Skip to main content
Threat IntelligenceEmerging Threats

US Indicts Russians for Running Bulletproof Hosting Services

Government building with tall windows and daylight streaming in, abstract agents in background.

"With today’s actions, the FBI and our partners are striking at the core services that cybercriminals rely on to attack U.S. critical infrastructure," Brett Leatherman, assistant director of the FBI Cyber Division, said in a statement.

The defendants and the companies named in the indictment

A federal indictment unsealed in 2024 charges three Russian nationals and two St. Petersburg–based companies with running what prosecutors describe as "bulletproof hosting" services that directly supported cyberattacks on critical infrastructure. The three individuals charged are Alexander Alexandrovich Volosovik, 43, identified as the owner of Media Land; Yulia Vladimirovna Pankova, 29, identified as the owner of ML.Cloud; and Kirill Andreevich Zatolokin, 34. The indictment — filed in the Northern District of Ohio — alleges the defendants conspired to commit and aid computer fraud, conspired to commit wire fraud, committed wire fraud, and conspired to commit money laundering.

What prosecutors say Media Land and ML.Cloud provided

According to officials cited in the indictment, Media Land and ML.Cloud provided criminal actors with infrastructure and technical support to infect systems with malware and deploy ransomware for extortion. Prosecutors allege the companies also supported criminal marketplaces, handled fraudulent domain registrations, and hosted platforms that cybercriminals used to carry out phishing and brute-force attacks. Investigators say they identified a consistent, long-running pattern of criminal activities facilitated by the individuals and the two hosting providers.

Scale of the alleged campaign: victims, losses, and geography

Officials said victims were located across 21 U.S. states and in multiple countries. In the United States, the indictment identified victims in nine cities within the Northern District of Ohio. Internationally, victims were located in Australia, the European Union, the United Arab Emirates, Canada and the United Kingdom. Investigators attribute cumulative losses from the attacks facilitated by the alleged services at more than $62 million.

U.S. and allied responses: indictment, sanctions, and a reward offer

The case combines criminal charges with diplomatic and economic actions. Officials said the trio and their companies had been under investigation since 2019. In November 2025, the U.S. Treasury and officials from the United Kingdom and Australia imposed sanctions on Volosovik, Zatolokin, Pankova, Media Land and ML.Cloud. Separately, the State Department announced a reward of up to $10 million for information on government-linked associates of the alleged cybercriminals and for information about malicious use of Media Land or ML.Cloud. A. Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division, characterized the alleged operation as running "the criminal infrastructure that powered attacks on critical institutions across our nation," and said the defendants' actions "put the American public at risk."

How technologists, policymakers, and affected enterprises are positioned

  • Technologists and security teams: The allegations focus attention on the role of so-called bulletproof hosting and its technical support for malware, phishing, and brute-force campaigns. Teams defending networks will be watching for infrastructure tied to Media Land and ML.Cloud and for related domain and hosting indicators identified in legal filings and sanctions lists.
  • Policymakers and regulators: The case illustrates a coordinated toolbox — criminal charges, economic sanctions, and public reward offers — used by U.S. and allied authorities. Regulators tracking third‑party risk and cross‑border cyber threats will likely use the case as an example of combining law enforcement and economic measures to deter infrastructure providers that enable crime.
  • Affected enterprises and procurement leaders: Organizations that rely on third‑party hosting and domain registration services may revisit vendor vetting and contractual protections that address abuse of hosted services for malware distribution, ransomware operations, and fraudulent domains.

This is a multipart action that mixes criminal prosecution with sanctions and incentives for public assistance; the indictment, the cross-border sanctions in November 2025, and the State Department reward together signal an effort to reduce the anonymity and safe haven that investigators say enabled the alleged enterprise. The indictment alleges the defendants operated from St. Petersburg as of 2024 and that their services were central to campaigns inflicting over $62 million in losses — data points that underline why investigators framed the action as a strike against the "core services" cybercriminals use. The record released with the case will determine how widely the operational links can be traced and whether additional actors are identified through the reward program and continuing investigations.

Original story on CyberScoop