Back to Feed
Nation-stateJul 15, 2026

US charges alleged operators of Russian bulletproof hosting service

US charges three Russian nationals for operating bulletproof hosting services for ransomware gangs.

Summary

U.S. federal prosecutors have charged three Russian nationals for allegedly operating bulletproof hosting services, Media Land and ML.Cloud, which facilitated ransomware attacks causing over $62 million in damages. These services provided infrastructure for various cybercriminal activities, including C2 operations and phishing. The U.S. Department of State is offering a reward for information on associates of these actors, and the defendants and companies have also faced sanctions from the UK, Australia, and the EU.

Full text

US charges alleged operators of Russian bulletproof hosting service By Sergiu Gatlan July 15, 2026 03:45 AM 0 U.S. federal prosecutors have unsealed charges against three Russian nationals, accusing them of providing bulletproof hosting (BPH) services to ransomware gangs that caused over $62 million in damages to victims worldwide. BPH providers lease servers that help hinder disruption efforts targeting their malicious activities, including malware delivery, command-and-control operations, phishing attacks, and illicit content hosting. They market themselves as "bulletproof" by ignoring victims' complaints and subsequent law enforcement takedown requests. The two BPH services, Media Land and ML.Cloud, also provided customers with infrastructure in multiple countries outside Russia, including China, Finland, the Netherlands, as well as the United States. According to an indictment unsealed on Tuesday, Aleksandr Volosovik (who used the alias "Yalishanda" on cybercriminal forums) owned Media Land, Yulia Pankova owned ML Cloud and assisted with legal and financial matters, and Kirill Zatolokin collected customer payments. The U.S. Department of State is now also offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for any information "on foreign government-linked associates of these actors, their malicious cyber activities, or foreign government-linked use of these companies." Have information on these individuals or their associated companies? Your assistance could lead to a reward and relocation. Submit your tip today.https://t.co/bVD7q0dG3O pic.twitter.com/M9HMX9svej — Rewards for Justice (@RFJ_USA) July 14, 2026 The United States, the United Kingdom, and Australia previously sanctioned the three defendants and two companies in November for providing attack infrastructure and tech support to multiple ransomware and cybercrime operations, including Lockbit, Blacksuit, and Play. The Department of the Treasury's Office of Foreign Assets Control (OFAC) said at the time that Media Land's infrastructure was used to launch distributed denial-of-service (DDoS) attacks against U.S. companies and critical infrastructure, including telecommunications systems. "The victims in this case are not only in Ohio, but also in 20 other states across the country, touching every aspect of Americans' lives. They include banks, schools, government entities, hospitals, and media companies," said United States Attorney David M. Toepfer. "Together with our international partners, we will aggressively combat the efforts of individuals who hide behind computers anywhere in the world who seek to profit and wreak havoc by targeting the infrastructures that support our communities." This week, the Council of the European Union also announced sanctions against Media Land, ML.Cloud, and Alexander Volosovik, as part of the first joint cyber sanctions package issued against Russia in collaboration with the United Kingdom. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: US sanctions VPN, malware providers for enabling ransomware attacksFormer ransomware negotiator gets 4 years for BlackCat attacksAlleged Scattered Spider hacker extradited to the United StatesAuthorities dismantle 'AudiA6' ransomware crypto-laundering serviceDark web Nemesis Market vendor gets 26 years for selling drugs

Indicators of Compromise

  • domain — ML.Cloud

Entities

Lockbit (threat_actor)Blacksuit (threat_actor)Play (threat_actor)Media Land (product)ML.Cloud (product)