR) policy while simultaneously circumventing measures such as sanctions allows these actors to continue working. Because they operate within the boundaries of internet governance, they fall outside the reach of international law enforcement mechanisms.
Cross-border solutions
Tackling this challenge requires cross-border collaboration between governments, internet governance bodies, and law enforcement. RIRs such as RIPE aren’t obligated or required to act on geopolitical threats, but the fact remains that they are ultimately responsible for allocating and revoking key resources. Without their engagement, even the most comprehensive sanctions regimes may struggle to have a material impact on these key enablers.
To disrupt this kind of infrastructure in a meaningful way, governments will need to do more than impose sanctions. They’ll have to align efforts across borders and develop sharper regulatory tools, as law enforcement efforts can only go so far in isolation. Bodies such as RIPE must seriously consider how to build more transparency and accountability into their operations without undermining the neutrality of the internet. Public pressure must extend beyond specific cyber threats or actors to the systems that enable them.
There is no single fix for the infrastructure enabling malicious operations. However, the current strategy of relying on disjointed regional sanctions has shown clear limitations. The resilience of Stark Industries and Aeza is not an isolated problem. It reflects broader gaps in how the internet is policed, governed, and resourced. A systemic shift is needed if bad actors are to be stopped from taking advantage of the infrastructure that underpins cyber operations.
