Cybercrime
,
Fraud Management & Cybercrime
,
Ransomware
3 Russians Indicted for Running Services Tied to $62M in Ransomware, Other Losses

A trio of Russian nationals is charged with running online infrastructure known as bulletproof hosting that facilitated cyberattacks against American critical national infrastructure.
See Also: Experts Offer Insights from Theoretical to the Realities of AI-enabled Cybercrime
A U.S. federal grand jury indictment unsealed Tuesday accuses Alexander Alexandrovich Volosovik, 43, Kirill Andreevich Zatolokin, 34, and Yulia Vladimirovna Pankova, 29, with conspiring to commit computer fraud, wire fraud and money laundering.
The indictment, dated Dec. 5, 2024, also lists Media Land, owned by Volosovik, and ML.Cloud, owned by Pankova, and accuses the services of facilitating the theft, extortion and illicit collection of at least $62 million from victims located across 21 states and multiple countries.
The charges are the result of a seven-year investigation led by the FBI, with assistance from the Cybersecurity and Infrastructure Security Agency, the Office of Foreign Assets Control and Australian, British and Dutch law enforcement, said the U.S. Department of Justice. The FBI has been continuing to target key criminal actors, infrastructure and financial networks that facilitate cybercrime and online-enabled fraud, under the banner of Operation Riptide.
“This is another step in our broader campaign to shrink the space in which these actors can operate, forcing them to work harder, take greater risks and lose the anonymity they depend on,” said Brett Leatherman, assistant director of the FBI Cyber Division.
The governments of Australia, Britain and the United States in November 2025 issued joint sanctions against the three Russians and their two companies. “The disruption and removal of bulletproof hosts is a vital step to prevent cybercriminals who prey on the victims online,” said Australian Federal Police in a Tuesday statement (see: US, Allies Sanction Russian Bulletproof Ransomware Host).
The named individuals and entities are based in St. Petersburg, Russia, although also provided infrastructure based in multiple other countries, including China, Finland, the Netherlands and the United States, according to court documents.
Prosecutors have accused Media Land and sister company ML.Cloud of providing a number of illicit services, including bulletproof hosting as well as fraudulent domain registration and fast-flux obfuscation, and said the infrastructure facilitated phishing campaigns, ransomware attacks, banking Trojans, brute-force attacks, distributed-denial-of-service attacks and hosting cybercrime forums.
“Investigators found that dozens of victim organizations were targeted by criminal groups who used Media Land’s and ML.Cloud’s services. Victim entities included banks, schools, government entities, hospitals and media companies” both in the United States and globally, according to the indictment.
According to the indictment, in August 2016, Volosovik and Zatolokin used the moniker “podzemniy” to advertise their services on the cybercrime forum Dark Money, writing: “Hello! We are glad to offer you BP hosting services. We keep any projects. All except child porn.” Specific services listed included bulletproof hosting virtual private services, domain registration, kernel-based virtual machines and fast-flux services, which use rapidly changing IP addresses to obscure the actual domain behind any given activity.
The indictment said Volosovik, using the moniker “Yalishanda,” posted in December 2018 an advertisement on darknet market Exploit subject-lined “Leading-edge FastFlux! Bulletproof hosting.” Pricing, presumably per month, ranged from $150 to manage one domain in the FastFlux panel, to $500 for unlimited domains.
Over 17 ransomware groups, including BlackSuit, Cl0p, LockBit and Play relied on Media Land’s bulletproof hosting services to perpetrate their attacks, from infecting victims with crypto-locking malware and exfiltrating data, to facilitating victim communications and laundering ransoms paid in cryptocurrency, said the FBI’s Cyber Division and Dutch law enforcement.
Defendants, as part of their bulletproof service offerings, allegedly ignored multiple abuse notifications warning that multiple phishing and ransomware campaigns and other types of malware, including the Ermac and RedAlert Android banking Trojans designed to steal victims’ credentials, were being deployed from Media Land or ML.Cloud servers.
The defendants’ infrastructure allegedly hosted numerous “carder” sites devoted to selling stolen payment card data, including in 2023 the following sites: Bidencash, Briansclub, Cardhouse, Club2crd, crdclub, Fullzinfo, Swipestore and Verified.
Prosecutors said the services ran from 2014 until at least the date of the indictment.
Alongside the unsealing of the indictment, the U.S. Department of State, as part of its Rewards for Justice program, on Tuesday announced a reward of up to $10 million and potential for being relocated “for actionable information on foreign government-linked associates of Pankova, Volosovik and Zatolokin, their malicious cyber activities, or foreign government-linked use of Media Land or ML.Cloud.” The program also maintains a Tor-based channel for tips.
The European Council on Monday announced sanctions against nine Russians and four entities for supporting illicit cyber ecosystem activities, including Media Land, its owner Volosovik, as well as ML.Cloud.
“Media Land LLC has been facilitating a wide array of malware attacks against both EU member states and globally, leading to significant financial losses. It enabled cybercriminals to engage in malicious cyber activities, including large-scale ransomware and phishing operations that targeted critical infrastructure and essential services among EU member states,” the council said.
“The sanctions were introduced to make it harder for cybercriminals to continue their activities and to disrupt their criminal business model,” said Dutch National Police and the Public Prosecutor’s Office of the Netherlands.
