US Indicts Two Russian Bulletproof Hosting Firms Over $62 Million in Cybercrime Losses
US prosecutors have charged three Russian nationals and two Russia-based hosting companies with supporting cybercriminal operations that allegedly caused more than $62 million in victim losses.
The defendants include Medialand LLC, also known as Media Land, and its affiliated company ML.Cloud LLC. Prosecutors accuse them of providing servers, domain services, fast-flux infrastructure, and other technical support to ransomware operators and cybercriminal groups.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The indictment was returned in December 2024 and unsealed in the Northern District of Ohio on July 14, 2026. The charges remain allegations, and every defendant retains the presumption of innocence unless proven guilty in court.
Three Russian nationals and two companies charged
The Justice Department announcement names Alexander Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yulia Vladimirovna Pankova. All three come from St. Petersburg, Russia.
Volosovik allegedly owned Medialand and promoted its services on cybercriminal forums. Pankova allegedly owned ML.Cloud during the investigation and indictment period, while Zatolokin worked with Volosovik on Medialandโs operations.
Prosecutors charged the individuals and companies with conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering.
| Defendant | Age | Alleged role |
|---|---|---|
| Alexander Alexandrovich Volosovik | 43 | Owner and general director of Medialand |
| Kirill Andreevich Zatolokin | 34 | Medialand employee involved in payments and coordination |
| Yulia Vladimirovna Pankova | 29 | Owner of ML.Cloud during the investigation period |
| Medialand LLC | Not applicable | St. Petersburg-based hosting provider |
| ML.Cloud LLC | Not applicable | Related hosting and payment infrastructure company |
What is bulletproof hosting?
Bulletproof hosting providers supply servers and internet infrastructure while deliberately resisting complaints, takedown requests, and law enforcement intervention. They may register domains privately, move services between addresses, or ignore evidence that customers use their systems for crime.
These companies differ from legitimate hosting providers that investigate abuse reports and suspend customers who distribute malware, host phishing pages, or violate applicable laws.
According to the indictment, Medialand and ML.Cloud marketed or leased infrastructure to customers who used it for ransomware, malware, phishing, brute-force attacks, criminal marketplaces, and fraudulent domains.
| Alleged service | How criminals used it |
|---|---|
| Dedicated servers | Hosting malware, ransomware, stolen data, and command-and-control systems |
| Domain registration | Creating fraudulent domains while obscuring the real operator |
| Fast-flux hosting | Frequently changing IP addresses to make malicious services harder to block |
| Payment infrastructure | Receiving hosting fees and allegedly handling proceeds connected to cybercrime |
| Abuse-report handling | Ignoring or providing misleading responses to complaints |
Prosecutors allege the companies ignored abuse reports
The 75-page federal indictment alleges that Volosovik and Zatolokin operated email addresses and domains that appeared to provide independent abuse-reporting services.
When victims and security companies submitted reports, the defendants allegedly ignored them, sent false or misleading responses, and continued leasing infrastructure to malicious customers.
Prosecutors also accuse them of offering fast-flux services to help customers evade security controls. This technique distributes malicious domains across changing IP addresses, making infrastructure harder to identify and disrupt.
42 victims across 21 US states were targeted
The Justice Department says criminal groups using Medialand and ML.Cloud targeted 42 victims in 21 states. The organizations operated in sectors including healthcare, education, finance, government, and media.
The alleged clients infected systems with malware and ransomware, stole data, demanded payments, and directed victims to cryptocurrency accounts. Other customers allegedly used the infrastructure for phishing, brute-force attacks, criminal marketplaces, and denial-of-service activity.
Medialandโs network extended beyond Russia. Prosecutors identified infrastructure operating from China, Finland, the Netherlands, and the United States.
- Banks and other financial organizations
- Schools and educational institutions
- Government entities
- Hospitals and healthcare organizations
- Media companies
- Other businesses across the United States
Ransomware groups allegedly used Media Land
The US Treasury previously identified Media Land as infrastructure used by ransomware groups including LockBit, BlackSuit, and Play. It also linked the providerโs systems to distributed denial-of-service attacks against US companies and critical infrastructure.
The Treasury Departmentโs sanctions announcement describes Media Land as a key launching point for ransomware. It says Volosovik advertised the company under the alias โYalishandaโ and provided technical troubleshooting to ransomware and denial-of-service actors.
Treasury identified ML Cloud as a sister company whose technical infrastructure often operated alongside Media Landโs systems.
US offers a reward of up to $10 million
The State Departmentโs Rewards for Justice program announced a reward of up to $10 million and possible relocation for qualifying information connected to the case.
The Media Land reward offer seeks information about people acting at the direction or under the control of a foreign government who participate in malicious cyber activity against US critical infrastructure.
Investigators also want information concerning foreign government-linked associates of Volosovik, Zatolokin, or Pankova, as well as foreign government-linked use of Media Land or ML.Cloud.
| Reward detail | Information |
|---|---|
| Maximum amount | Up to $10 million |
| Additional support | Possible relocation |
| Main requirement | Actionable information involving foreign government-linked malicious cyber activity |
| Companies covered | Media Land and ML.Cloud |
| Individuals covered | Volosovik, Zatolokin, Pankova, and relevant associates |
US, UK, and Australia imposed sanctions
The United States imposed sanctions on the defendants and their companies in November 2025. The United Kingdom joined the measures in full, while Australia adopted part of the coordinated sanctions package.
OFAC designated Volosovik, Zatolokin, Pankova, Media Land, ML Cloud, Media Land Technology, and Data Center Kirishi. Media Land Technology and Data Center Kirishi were identified as wholly owned subsidiaries of Media Land.

Under the OFAC sanctions, property and interests in property belonging to designated parties within US jurisdiction are blocked. US persons generally cannot conduct transactions with them unless OFAC authorizes the activity.
International agencies supported the investigation
The FBIโs Cleveland Division leads the investigation with assistance from the Cybersecurity and Infrastructure Security Agency and the Treasury Departmentโs Office of Foreign Assets Control.
International assistance came from the Dutch National Police, the Netherlands Public Prosecution Service, the United Kingdomโs National Crime Agency, the UK Foreign, Commonwealth and Development Office, the Australian Department of Foreign Affairs and Trade, and the Australian Federal Police.
Justice Department prosecutors from the Computer Crime and Intellectual Property Section and the US Attorneyโs Office for the Northern District of Ohio are handling the case.
The case forms part of Operation Riptide
The action falls under Operation Riptide, an ongoing FBI campaign targeting cybercriminals, technical infrastructure, and financial networks that support cybercrime and fraud.
The Justice Department says Americans reported more than $20 billion in cybercrime losses during the previous year, representing a 26% annual increase. The government did not say Operation Riptide began solely because of that increase.
The new charges focus on service providers rather than only the ransomware operators who used them. Disrupting hosting, payments, domains, and fast-flux networks can make multiple criminal groups more expensive and difficult to operate.
Why bulletproof hosting providers matter
Ransomware groups depend on infrastructure for payload delivery, command-and-control traffic, data storage, leak sites, payments, and communication. Providers willing to ignore abuse reports allow those operations to remain online longer.
The indictment alleges that Medialand and ML.Cloud did more than unknowingly host a small number of malicious customers. Prosecutors claim the companies knowingly designed, promoted, and maintained services for cybercriminal clients.
The unsealed charging document also alleges that the defendants helped conceal criminal proceeds and maintained infrastructure in the United States and other countries to hide the origin and ownership of funds.
Charges are allegations, not convictions
The indictment presents the governmentโs allegations and does not establish guilt. Prosecutors must prove the charges beyond a reasonable doubt before a court can convict the defendants.
The Justice Department case summary does not announce convictions or sentences. It also does not state that US authorities have taken the three individual defendants into custody.
The Rewards for Justice notice asks people with relevant information to use the programโs official reporting options.
FAQ
The indictment charges Medialand LLC, also known as Media Land, and ML.Cloud LLC. Both companies were based in St. Petersburg, Russia.
The individual defendants are Alexander Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yulia Vladimirovna Pankova.
The Justice Department says the alleged cybercrimes resulted in more than $62 million in victim losses. Criminal groups using the infrastructure allegedly targeted 42 victims across 21 US states.
Prosecutors allege that customers used the infrastructure for ransomware, malware, phishing, brute-force attacks, fraudulent domains, criminal marketplaces, data theft, extortion, and denial-of-service attacks.
Rewards for Justice offers up to $10 million for qualifying information involving foreign government-linked malicious cyber activity, associates of the named defendants, or foreign government-linked use of Media Land or ML.Cloud.
No. An indictment contains allegations, and the defendants remain presumed innocent unless prosecutors prove the charges beyond a reasonable doubt.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages