The U.S. Department of Justice has gone after the plumbing. On July 14, 2026, prosecutors in the Northern District of Ohio unsealed an indictment charging three Russian nationals and two St. Petersburg companies with operating the “bulletproof hosting” infrastructure that ransomware crews rode into American hospitals, schools, banks, and government offices. The tallied victims — spread across 21 states — lost more than $62 million.
The defendants are Alexander Alexandrovich Volosovik, 43; Kirill Andreevich Zatolokin, 34; and Yulia Vladimirovna Pankova, 29, all of St. Petersburg, Russia, along with their companies Media Land LLC and ML.Cloud LLC. The charges: conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering.
None of the three is in custody. All remain in Russia, beyond the practical reach of extradition — which makes this indictment, like so many aimed at Russian cybercriminals, an exercise in naming, sanctioning, and disrupting rather than arresting. But the target itself is what makes the case significant. This is not a prosecution of a ransomware gang. It is a prosecution of the gang’s landlord.
What Bulletproof Hosting Actually Is
Ransomware operators need somewhere to run their command-and-control servers, stage stolen data, and host leak sites. Ordinary hosting providers terminate that activity the moment an abuse complaint lands. Bulletproof hosts do the opposite: they knowingly market infrastructure to criminals, ignore abuse reports, route around takedown requests, and shuffle client servers between jurisdictions to stay ahead of law enforcement.
According to the indictment, Media Land did exactly that — and did it at scale. Its infrastructure operated out of multiple countries, including China, Finland, the Netherlands, and the United States, giving its criminal clientele geographic resilience and a buffer against any single country’s police. Zatolokin, prosecutors say, handled customer-facing operations and payments; Pankova managed the money. Volosovik — who has operated online for years under the handle “Yalishanda” — sat at the top.
This is the same category of target that law enforcement has increasingly prioritized in 2025 and 2026. It is the logic behind the Dutch FIOD’s seizure of Stark Industries’ 800 servers and behind the Google- and FBI-led takedown of the NetNut residential proxy network. Kill the ransomware crew and another rises to take its place; degrade the infrastructure layer they all rent from, and you raise costs across the entire ecosystem at once.
The Tenants: LockBit, BlackSuit, and Play
What elevates this indictment from routine to notable is the client list. The U.S. Treasury previously sanctioned Media Land and ML.Cloud specifically because their infrastructure hosted operations for three of the most destructive ransomware brands of the decade:
- LockBit — for years the most prolific ransomware-as-a-service operation on earth, responsible for thousands of victims before its 2024 disruption.
- BlackSuit — the Royal successor whose empire was dismantled in Operation Checkmate in 2025.
- Play — the Russia-linked crew behind attacks on critical infrastructure and municipal targets worldwide.
When Treasury sanctions and a DOJ indictment converge on the same two companies, it signals a coordinated strategy: cut off the money, then cut off the operations. Media Land’s hosting was, in effect, shared tooling for the ransomware economy — and the government is now treating the provider as jointly responsible for what its tenants did.
The Ohio Connection
The case was built in Cleveland, and the FBI’s Cleveland Field Office led the investigation. That local nexus matters legally — venue in the Northern District of Ohio rests in part on victims within the state — but the damage was national. Prosecutors described victims that “touch every aspect of Americans’ lives”: banks, schools, government entities, hospitals, and media companies across 21 states.
The indictment itself was returned in December 2024 and sat under seal for more than eighteen months while investigators built out the financial and infrastructure picture. Unsealing it now, alongside the Treasury designations, is the disruption event — a public marker that names the operators, freezes what assets can be frozen, and puts every future client on notice that renting from a sanctioned host carries its own legal exposure.
Why an Un-Arrestable Indictment Still Matters
It is fair to ask what a charging document accomplishes against three people who will never see a U.S. courtroom voluntarily. The honest answer is: less than an arrest, but more than nothing.
Naming the operators strips their anonymity and complicates their travel — the same pressure that eventually put an FBI-wanted GRU officer in handcuffs in Thailand when he stepped outside Russia’s protection. Sanctions choke the legitimate financial rails a hosting business needs to collect payments and pay for upstream capacity. And the public attribution gives allied registrars, transit providers, and data centers the cover they need to refuse service.
Bulletproof hosting works because it is boring and invisible — a line item on a criminal’s balance sheet. The strategic bet behind this indictment is that dragging that line item into the light, and attaching real names and real sanctions to it, makes the whole ransomware supply chain more expensive to operate. Two ransomware brands on Media Land’s client roster are already gone. The infrastructure they rented just acquired a criminal indictment of its own.
Sources
- DOJ — Three Russian Nationals and Two Companies Indicted for International Cybercrimes Resulting in More Than $62M in Victim Losses
- DOJ, Northern District of Ohio — Three Russian Nationals Indicted for International Cybercrimes
- BleepingComputer — US charges alleged operators of Russian bulletproof hosting service
- TechCrunch — US charges Russian ‘bulletproof’ web hosts over cyberattacks that netted $62M
- CNN — US indicts Russians alleged to be at center of major cybercrime network



