The U.S. Department of Justice unsealed criminal charges against three Russian nationals who operated Media Land and ML.Cloud, bulletproof hosting services that provided command-and-control infrastructure, malware delivery systems, and phishing hosting to ransomware groups including LockBit, Blacksuit, and Play. The charges extend law enforcement pressure to the infrastructure operators who enable ransomware campaigns, rather than focusing solely on the groups that execute attacks.
Media Land and ML.Cloud’s Role in LockBit, Blacksuit, and Play Campaigns
Media Land and ML.Cloud are bulletproof hosting operations — services built to resist law enforcement takedown attempts by ignoring abuse complaints from victims and refusing cooperation with law enforcement agencies. The DOJ criminal charges describe both services as central infrastructure suppliers to ransomware gangs and other cybercriminals, providing servers across Russia, China, Finland, the Netherlands, and the United States. The multi-country server footprint was constructed to complicate jurisdictional determinations and delay enforcement action against any single location.
The confirmed customers of Media Land and ML.Cloud infrastructure include LockBit, Blacksuit, and Play ransomware groups. The services provided malware command-and-control hosting, malware delivery infrastructure, and phishing campaign servers — the operational backbone that ransomware affiliates use to communicate with infected systems, distribute additional payloads, and run initial access campaigns.
How Volosovik, Pankova, and Zatolokin Structured the Operation
DOJ named three defendants in the criminal charges. Aleksandr Volosovik, operating under the alias “Yalishanda,” owned and operated Media Land and served as the principal figure behind the bulletproof hosting business. Yulia Pankova owned ML.Cloud and managed the legal and financial aspects of the operation, creating structural separation between the technical infrastructure and direct financial transparency. Kirill Zatolokin managed customer payments for the bulletproof hosting service, handling the transactional layer that connected cybercriminal customers to the infrastructure they rented.
The division of responsibilities among the three defendants reflects a deliberate operational structure common in sophisticated cybercriminal infrastructure: technical ownership, financial management, and customer-facing payment handling are assigned to separate individuals to reduce the exposure of any single person and create legal complexity for prosecutors.
$62 Million in Damages Across Banks, Schools, and Hospitals in 21 States
DOJ’s charges document confirmed harm attributable to the ransomware operations that Media Land and ML.Cloud hosted. Victims in at least 21 U.S. states suffered more than $62 million in damages. The victim categories include banks, schools, hospitals, government entities, and media companies — institutions that represent common ransomware targets because of operational disruption risk and the tendency to carry cybersecurity insurance that can fund ransom payments.
The scale of documented harm across 21 states and multiple institution types explains why law enforcement has prioritized bulletproof hosting prosecutions alongside ransomware group disruptions: hosting services are shared infrastructure, meaning that a single bulletproof host may enable attacks against hundreds of distinct victim organizations across multiple ransomware groups’ campaigns.
From November 2025 Sanctions to July 2026 Criminal Charges
The charges unsealed on July 15 are the second enforcement phase against Media Land, ML.Cloud, and their operators. The United States, United Kingdom, and Australia jointly sanctioned both companies and the three defendants in November 2025, designating them as entities providing material support to cybercriminal operations. The criminal charges represent the formal legal follow-on to those sanctions, adding federal criminal exposure beyond the financial restrictions the sanctions imposed.
The U.S. State Department simultaneously announced a $10 million reward for information on the defendants’ whereabouts, activities, or connections to foreign governments. That reward structure, standard in cases where defendants remain outside U.S. custody, reflects the expectation that extradition from Russia is unlikely through conventional law enforcement channels.
Bulletproof hosting prosecutions carry strategic value that individual ransomware group disruptions do not: ransomware organizations frequently reconstitute after law enforcement action by rebuilding operations on alternative hosting infrastructure. LockBit’s February 2024 infrastructure seizure left surviving affiliates seeking alternative platforms; Blacksuit and Play have continued operating while law enforcement pursued other targets. By charging the hosting operators who served all three groups, DOJ targets a shared dependency that multiple ransomware ecosystems rely on simultaneously.
