Department of Justice charges three Russians in $63M cybercrime scheme tied to ransomware infrastructure

Department of Justice charges three Russians in $63M cybercrime scheme tied to ransomware infrastructure

The indictment targets operators of bulletproof hosting services that enabled LockBit, BlackSuit, and other ransomware groups to attack victims across 21 US states.

Three Russian nationals have been charged by the US Department of Justice for allegedly running a cybercrime operation that cost Americans more than $62 million. The December 2024 indictment, unsealed this week by the US Attorney’s Office for the Northern District of Ohio, paints a picture of a sophisticated hosting infrastructure purpose-built to shield some of the world’s most prolific ransomware operators.

Alexander Alexandrovich Volosovik, 43, Kirill Andreevich Zatolokin, 34, and Yulia Vladimirovna Pankova, 29, allegedly ran two St. Petersburg-based companies, Media Land, LLC and ML.Cloud, LLC, that prosecutors say conducted “malicious cyber activities against U.S. critical infrastructure.” Victims spanned 21 states.

Advertisement

The bulletproof hosting playbook

Media Land reportedly emerged in 2015 as a prominent player in Russia’s bulletproof hosting market, though Volosovik, who allegedly goes by the alias “Yalishanda,” has been a figure in that space since around 2009-2010. The companies provided the digital backbone for ransomware groups including LockBit and BlackSuit, two names that have become synonymous with large-scale extortion campaigns targeting hospitals, schools, and critical infrastructure.

LockBit operated as a ransomware-as-a-service platform, essentially franchising its malware to affiliates who would carry out attacks and split the ransom payments. BlackSuit has targeted everything from municipal governments to healthcare systems. Both groups relied heavily on infrastructure like what Media Land allegedly provided.

Sanctions pile on from three countries

On November 19, 2025, the US Treasury Department coordinated with authorities in the UK and Australia to impose sanctions against Volosovik, Zatolokin, and their companies. Sanctions in this context make it functionally illegal for any person or entity in the sanctioning countries to do business with the designated individuals or companies. For a hosting provider that needs to interact with the global internet infrastructure, including domain registrars, payment processors, and upstream bandwidth providers, sanctions can be operationally devastating even if the defendants never set foot outside Russia.

The crypto connection and what it means for markets

While the unsealed indictment doesn’t explicitly center on cryptocurrency, the ransomware ecosystem it describes runs almost entirely on digital assets. Ransomware payments are overwhelmingly denominated in Bitcoin or, increasingly, stablecoins like Tether. LockBit affiliates routinely demanded payment in Bitcoin, and blockchain analytics firms have traced hundreds of millions in ransom flows through on-chain transactions.

For crypto exchanges and service providers, cases like this tend to accelerate compliance requirements. The Office of Foreign Assets Control (OFAC) sanctions against Media Land and its operators mean that any exchange processing transactions linked to these entities could face severe penalties.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Department of Justice charges three Russians in $63M cybercrime scheme tied to ransomware infrastructure

Department of Justice charges three Russians in $63M cybercrime scheme tied to ransomware infrastructure

The indictment targets operators of bulletproof hosting services that enabled LockBit, BlackSuit, and other ransomware groups to attack victims across 21 US states.

Three Russian nationals have been charged by the US Department of Justice for allegedly running a cybercrime operation that cost Americans more than $62 million. The December 2024 indictment, unsealed this week by the US Attorney’s Office for the Northern District of Ohio, paints a picture of a sophisticated hosting infrastructure purpose-built to shield some of the world’s most prolific ransomware operators.

Alexander Alexandrovich Volosovik, 43, Kirill Andreevich Zatolokin, 34, and Yulia Vladimirovna Pankova, 29, allegedly ran two St. Petersburg-based companies, Media Land, LLC and ML.Cloud, LLC, that prosecutors say conducted “malicious cyber activities against U.S. critical infrastructure.” Victims spanned 21 states.

Advertisement

The bulletproof hosting playbook

Media Land reportedly emerged in 2015 as a prominent player in Russia’s bulletproof hosting market, though Volosovik, who allegedly goes by the alias “Yalishanda,” has been a figure in that space since around 2009-2010. The companies provided the digital backbone for ransomware groups including LockBit and BlackSuit, two names that have become synonymous with large-scale extortion campaigns targeting hospitals, schools, and critical infrastructure.

LockBit operated as a ransomware-as-a-service platform, essentially franchising its malware to affiliates who would carry out attacks and split the ransom payments. BlackSuit has targeted everything from municipal governments to healthcare systems. Both groups relied heavily on infrastructure like what Media Land allegedly provided.

Sanctions pile on from three countries

On November 19, 2025, the US Treasury Department coordinated with authorities in the UK and Australia to impose sanctions against Volosovik, Zatolokin, and their companies. Sanctions in this context make it functionally illegal for any person or entity in the sanctioning countries to do business with the designated individuals or companies. For a hosting provider that needs to interact with the global internet infrastructure, including domain registrars, payment processors, and upstream bandwidth providers, sanctions can be operationally devastating even if the defendants never set foot outside Russia.

The crypto connection and what it means for markets

While the unsealed indictment doesn’t explicitly center on cryptocurrency, the ransomware ecosystem it describes runs almost entirely on digital assets. Ransomware payments are overwhelmingly denominated in Bitcoin or, increasingly, stablecoins like Tether. LockBit affiliates routinely demanded payment in Bitcoin, and blockchain analytics firms have traced hundreds of millions in ransom flows through on-chain transactions.

For crypto exchanges and service providers, cases like this tend to accelerate compliance requirements. The Office of Foreign Assets Control (OFAC) sanctions against Media Land and its operators mean that any exchange processing transactions linked to these entities could face severe penalties.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.