US Indicts Two Russian Bulletproof Hosting Firms Over $62 Million in Cybercrime Losses


US prosecutors have charged three Russian nationals and two Russia-based hosting companies with supporting cybercriminal operations that allegedly caused more than $62 million in victim losses.

The defendants include Medialand LLC, also known as Media Land, and its affiliated company ML.Cloud LLC. Prosecutors accuse them of providing servers, domain services, fast-flux infrastructure, and other technical support to ransomware operators and cybercriminal groups.

The indictment was returned in December 2024 and unsealed in the Northern District of Ohio on July 14, 2026. The charges remain allegations, and every defendant retains the presumption of innocence unless proven guilty in court.

Three Russian nationals and two companies charged

The Justice Department announcement names Alexander Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yulia Vladimirovna Pankova. All three come from St. Petersburg, Russia.

Volosovik allegedly owned Medialand and promoted its services on cybercriminal forums. Pankova allegedly owned ML.Cloud during the investigation and indictment period, while Zatolokin worked with Volosovik on Medialandโ€™s operations.

Prosecutors charged the individuals and companies with conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering.

DefendantAgeAlleged role
Alexander Alexandrovich Volosovik43Owner and general director of Medialand
Kirill Andreevich Zatolokin34Medialand employee involved in payments and coordination
Yulia Vladimirovna Pankova29Owner of ML.Cloud during the investigation period
Medialand LLCNot applicableSt. Petersburg-based hosting provider
ML.Cloud LLCNot applicableRelated hosting and payment infrastructure company

What is bulletproof hosting?

Bulletproof hosting providers supply servers and internet infrastructure while deliberately resisting complaints, takedown requests, and law enforcement intervention. They may register domains privately, move services between addresses, or ignore evidence that customers use their systems for crime.

These companies differ from legitimate hosting providers that investigate abuse reports and suspend customers who distribute malware, host phishing pages, or violate applicable laws.

According to the indictment, Medialand and ML.Cloud marketed or leased infrastructure to customers who used it for ransomware, malware, phishing, brute-force attacks, criminal marketplaces, and fraudulent domains.

Alleged serviceHow criminals used it
Dedicated serversHosting malware, ransomware, stolen data, and command-and-control systems
Domain registrationCreating fraudulent domains while obscuring the real operator
Fast-flux hostingFrequently changing IP addresses to make malicious services harder to block
Payment infrastructureReceiving hosting fees and allegedly handling proceeds connected to cybercrime
Abuse-report handlingIgnoring or providing misleading responses to complaints

Prosecutors allege the companies ignored abuse reports

The 75-page federal indictment alleges that Volosovik and Zatolokin operated email addresses and domains that appeared to provide independent abuse-reporting services.

When victims and security companies submitted reports, the defendants allegedly ignored them, sent false or misleading responses, and continued leasing infrastructure to malicious customers.

Prosecutors also accuse them of offering fast-flux services to help customers evade security controls. This technique distributes malicious domains across changing IP addresses, making infrastructure harder to identify and disrupt.

42 victims across 21 US states were targeted

The Justice Department says criminal groups using Medialand and ML.Cloud targeted 42 victims in 21 states. The organizations operated in sectors including healthcare, education, finance, government, and media.

The alleged clients infected systems with malware and ransomware, stole data, demanded payments, and directed victims to cryptocurrency accounts. Other customers allegedly used the infrastructure for phishing, brute-force attacks, criminal marketplaces, and denial-of-service activity.

Medialandโ€™s network extended beyond Russia. Prosecutors identified infrastructure operating from China, Finland, the Netherlands, and the United States.

  • Banks and other financial organizations
  • Schools and educational institutions
  • Government entities
  • Hospitals and healthcare organizations
  • Media companies
  • Other businesses across the United States

Ransomware groups allegedly used Media Land

The US Treasury previously identified Media Land as infrastructure used by ransomware groups including LockBit, BlackSuit, and Play. It also linked the providerโ€™s systems to distributed denial-of-service attacks against US companies and critical infrastructure.

The Treasury Departmentโ€™s sanctions announcement describes Media Land as a key launching point for ransomware. It says Volosovik advertised the company under the alias โ€œYalishandaโ€ and provided technical troubleshooting to ransomware and denial-of-service actors.

Treasury identified ML Cloud as a sister company whose technical infrastructure often operated alongside Media Landโ€™s systems.

US offers a reward of up to $10 million

The State Departmentโ€™s Rewards for Justice program announced a reward of up to $10 million and possible relocation for qualifying information connected to the case.

The Media Land reward offer seeks information about people acting at the direction or under the control of a foreign government who participate in malicious cyber activity against US critical infrastructure.

Investigators also want information concerning foreign government-linked associates of Volosovik, Zatolokin, or Pankova, as well as foreign government-linked use of Media Land or ML.Cloud.

Reward detailInformation
Maximum amountUp to $10 million
Additional supportPossible relocation
Main requirementActionable information involving foreign government-linked malicious cyber activity
Companies coveredMedia Land and ML.Cloud
Individuals coveredVolosovik, Zatolokin, Pankova, and relevant associates

US, UK, and Australia imposed sanctions

The United States imposed sanctions on the defendants and their companies in November 2025. The United Kingdom joined the measures in full, while Australia adopted part of the coordinated sanctions package.

OFAC designated Volosovik, Zatolokin, Pankova, Media Land, ML Cloud, Media Land Technology, and Data Center Kirishi. Media Land Technology and Data Center Kirishi were identified as wholly owned subsidiaries of Media Land.

Under the OFAC sanctions, property and interests in property belonging to designated parties within US jurisdiction are blocked. US persons generally cannot conduct transactions with them unless OFAC authorizes the activity.

International agencies supported the investigation

The FBIโ€™s Cleveland Division leads the investigation with assistance from the Cybersecurity and Infrastructure Security Agency and the Treasury Departmentโ€™s Office of Foreign Assets Control.

International assistance came from the Dutch National Police, the Netherlands Public Prosecution Service, the United Kingdomโ€™s National Crime Agency, the UK Foreign, Commonwealth and Development Office, the Australian Department of Foreign Affairs and Trade, and the Australian Federal Police.

Justice Department prosecutors from the Computer Crime and Intellectual Property Section and the US Attorneyโ€™s Office for the Northern District of Ohio are handling the case.

The case forms part of Operation Riptide

The action falls under Operation Riptide, an ongoing FBI campaign targeting cybercriminals, technical infrastructure, and financial networks that support cybercrime and fraud.

The Justice Department says Americans reported more than $20 billion in cybercrime losses during the previous year, representing a 26% annual increase. The government did not say Operation Riptide began solely because of that increase.

The new charges focus on service providers rather than only the ransomware operators who used them. Disrupting hosting, payments, domains, and fast-flux networks can make multiple criminal groups more expensive and difficult to operate.

Why bulletproof hosting providers matter

Ransomware groups depend on infrastructure for payload delivery, command-and-control traffic, data storage, leak sites, payments, and communication. Providers willing to ignore abuse reports allow those operations to remain online longer.

The indictment alleges that Medialand and ML.Cloud did more than unknowingly host a small number of malicious customers. Prosecutors claim the companies knowingly designed, promoted, and maintained services for cybercriminal clients.

The unsealed charging document also alleges that the defendants helped conceal criminal proceeds and maintained infrastructure in the United States and other countries to hide the origin and ownership of funds.

Charges are allegations, not convictions

The indictment presents the governmentโ€™s allegations and does not establish guilt. Prosecutors must prove the charges beyond a reasonable doubt before a court can convict the defendants.

The Justice Department case summary does not announce convictions or sentences. It also does not state that US authorities have taken the three individual defendants into custody.

The Rewards for Justice notice asks people with relevant information to use the programโ€™s official reporting options.

FAQ

Which bulletproof hosting companies did the US charge?

The indictment charges Medialand LLC, also known as Media Land, and ML.Cloud LLC. Both companies were based in St. Petersburg, Russia.

Who are the individual defendants in the Media Land case?

The individual defendants are Alexander Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yulia Vladimirovna Pankova.

How much money did victims allegedly lose?

The Justice Department says the alleged cybercrimes resulted in more than $62 million in victim losses. Criminal groups using the infrastructure allegedly targeted 42 victims across 21 US states.

What crimes are the defendants accused of supporting?

Prosecutors allege that customers used the infrastructure for ransomware, malware, phishing, brute-force attacks, fraudulent domains, criminal marketplaces, data theft, extortion, and denial-of-service attacks.

What is the $10 million Media Land reward for?

Rewards for Justice offers up to $10 million for qualifying information involving foreign government-linked malicious cyber activity, associates of the named defendants, or foreign government-linked use of Media Land or ML.Cloud.

Have the Media Land defendants been convicted?

No. An indictment contains allegations, and the defendants remain presumed innocent unless prosecutors prove the charges beyond a reasonable doubt.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages