U.S. sentences Russian access broker to 81 months over ransomware attacks that caused $9 million in losses


A U.S. court has sentenced Russian national Aleksei Volkov to 81 months in prison for helping major cybercrime groups, including the Yanluowang ransomware crew, breach American organizations and extort victims for millions. The Justice Department said Volkov enabled dozens of ransomware attacks across the United States, causing more than $9 million in actual losses and more than $24 million in intended losses.

According to DOJ, Volkov worked as an initial access broker, a criminal role that focuses on breaking into company networks and then selling that access to other threat actors. Prosecutors said his co-conspirators used the access he provided to deploy malware, encrypt data, disrupt business operations, and demand cryptocurrency ransoms that sometimes reached into the tens of millions of dollars.

The case highlights a part of the ransomware economy that often receives less attention than the extortion crews themselves. Access brokers like Volkov do not always launch the final attack, but they help make it possible by finding vulnerabilities, obtaining unauthorized entry, and handing the keys to ransomware operators. DOJ said Volkov also received a share of the ransom proceeds when victims paid.

What the Justice Department says Volkov did

DOJ said Volkov, 26, from St. Petersburg, gained unauthorized access to corporate and organizational networks, then sold that access to other cybercriminals. Those partners went on to infect victim systems with malware that encrypted files and blocked access to data. In some cases, victims paid to recover access. In others, the attackers published stolen information on leak sites.

The department said Volkov was indicted in both the Southern District of Indiana and the Eastern District of Pennsylvania. Italian police arrested him in Rome, and he was later extradited to the United States. On November 25, 2025, he pleaded guilty to charges from both indictments after the two cases were consolidated in Indiana.

As part of that plea, Volkov admitted he and his co-conspirators hacked numerous victim networks, stole data, deployed ransomware, demanded cryptocurrency payments, and divided the proceeds. DOJ said he agreed to pay full restitution, including at least $9,167,198.19 to known victims, and to forfeit equipment he used in the crimes.

Why this case matters

The sentence shows how law enforcement is increasingly targeting the support layers behind ransomware, not only the public-facing brands or malware operators. Initial access brokers sit near the front of the ransomware pipeline, and prosecutors have repeatedly described them as critical enablers because they shorten the time between intrusion and extortion. In Volkov’s case, DOJ tied his activity directly to repeated attacks against U.S. companies and to tens of millions of dollars in ransom demands.

The case also underlines how international coordination now plays a central role in cybercrime prosecutions. Volkov was arrested in Italy and extradited to the United States, which gave prosecutors a path to bring an overseas access broker into a U.S. courtroom instead of leaving the case at the indictment stage.

Key details at a glance

| Item | Detail |
| --- | --- |
| Defendant | Aleksei Volkov |
| Age | 26 |
| Nationality | Russian |
| Sentence | 81 months, or 6.75 years |
| Role | Initial access broker |
| Linked ransomware group | Yanluowang, among others |
| Actual losses | More than $9 million |
| Intended losses | More than $24 million |
| Arrest location | Rome, Italy |
| Plea date | November 25, 2025 |

Charges and penalties

DOJ said Volkov pleaded guilty to four counts from the Indiana case: unlawful transfer of a means of identification, trafficking in access information, access device fraud, and aggravated identity theft. He also pleaded guilty to two counts from the Pennsylvania case: conspiracy to commit computer fraud and conspiracy to commit money laundering.

That mix of charges reflects the broader way ransomware cases now get prosecuted. Authorities no longer focus only on the final extortion demand. They also pursue the credential theft, fraud, laundering, and identity abuse that support the whole criminal chain.

Separate BlackCat case puts ransomware negotiators under scrutiny

The Volkov sentencing came as U.S. prosecutors continue another high-profile ransomware case involving insiders from the cyber incident response world. Last week, prosecutors accused Angelo Martino, a former ransomware negotiator for DigitalMint, of working with the ALPHV, also known as BlackCat, ransomware group while helping victims negotiate with the same criminals. Reporting on the case says Martino surrendered to U.S. Marshals on March 10 and faces a charge of conspiracy to interfere with interstate commerce by extortion.

That case follows the December 2025 guilty pleas of Ryan Goldberg and Kevin Martin, two cybersecurity professionals charged with helping carry out BlackCat ransomware attacks against multiple U.S. victims. DOJ said both pleaded guilty to conspiracy to obstruct commerce through extortion and face up to 20 years in prison.

DigitalMint said Martino’s alleged conduct violated company policy and ethical standards. In a statement reported by The Record, the firm said it terminated Martino and Martin after learning of their behavior and condemned their actions as criminal conduct that ran against the company’s purpose and values.

What this means for defenders

  • Ransomware ecosystems still rely heavily on specialist roles such as access brokers, negotiators, and money movers.
  • Law enforcement pressure now reaches beyond the malware operators and into the people who supply access or insider information.
  • Organizations should treat exposed credentials, weak remote access controls, and unpatched internet-facing systems as direct ransomware risk, because those are the kinds of openings access brokers monetize. This point follows from DOJ’s description of Volkov’s role in finding vulnerabilities and unauthorized entry paths.

FAQ

Who is Aleksei Volkov?

Volkov is a 26-year-old Russian national whom DOJ identified as an initial access broker who helped ransomware crews, including Yanluowang, breach U.S. organizations.

How long was he sentenced for?

A federal court sentenced him to 81 months in prison, which equals 6.75 years.

How much damage did prosecutors say the attacks caused?

DOJ said the attacks caused more than $9 million in actual losses and more than $24 million in intended losses.

What is an initial access broker?

It is a cybercriminal who gains unauthorized entry into networks and then sells that access to other threat actors, including ransomware operators.

Why mention the BlackCat negotiator case here?

Because it shows prosecutors are also targeting the surrounding ransomware economy, including people accused of helping extortion efforts from inside the incident response and negotiation process.
