US Indicts Russians Over Bulletproof Hosting | #ransomware | #cybercrime


Charges Against the Infrastructure Behind the Attacks

US authorities unsealed an indictment Tuesday against three Russian nationals and two companies accused of running the computer infrastructure that powered ransomware attacks and other malicious cyber operations against American critical infrastructure. The State Department is offering up to $10 million and possible relocation for information. The 75-page indictment, returned in December 2024 in the Northern District of Ohio, names 44 unnamed victims who suffered more than $62 million in losses.

A hacker - artistic impression.
A hacker – artistic impression. Image credit: David Whelan via Wikimedia

Key Takeaways

  • Alexander Alexandrovich Volosovik, 43, Kirill Andreevich Zatolokin, 34, and Yulia Vladimirovna Pankova, 29, all of St. Petersburg, are charged with conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering, alongside their companies Media Land LLC and ML.Cloud LLC.
  • Victims span 21 states and several countries and include banks, schools, government entities, hospitals, and media companies, with ransomware groups LockBit, BlackSuit, and Play among those using the infrastructure.
  • Treasury sanctioned all three individuals and the companies in November 2025 alongside the UK and Australia, and the European Union announced its own sanctions on July 13.

The businesses sold what the industry calls bulletproof hosting: servers and internet services deliberately engineered to survive detection and defy law enforcement takedowns. Shell companies, anonymous domain registrations, rapid IP rotation. The point is not the technology. The point is that nobody can turn it off.

Media Land, owned by Volosovik, and ML.Cloud, owned by Pankova at the time of the investigation, both operated from St. Petersburg. Media Land was incorporated in 2015 and works out of a semi-industrial part of the city. Its infrastructure reached across China, Finland, the Netherlands, and the United States.

Volosovik, known online as “Yalishanda,” advertised the services on criminal forums, according to the indictment, promoting features useful to cybercriminals. Zatolokin collected payments and coordinated services with clients. The companies gave their customers the means to infect victim computers with malware and ransomware, then extort those victims for money and cryptocurrency.

Who Got Hit

US Attorney David M. Toepfer for the Northern District of Ohio described the reach.

“The victims in this case are not only in Ohio, but also in 20 other states across the country, touching every aspect of Americans’ lives. They include banks, schools, government entities, hospitals, and media companies,” he said.

“In fact, Media Land controlled vast numbers of servers which controlled thousands of IP addresses that hosted some of the most vicious ransomware gangs on the planet,” Toepfer said.

“They also offered a service known as bulletproof hosting,” he added. “The cyber criminals used bulletproof hosting to evade security software so they could infect computer systems of organizations and then hold them for ransom.”

Assistant Attorney General A. put it more directly: “From their overseas haven, these defendants ran the criminal infrastructure that powered attacks on critical institutions across our nation.”

The case started small. A single hacking-related crime reported to the FBI’s Cleveland office. “As the FBI is so good at doing, they started peeling back layers of the onion and realized that this was far larger than your typical hacker, just trying to break into somebody’s computer system,” Toepfer said. Individuals in Cleveland, Elyria, Akron, Medina, and Valley View were among those targeted.

Prosecutors say cybercrime marketplaces including Briansclub, Cardhouse, crdclub, Club2crd, Verified, Fullzinfo, Swipestore, and Bidencash ran on Media Land infrastructure. Volosovik maintained direct contact with Dmitry Khoroshev, the sanctioned LockBit administrator known as “Lockbitsupp.”

The Reward and the Reality

The Rewards for Justice offer is narrower than it looks. It seeks information on foreign government-linked associates of the three, their malicious cyber activities, or foreign government-linked use of Media Land or ML.Cloud. That phrasing is doing work: the government wants to know who else is in the building.

“To this day, they are likely still shielding criminal activity,” Brett Leatherman, assistant director of the FBI’s cyber division, said of Media Land.

The FBI is now watching for displacement. “We’re looking for that now — to understand where those shifts may be and what opportunities are available to us in law enforcement and in the intelligence community to target those,” Leatherman said.

Russia and the United States have no extradition treaty. Moscow recently warned Russians against traveling to countries that routinely send suspects to the US. All three defendants are known residents of St. Petersburg. When Treasury sanctioned them, it released a photograph of Zatolokin holding a weapon and wearing a Media Land t-shirt.

The investigation was led by the FBI’s Cleveland Division with help from CISA and OFAC, plus the National Police and Public Prosecutor’s Office of the Netherlands, the UK’s National Crime Agency, and Australian authorities.

“The AFP welcomes and supports the United States’ Department of Justice announcement on the indictment on the principal Media Land operator, Aleksandr Alexandrovich Volosovik – also known as Yalishanda,” AFP Assistant Commissioner Cyber and Special Investigations Sandra Booth said. “AFP’s cooperation with partner law enforcement agencies in the United States and internationally is critical in disrupting criminal activity. The AFP remains committed to continuing its relentless work to target cybercriminals.”

Why the Landlords Matter More Than the Tenants

Ransomware crews get the headlines. The hosting companies keep them running. Michael DeBolt, president and chief intelligence officer at security firm Intel471, described bulletproof hosting providers as “fuel to the cybercrime underground.”

Western governments have been working this angle for years. In February 2025, the US, UK, and Australia jointly sanctioned Zservers, another Russian bulletproof host tied to LockBit, designating two Russian nationals who ran it. That action followed similar coordinated moves against Evil Corp. The pattern is consistent: go after the layer beneath the attack, because attackers are replaceable and infrastructure is not. A parallel case saw four men indicted over a proxy network built from aging routers that had earned over $46 million since 2004.

The results speak to the difficulty. Sanctions did not stop Media Land. It took another year to unseal charges, and the defendants remain in a country that will not send them anywhere. Meanwhile the attacks kept coming. Groups like ShinyHunters have exploited unpatched enterprise software to breach over 100 organizations, and crews such as TeamPCP have moved into ransomware-as-a-service partnerships with criminal platforms. Every one of them needs somewhere to host.

The Justice Department’s own framing acknowledges the limit. The indictment and the reward were announced together, which is what you do when arrest is not currently on the table. The charges are real. The extradition is theoretical. The $10 million is aimed at whoever decides the theoretical is worth testing. Reporting on the case notes that US and European law enforcement have tracked these three for years without laying a hand on them.

Written by Vytautas Valinskas






Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW