Can Washington make a Russian bulletproof hosting business toxic enough to disrupt it without getting its alleged operators into a US courtroom?
Federal prosecutors on Tuesday unsealed an indictment against Aleksandr Volosovik, Yulia Pankova and Kirill Zatolokin, three Russian nationals accused of helping cybercriminals stay online through the St. Petersburg-based businesses Media Land and ML Cloud, according to The Record. The US also posted a reward of up to $10 million for information tied to the case.
Can a US indictment pressure Media Land if the defendants are in Russia?
The indictment, filed in December 2024 and now public, charges all three defendants with conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering.
Prosecutors say Volosovik, also known as "Yalishanda," owned Media Land. They say Pankova owned ML Cloud. Zatolokin allegedly collected payments for Media Land and coordinated services with cybercriminal customers, authorities said when announcing sanctions last year.
The case lands in a hard jurisdictional reality. Authorities say all three are known residents of St. Petersburg, and Russia and the US do not have an extradition treaty. That means the indictment may not quickly produce arrests, unless defendants travel to a country willing to transfer them to US custody.
Still, unsealing matters. It turns a sealed criminal case into a public map of alleged operators, companies, charges and customer relationships. It also gives banks, payment firms, cybersecurity teams and infrastructure providers names to screen against, rather than a vague warning about Russian cybercrime infrastructure.
“From their overseas safe haven, these defendants ran the criminal infrastructure that powered attacks on critical institutions across our nation,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Their actions put the American public at risk.”
The indictment cites 44 unnamed victims and $62 million in losses from cybercriminal groups allegedly aided by Media Land and ML Cloud.
How did bulletproof hosting allegedly keep cybercriminal customers online?
Bulletproof hosting is the business model prosecutors are attacking here. These providers allegedly sell internet infrastructure to customers engaged in crime, while helping them avoid takedowns, abuse complaints and law enforcement scrutiny.
The allegation against Media Land and ML Cloud is stronger than passive hosting. Prosecutors say the companies provided both infrastructure and technical support to cybercriminals. That distinction matters because the case targets the service layer that keeps attacks running, not only the hackers launching them.
Authorities said in December that ransomware groups including Lockbit, BlackSuit and Play used services from Media Land and ML Cloud. Prosecutors also said cybercrime marketplaces including Briansclub, Cardhouse, crdclub, Club2crd, Verified, Fullzinfo, Swipestore and Bidencash used Media Land infrastructure. Those forums specialized in stolen credit card information, according to the source material.
A practical reading: resilient hosting gives criminal groups more time. More time to run phishing pages. More time to host malware. More time to move stolen data. More time to rotate domains and servers before defenders can burn the infrastructure down.
The indictment does not publicly name the 44 victims. It also does not say, at least in the available source material, exactly which victim losses are tied to which criminal groups or infrastructure nodes.
| Case element | Public allegation |
|---|---|
| Companies | Media Land and sister company ML Cloud |
| Location | St. Petersburg, Russia |
| Defendants | Aleksandr Volosovik, Yulia Pankova, Kirill Zatolokin |
| Victim impact | 44 unnamed victims, $62 million in losses |
| Reward | Up to $10 million under the State Department’s Rewards for Justice program |
| Criminal charges | Computer fraud conspiracy, wire fraud conspiracy, wire fraud, money laundering conspiracy |
Why is the US targeting the business layer behind Russian cybercrime?
The harder question is whether prosecutors are trying to punish these alleged operators or break the supply chain that made them useful.
The indictment points to the second goal. The named defendants are not accused merely of participating in a single ransomware incident or fraud campaign. They are accused of running infrastructure that other cybercriminals used. That makes the case part of a wider enforcement push against the suppliers behind attacks: hosting, payments, malware distribution and marketplaces.
CNN, citing the Justice Department announcement, reported that prosecutors described Media Land as supporting criminal groups that targeted hospitals, schools and banks across the US, causing $62 million in damages. CNN also quoted Brett Leatherman, assistant director of the FBI’s cyber division, saying of Media Land: “To this day, they are likely still shielding criminal activity.”
For fintech and markets readers, the relevance is direct. Stolen card forums, fraud shops and ransomware crews don’t operate in isolation. They create costs for payment processors, banks, crypto platforms, insurers and listed companies that must absorb fraud, incident response, recovery work and disclosure risk.
The State Department’s $10 million reward also shows what investigators still want. The announcement emphasizes information about possible foreign government links to the activities of Media Land and ML Cloud. The available source material does not establish such links. It says the government is looking for information.
That distinction is important. The indictment alleges criminal infrastructure. The reward notice signals that investigators are probing whether there is another layer above or around it.
Which parts of the Media Land case could actually disrupt operations?
The next phase will test whether a public indictment can move from naming alleged operators to choking off infrastructure.
The defendants were already sanctioned by the US and two allies in November, according to The Record. A third business sanctioned at the time, Data Center Kirishi, is not mentioned in the indictment. That gap matters because sanctions lists and criminal cases do not always map perfectly onto each other.
Near-term signals will come from law enforcement and security researchers. If authorities release technical indicators, companies can hunt for past exposure to Media Land or ML Cloud infrastructure. If domains, servers or payment channels are seized, the case shifts from pressure to disruption.
Future filings could also sharpen the story. Prosecutors may connect specific Media Land or ML Cloud services to named campaigns, customer accounts, payment flows or victim sectors. Right now, the public record identifies alleged operators, charges, losses, companies and several criminal groups or marketplaces that authorities say used the infrastructure.
The strongest scenario for the US is not just an indictment sitting on a docket. It is an indictment paired with allied pressure, sanctions enforcement, infrastructure seizures and travel risk for the accused. The weaker scenario is familiar: named suspects remain in Russia, customers migrate, and investigators chase the next hosting provider.
That is the watch item now. The Media Land case has raised the cost of being named as a bulletproof hosting operator. Its real impact depends on whether investigators can turn exposure into outages.
Impact Analysis
- The indictment publicly names alleged operators and businesses behind Russian bulletproof hosting infrastructure.
- Russia’s lack of an extradition treaty with the US makes arrests unlikely unless defendants travel abroad.
- The public case gives banks, payment firms and cybersecurity teams concrete names to screen and block.
Originally published on XOOMAR. For more news and analysis, visit XOOMAR.
Top comments (0)