Federal prosecutors on Monday unsealed a grand jury indictment charging three Russian nationals and their two St. Petersburg-based companies with running the bulletproof hosting infrastructure that prosecutors allege powered ransomware attacks by LockBit, Cl0p, BlackSuit, Play, and at least 13 other criminal groups — a decade-long operation that caused more than $62 million in documented victim losses across hospitals, schools, banks, and government agencies in 21 states, according to the DOJ press release. The same day, the State Department posted a $10 million reward for anyone with information on “foreign government-linked associates” of the three operators — a signal that US investigators suspect ties between Media Land and the Russian state that go beyond commercial cybercrime.
The indictment, returned under seal by a federal grand jury in the Northern District of Ohio on December 5, 2024, and kept sealed for more than seven months, names Alexander Alexandrovich Volosovik, 43, who operated under the alias “Yalishanda” on criminal forums and owned Media Land; Kirill Andreevich Zatolokin, 34, who collected customer payments and coordinated services with criminal clients; and Yulia Vladimirovna Pankova, 29, who owned ML.Cloud and handled its legal and financial operations, prosecutors allege. All three face charges of conspiracy to commit computer fraud, conspiracy to commit wire fraud, ten counts of wire fraud, and conspiracy to commit money laundering. None is believed to be in custody, and Russia’s lack of an extradition treaty with the United States means the practical pressure of the charges falls primarily on financial and intelligence channels rather than on any near-term prospect of trial.
What Is Bulletproof Hosting — and Why It Matters More Than the Ransomware Groups Themselves
Bulletproof hosting is the enabling layer of the ransomware economy. Rather than deploying malware or carrying out intrusions directly, bulletproof hosting providers supply the servers, domains, and anonymization infrastructure that ransomware operators need to host attack payloads, run command-and-control systems, operate phishing kits, process cryptocurrency ransoms, and house stolen data markets. They market themselves as “bulletproof” by deliberately ignoring abuse complaints and resisting law enforcement takedown orders — a commercial proposition that requires physical operations in jurisdictions with either lenient laws or government protection that insulates them from Western legal process, according to the standard definition of such services.
Media Land’s particular technical edge was its fast-flux service, which the indictment describes in detail. Fast-flux is a DNS-based evasion technique that assigns dozens of rotating IP addresses to a single domain, cycling through them every three to ten minutes, so that any given snapshot of which IP address maps to which domain becomes obsolete almost immediately. Volosovik advertised the service directly on the darknet market Exploit in December 2018 under the headline “Leading-edge FastFlux! Bulletproof hosting,” with pricing ranging from $150 per month to manage a single domain through his fast-flux panel to $500 per month for unlimited domains, according to GovInfoSecurity’s review of the indictment. For the ransomware groups that relied on this infrastructure, fast-flux made tracing their attacks back to any stable origin server nearly impossible — which is precisely why a competent host offering it could charge market rates and maintain long-term client relationships.
The result was a criminal supply chain operating at industrial scale. Prosecutors allege that Media Land’s client database held approximately 389 usernames and more than 5,000 registered domains, according to court documents reviewed by GovInfoSecurity. Seventeen or more criminal groups used the infrastructure, including some of the most prolific ransomware operations of the past decade — LockBit, described by the FBI as the most deployed ransomware variant worldwide; Cl0p, responsible for mass-exploitation campaigns against enterprise file-transfer products affecting thousands of organizations simultaneously; BlackSuit, the subject of DOJ disruption actions in August 2025; and Play, against which the FBI had identified approximately 900 victim entities as of May 2025. Beyond ransomware, the indictment alleges Media Land’s servers also hosted eight of the largest stolen credit card marketplaces operating in 2023, including Briansclub, Bidencash, Cardhouse, Club2crd, crdclub, Fullzinfo, Swipestore, and Verified, according to GovInfoSecurity.
How Media Land Operated Across a Decade
Media Land’s operational history, as laid out in court documents, traces back to at least 2014 — two years before Volosovik and Zatolokin began openly advertising on cybercriminal forums. The company was formally incorporated in 2015, according to Russian business records, in a semi-industrial district of St. Petersburg.
By August 2016, Volosovik and Zatolokin were advertising on the Dark Money cybercrime forum under the pseudonym “podzemniy,” writing: “Hello! We are glad to offer you BP hosting services. We keep any projects.” The offer was unambiguous: any criminal activity was welcome, and law enforcement pressure would be absorbed rather than passed on to the client, according to GovInfoSecurity’s review of the indictment.
The defendants, prosecutors allege, repeatedly ignored or falsified abuse reports, rotated infrastructure to stay ahead of takedowns, and accepted cryptocurrency payments to protect client identities. Media Land maintained physical infrastructure not only in Russia but in China, Finland, the Netherlands, and the United States — a multi-jurisdictional footprint that complicated the coordination required for any single-country enforcement action and explains why the investigation required seven years and the active participation of Dutch law enforcement before charges could be unsealed, according to the DOJ press release.
The indictment also names Ermac and RedAlert, two Android banking Trojans, among the malware families prosecutors allege were hosted on Media Land’s infrastructure — a reminder that the operation’s criminal clientele extended beyond ransomware operators to attackers targeting consumers’ banking credentials on mobile devices, per GovInfoSecurity.
Forty-Two Victims Across Twenty-One States
The indictment names 42 US victim organizations across 21 states. US Attorney David M. Toepfer for the Northern District of Ohio described the scope plainly: the victims include “banks, schools, government entities, hospitals, and media companies” — institutions that collectively represent critical functions Americans depend on daily. International victims spanned Australia, European Union member states, the UAE, Canada, and the UK, according to TechNadu’s coverage.
The harm did not stop at data theft or financial losses. Play ransomware, one of Media Land’s documented clients according to prosecutors, disrupted Rackspace’s email service — an attack that knocked out email access for thousands of Rackspace customers and illustrates how a single infrastructure provider’s client list can translate into service disruptions at national scale. In the broader European context, the FSB’s Centre 16 — whose cyber operations the July 13 EU-UK sanctions package specifically named — attempted an attack on Poland’s power grid during the winter of 2025 that authorities said could have cut electricity to 500,000 citizens if it had succeeded, according to the UK government’s sanctions announcement.
Last year, Americans filed more than one million cybercrime complaints with the FBI, reporting over $20 billion in total losses — a 26% increase in a single year, according to the DOJ. The Media Land operation is part of the ecosystem that generated those losses.
Why Shutting Down One Host Is Never Enough
The most significant enforcement challenge this case illustrates is also the least discussed in the indictment itself: the Hydra problem in bulletproof hosting enforcement.
FBI Cyber Division Assistant Director Brett Leatherman told CNN after the unsealing that the FBI believes Media Land “is likely still shielding criminal activity” even after the indictment and sanctions — and that the bureau is already monitoring the criminal ecosystem for signs of client migration: “We’re looking for that now — to understand where those shifts may be and what opportunities are available to us in law enforcement and in the intelligence community to target those.”
The pattern Leatherman described is well-documented. When a bulletproof hosting provider is disrupted, its clients typically migrate to alternative providers within days, reconstructing operational infrastructure with minimal interruption, a pattern documented in prior cases. The 2023 Genesis Market takedown generated exactly this outcome — security researchers documented the emergence of replacement markets within weeks. The more recent Stark Industries seizure in May 2026, when Dutch investigators seized 800 servers, produced the same pattern, with GreyNoise researchers documenting what they described as a “seamless migration” of attack infrastructure to new autonomous systems with virtually identical behavioral signatures, as reported by TechTimes.
The strategic logic of Operation Riptide, the FBI’s 60-day campaign launched on June 9, 2026, under Executive Order 14390 and the Trump administration’s National Cyber Strategy, is precisely this: rather than pursuing individual ransomware groups that reconstitute quickly, apply simultaneous pressure across multiple shared-infrastructure providers — the bulletproof hosts, the criminal VPNs, the cryptocurrency laundering rails — to collapse the ecosystem rather than merely relocate it, the FBI explained at the operation’s launch. First VPN Service fell in May 2026. Stark Industries lost its servers the same month. Media Land’s principals now face criminal charges and multi-nation sanctions. The test of whether any of this amounts to a lasting strategic shift, or another round of Hydra-head removal, will be visible in the FBI’s ongoing monitoring of where Media Land’s 17-plus criminal client groups move next.
First-Ever Joint EU-UK Cyber Sanctions Add Diplomatic Weight
The day before the indictment was unsealed, the European Union and the United Kingdom jointly imposed coordinated cyber sanctions against Media Land, ML.Cloud, and Volosovik personally — the first time the two jurisdictions have simultaneously acted under their respective cyber sanctions regimes. The EU designated nine Russian individuals and four entities as part of its 21st sanctions package, while the UK added 24 names to its blacklist, according to Euronews.
The joint package went beyond Media Land. The EU and UK specifically attributed a FSB Centre 16 cyberattack on Poland’s energy grid to Russia, named GRU senior leadership figures, and sanctioned individuals behind Rybar LLC, a Russian state-backed disinformation operation that has interfered in EU elections, according to the UK Foreign Office. Paul Foster, director of the UK’s National Cyber Crime Unit, said the action reflects “the strength of close collaboration between international partners” to identify, disrupt, and bring cybercriminals to justice.
The US and UK had previously sanctioned all three defendants and both companies in November 2025, joined in part by Australia, through coordinated Treasury Department action. The November 2025 action also sanctioned Aeza Group, another Russian bulletproof hosting provider, after it attempted to evade prior sanctions by rebranding through a UK-registered front company called Hypercore, according to TechCrunch.
Russian State Ties and the $10 Million Question
Michael DeBolt, president and chief intelligence officer at cybersecurity firm Intel471, described bulletproof hosting providers in structural terms to CNN: they are “fuel to the cybercrime underground,” and Media Land’s impact “should be measured by the years of criminal activity it has supported, enabled and sustained.”
The State Department’s Rewards for Justice program went further than law enforcement language typically does. Its $10 million offer is specifically targeted at information on “foreign government-linked associates” of the three defendants, their malicious cyber activities, or “foreign government-linked use of Media Land or ML.Cloud.” That phrasing — which explicitly invites intelligence on whether Volosovik, Zatolokin, or Pankova were acting in service of, or with protection from, the Russian state — is unusual even in the context of cybercrime bounties, which more commonly seek information on the suspects’ identities or locations.
The UK’s Foreign Commonwealth and Development Office noted in its November 2025 designation that Volosovik had worked with Evil Corp, a cybercrime group whose senior leadership the US Treasury has previously linked to FSB directives, according to BleepingComputer’s reporting on the prior sanctions. The EU’s July 13 sanctions package, announced the day before the indictment unsealing, explicitly named FSB Centre 16 as the coordinating body behind the broader ecosystem of state and non-state cyber actors operating against EU member states, according to the Kyiv Independent.
All three defendants are presumed innocent. All three are believed to be in Russia. Without an extradition treaty, and with Moscow maintaining its established practice of warning Russian nationals against travel to countries that routinely transfer criminal suspects to US jurisdiction, the prospects for any of them facing trial are slim. What the charges, sanctions, and bounty collectively accomplish is the closing of financial pathways, the imposition of reputational costs, and — through the Rewards for Justice mechanism — an active effort to extract intelligence from someone, anywhere, who knows whether the Kremlin was doing more than simply looking the other way.
Frequently Asked Questions
What is bulletproof hosting, and why is it more dangerous than ransomware itself?
Bulletproof hosting refers to commercial internet infrastructure services that deliberately market to cybercriminals and resist law enforcement pressure — accepting any client, ignoring abuse complaints, and using technical measures like fast-flux DNS rotation to make the hosted activity nearly impossible to trace and shut down. The reason it can be more dangerous than any individual ransomware gang is structural: when a specific ransomware group is dismantled, its members may be arrested or its infrastructure seized, but a bulletproof host serves dozens of groups simultaneously. Take down one ransomware gang and you remove one threat actor. Take down the host — if you can — and you disrupt the entire client list. But the reverse is also true: if criminal clients migrate to a new host within days, the disruption is temporary. Media Land, according to prosecutors, served 17 or more criminal groups at once, meaning its infrastructure was more valuable to the criminal ecosystem than any single ransomware operation it hosted.
Are LockBit, Cl0p, and Play still active despite losing their Media Land hosting?
All three groups were considered active as of mid-2026. LockBit has demonstrated resilience through variants and imitators despite a major international disruption operation in 2024. Cl0p continues its pattern of mass-exploitation campaigns targeting widely used enterprise software. Play was linked to approximately 900 identified victim entities as of May 2025 and has continued operating. Losing a bulletproof hosting provider is a disruption, not a death sentence for these groups — they maintain technical expertise, established criminal relationships, and the resources to procure alternative infrastructure, often within days of a provider’s shutdown. The FBI has confirmed it is already watching the ecosystem to track where Media Land’s clients migrate.
Can the three Russian defendants ever actually be prosecuted?
Only if they leave Russia. The United States and Russia have no extradition treaty, and Russia has a consistent practice of not surrendering its nationals to face criminal charges abroad. Moscow renewed warnings to Russian nationals following this indictment against traveling to countries that routinely transfer suspects to the US. In practical terms, the indictment functions primarily as a financial and reputational instrument: the accompanying sanctions block access to the US financial system and create secondary-sanctions risk for anyone transacting with the defendants or their companies, while the $10 million Rewards for Justice bounty targets a different goal — extracting intelligence about the defendants’ possible ties to the Russian government, which the State Department’s specific phrasing suggests is an active investigative question.
What should organizations do to reduce their exposure to the ransomware operations that relied on Media Land’s hosting?
CISA and the Joint Ransomware Task Force released practical guidance alongside the November 2025 sanctions targeting Media Land, specifically advising internet service providers to implement “know your customer” processes that require verified identity from new hosting clients, and advising network defenders to monitor for and block traffic from known bulletproof hosting autonomous system numbers. For organizations, the most directly relevant steps remain well-established: maintain offline and immutable backups, enforce multi-factor authentication across all remote access points, patch VPN and firewall appliances on a priority basis, and use endpoint detection and response tools configured to flag lateral movement patterns — because the ransomware groups prosecutors allege were hosted by Media Land all depended on gaining a foothold and moving through victim networks before deploying their encryption payload.
