
Uncovering ALVIVA HOLDING: Links to Russian Shell Companies and Cybercrime

This is an Investigative Report on how the most malicious hosting provider is linked to a Shell Company registered in Seychelles 🇸🇨. This article will not cover Ransomware Analysis; it focuses purely on the incriminating evidence that emerges from this case study as the investigation unfolds.

1. EXECUTIVE SUMMARY
2. ANCHOR POINT — CLOP RANSOMWARE
3. MALICIOUS INDICATORS OF ALVIVA HOLDINGS
4. ASN ANALYSIS: EXTENDED
 4.1 FOP (Luhansk)
 4.2 Verdina Ltd (Belize)
5. TRACING THE FOOTPRINTS: ALVIVA HOLDING LTD
6. ALPHA CONSULTING: BRIDGING CONNECTION ALVIVA HOLDING LTD
7. WHO IS DENIS NACHAEV?
8. UK LAWS — A HOTBED FOR MALPRACTICE
9. CONCLUSION
10. KEY-TAKEAWAYS
11. WHAT YOU CAN DO?
12. IOCs
13. EXTRA READING

Poster Credit: THERAVENFILE

EXECUTIVE SUMMARY

Beginning the investigation with Clop Ransomware, we navigate to the shady practices of a popular hosting provider, “ALVIVA HOLDING”, which is the de facto choice of cyber criminals for building their malicious business empire.

But these criminals seem unbothered that the service they rely on is already, indirectly, connected to a banned/black-listed organization (ALPHA CONSULTING), which, as per the Pandora Leaks, has geo-political ties with the large sharks of a crime industry that includes money laundering, drug trafficking, etc.

This is a detailed investigation that connects the dots to a Shell Company involved in running a cyber crime mafia that wreaks havoc on global organizations in the form of Ransomware, DDoS, Infostealer attacks, Bulletproof Hosting, etc.

ANCHOR POINT — CLOP RANSOMWARE

The breakthrough in this investigation came when the Clop Ransomware group announced new email addresses for communicating with its victims.

CLOP RANSOMWARE ANNOUNCEMENT ON THEIR DLS

NOTE: Clop (aka Cl0p) is a notable Ransomware Group that has made its presence felt since March 2020, infecting 1000+ victims. Some of the notable victims are INA Group (Croatia’s Largest Oil Company), SHELL (British Petroleum), IndiaBulls (Indian Finance Firm), etc.

On checking their DLS (Data Leak Site), we can see their updated email addresses as:-

  • support@pubstorm.com
  • support@pubstorm.net

While checking the domain, we can see the following page:-

Mail Provider setup by Clop Ransomware

From this, it is evident that the group hosts Roundcube Mail for communicating with victims. The other domain returns the same result.

Let’s dive deep into the Registration Details: both domains were registered on the same day, i.e., 2nd May, 2025.

WHOIS DETAILS OF CLOP’S DOMAIN

From the above details, the IP address hosting the Clop Group’s newly registered Website pubstorm[.]com is located in Germany with IP: 185.55.242.97

VT Record of pubstorm.com

Similarly, the IP address associated with pubstorm[.]net is Geo-Located to Vanuatu with IP: 147.45.112.231 (ATTOW).

VT Record of pubstorm.net

From both of these records, we arrive at a common denominator: both IPs belong to ASes registered to the same organization, Alviva Holding Limited, though the AS Numbers are different (AS209132 and AS209272).

In a Nutshell:-

Domain: pubstorm.net
IP: 147.45.112.231
ASN: 209132 Alviva Holding Limited
ASN COUNTRY: VANUATU

Domain: pubstorm.com
IP: 185.55.242.97
ASN: 209272 Alviva Holding Limited
ASN COUNTRY: SEYCHELLES

Additionally, Clop Ransomware heavily relies on the same provider for P2P share networks (Torrent).

As both these ASNs belong to Alviva Holdings Ltd, let’s dig deep into our Point-of-Interest…

MALICIOUS INDICATORS OF ALVIVA HOLDINGS

While tracing the historic records of Alviva Holdings, a few incidents came to light in which the same ASN had been used for malicious purposes in the past. They are:-

Malicious Events Researched on Alviva Holdings

Checking the ASN activity (ALVIVA Holdings) shows that these ASNs have been extensively used to serve Cobalt Strike (a hack tool made for legitimate purposes, but abused by Threat Actors) since 2009.

Abuse Records of Alviva ASN

ASN ANALYSIS: EXTENDED

Upon checking the Peer Connections of the listed Alviva Holdings Limited ASNs, a few more pointers came to light.

AS209272 has 1 peer: FOP Gubina Lubov Petrivna (Ukraine 🇺🇦)

Peer of Alviva Holdings Limited: #1

AS209132 has 1 peer: Verdina Ltd (Belize 🇧🇿)

Peer of Alviva Holdings Limited: #2

These are notable cyber operations where the listed ASNs were spotted:

FOP (Luhansk 🇺🇦)

  • SPECTR Malware Delivery targeting the Ukrainian Government via SpearPhishing in March 2022 by Vermin (UAC-0020)🇷🇺
  • Magecart Group Infrastructure in 2019
  • APT28 Fancy Bear 🇷🇺 in 2025
  • Nokoyawa Ransomware Group hosted Onion Domains in 2022
  • ShadowSyndicate Infra in 2025

Verdina Ltd 🇧🇿

Verdina[.]net is a popular Go-To platform for cyber criminals for Booter/Stresser Service. It allows Bulletproof Hosting Service and is also notable for providing DDoS for Hire Services back in 2016.

Pricing Plan

Apart from this, the following are the significant Cyber Crimes associated with Verdina Hosting:-

  • Microsoft Credential Harvesting Campaign by Storm-1575: 2023
  • Fake Copyright Infringement Targeting Facebook 2FA: 2024
  • BianLian Ransomware Host: 2024
  • Cobalt Strike, Koi Loader, L3MON RAT, Brute Ratel & Sliver: 2025

Verdina is also hosted in Belize, which offers nonresidents the ability to establish offshore accounts (Shell Companies) and also helps it stay off the DOJ’s radar.

TRACING THE FOOTPRINTS: ALVIVA HOLDING LIMITED

In October 2021, there was a massive financial leak concerning wealthy individuals and public officials, titled “The Pandora Papers”. The International Consortium of Investigative Journalists (ICIJ) released 11.9 million leaked documents.

Upon analyzing the leaked data, I found Alviva’s Registered Address and Owner of the Entity, traced to a Russian National, Denis Nachaev.

Source: https://offshoreleaks.icij.org/nodes/240120141

Following is the Registered Address of Alviva Holdings Limited:-

SUITE 1, SECOND FLOOR
SOUND & VISION HOUSE
FRANCIS RACHEL STR.
VICTORIA, MAHE
SEYCHELLES

On scanning the records for the same address, I came across 12 entities with the same address:-

From the Leaked Records

Upon scanning the web, I came across more data points that attribute to the same address:-

  • AISLE SOLUTIONS LLP
  • STS CORPORATION LLP people
  • VION COMMERCE LTD
  • Coinweb Holdings Co Ltd
  • Sabi Group Ltd
  • AS209272 Alviva Holding Limited
  • Danitta Group LTD., 181353
  • Cryptocurrency Exchange | Nominex
  • FUN.CO PUBLISHING INC
  • VDSCLOUD-NET — Alviva Holding Limited
  • AS209132 Alviva Holding Limited
  • Bitay Limited
  • InPusher.com
  • Greensoftwaresupport.com — Alviva Holding Limited Suite
  • RDPGuard.com
  • G NETWORKS LTD
  • LETS EXCHANGE (letsexchange.io)
  • FUN.CO PUBLISHING INC
  • WAVES PLATFORM
  • Dolce500
  • Accent Markets Group Inc
  • AUTHENTIC CAPITAL
  • Yupiter Investland Ltd
  • Quifas (QFS)
  • bemine.club: CLOUD HOSTING
  • Taipei Digital LTD
  • BCFLEX.COM (CRYPTO TRADE)
  • Danitta Group
  • Bomax Invest
  • Vectro Group, Inc
  • Quotex — Investing Platform
  • LegalCoinsFXTrade
  • Greatgem Corporation : Diamond

This confirms that the given address is a bogus/fake address being used to operate Shell Companies.

ALPHA CONSULTING: BRIDGING CONNECTION ALVIVA HOLDING LTD

Analysis of the leak shows that Alviva Holding Limited is directly connected, via Denis Nachaev, to Alpha Consulting, which was blacklisted by the US Securities & Exchange Commission and included in its PAUSE Program (Public Alert — Unregistered Soliciting Entities).

PAUSE PROGRAM BY US SECURITIES 

Apparently, it also appeared in the biggest leak, “PANDORA PAPERS”.

ICIJ Leaks of Alpha Consulting Limited, where Alviva Holdings Ltd is a part of Pandora Leaks

As a result of this leak, the company Alpha Consulting Limited lost its license in March 2025. 

Now, it’s present among the blacklisted agencies in the world.

WHO IS DENIS NACHAEV?

As per the leaked records, Denis Nechaev is a Russian National who is a Beneficial Owner of Alviva Holding Limited.

Profile Details as per ICIJ

Denis’s address is being geo-located to Kaliningrad from the Pandora Paper Records.

DENIS NACHAEV: Connecting the Dots of Alviva Holdings and Alpha Consulting

Here is the registered address of the holder: DENIS NACHAEV

9 KOMMUNISTICHESKAIA STR
APT. 7, SVETLYI CITY
KALININGRADSKAIA OBLAST
RUSSIAN FEDERATION

While checking the genuineness of the provided address, it is found that this address is not (yet) associated with any other entities in the leak and is solely assigned to Denis Nachaev.

However, another interesting fact uncovered while scanning the database of Pandora Papers for Shell Companies is:

There are many “DENIS” profiles in the Panama Papers Leak

DENIS Records found in Panama Papers

This gives a strong indication that a fake identity is being used to operate the shell companies.

On delving deeper into this matter, we came across a news report published in 2023 about the identity of DENIS.

Source: Finance Uncovered

Now, we understand the “DENIS” Mystery. 

UK LAWS — A HOTBED FOR MALPRACTICE

The shell companies found in the Panama Papers are registered in the UK with UK addresses, not in the Seychelles. These companies often use virtual addresses in the UK, such as the example of Green Line LP being registered at “Unit 111337” in a one-room office in Bloomsbury, London, where many other shell firms are also registered. These are not physical offices where business is conducted but rather addresses used for registration purposes, a common practice for shell companies.

Why???

The anonymity comes from a loophole in UK law that exempts limited partnerships in England, Wales, and Northern Ireland from disclosing their “persons with significant control” (PSCs). Unlike regular UK limited companies, these partnerships don’t need to publicly name their ultimate owners, allowing hidden control by individuals (often from Russia or former Soviet states).

In short -> SEYCHELLES serves as the Operational Base for Alpha Consulting, which recruits local nominees (like Denis) to act as fronts via Shell Companies registered in the UK (Virtually). 

NOTE: If we dig further down the rabbit hole, we encounter a Geo-political angle that points to high-profile cases.

CONCLUSION

Alviva Holdings Limited spans multiple IPs.

Countries like Seychelles, Vanuatu, Belize are hubs of Illicit Activities such as Money Laundering, Tax Evasion, Drug Trafficking, etc.

Registering an Operational Base in these countries, combined with flawed UK Laws, helps Criminals grow their Crime Network.

If you come across an entity whose location is traced back to these countries, it’s a Red Flag for you to capture it and start the investigation, but check for other parameters before making an early assumption.

KEY-TAKEAWAYS

Cyber Criminals who operate in different verticals, such as Ransomware, Stealer Logs, Server Stressing (DDoS), might not be aware that the services they subscribe to, such as Domain Registration, Server Hosting, etc., are black-listed.

The bogus identity operative (here, a Seychelles National) might not know what type of business they are registering, as they work for a nominal fee per registration.

The anonymity provided by UK Law is being exploited by Criminals.

Such Internet/Proxy Services serve as the hub of Cyber Crime, such as DDoS, Ransomware Attacks, Bulletproof Hosting and much more.

WHAT CAN YOU DO?

  • Blocking all the IPs from a subnet is not an effective method; however, you may put the subnet on a Grey list so that your SIEM raises an alert whenever a connection is found to come from the discussed ASN Network.
  • Do not rely on a single platform to assess risk, as some Threat Intelligence platforms supply outdated info: for example, some IPs have moved to another ASN but still show up under the old ASN's records.
  • The maliciousness of an IP can be judged by its Infection Recency, which helps you defend against the threat before it targets your environment.
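
The three recommendations above can be combined into one triage step. The following is an added example, not code from the original article: it resolves an IP to an ASN from two hypothetical intel feeds (preferring the most recently observed record and flagging disagreement), greylists the two ASNs named in this article instead of blocking, and raises the alert level when the IP was recently seen as malicious. The feed names, observation dates, "last seen malicious" dates, the 198.51.100.0/24 prefix and AS64500 are constructed sample values.

```python
import ipaddress
from datetime import date

GREYLIST_ASNS = {209132, 209272}   # the two Alviva Holding Limited ASNs named in this article

# Constructed prefix -> ASN records from two hypothetical intel feeds: (prefix, asn, date observed).
# The /32 entries use the article's IPs; 198.51.100.0/24 and AS64500 are documentation values.
FEEDS = {
    "feed_a": [("147.45.112.231/32", 209132, date(2025, 5, 10)),
               ("185.55.242.97/32", 209272, date(2025, 5, 10)),
               ("198.51.100.0/24", 209132, date(2023, 1, 5))],    # stale record
    "feed_b": [("147.45.112.231/32", 209132, date(2025, 5, 12)),
               ("198.51.100.0/24", 64500, date(2025, 4, 30))],    # prefix has since moved
}
# Constructed "last seen malicious" dates per IP (infection recency).
LAST_MALICIOUS = {"147.45.112.231": date(2025, 5, 11)}

def resolve_asn(ip):
    """Return (asn, feeds_disagree), trusting the most recently observed record."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for records in FEEDS.values():
        matches = [(ipaddress.ip_network(p).prefixlen, seen, asn)
                   for p, asn, seen in records if addr in ipaddress.ip_network(p)]
        if matches:
            _, seen, asn = max(matches)        # longest matching prefix within one feed
            hits.append((seen, asn))
    if not hits:
        return None, False
    newest_asn = max(hits)[1]                  # newest observation across feeds wins
    return newest_asn, len({asn for _, asn in hits}) > 1

def triage(ip, today, recent_days=30):
    """Greylist verdict: never blocks, only sets an alert level for the SIEM."""
    asn, conflict = resolve_asn(ip)
    if asn not in GREYLIST_ASNS:
        return {"ip": ip, "asn": asn, "level": "none", "stale_feed": conflict}
    seen = LAST_MALICIOUS.get(ip)
    recent = seen is not None and (today - seen).days <= recent_days
    return {"ip": ip, "asn": asn, "level": "high" if recent else "review",
            "stale_feed": conflict}

if __name__ == "__main__":
    for ip in ("147.45.112.231", "185.55.242.97", "198.51.100.7", "203.0.113.9"):
        print(triage(ip, today=date(2025, 5, 20)))
```

The `stale_feed` flag marks cases where one feed still attributes a prefix to a greylisted ASN after it has moved, which is the single-platform pitfall described in the second bullet.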

IOCs


EXTRA READING

https://www.financeuncovered.org/stories/russian-owned-shell-company-provider-loses-seychelles-licence-following-finance-uncovered-investigation
https://www.financeuncovered.org/stories/seychelles-secrets-island-tourist-paradise-alpha-consulting-valkovskaya-uk-economic-crime-act
https://www.icij.org/investigations/pandora-papers/seychelles-offshore-services-provider-highlighted-in-the-pandora-papers-shuts-down-operations/
https://verify365.app/offshore-firms-role-in-putin-inner-circle/
https://www.bbc.com/news/uk-67276289


NOTE: The article is purely Individual Research and is only associated with THE RAVEN FILE and is not subjected to be used/published anywhere without the Author’s consent.
