US Charges Three Russians for Running 'Bulletproof' Hosting That Powered Ransomware and Phishing Attacks on 42 American Organisations
A grand jury indictment unsealed this week names Aleksandr Volosovik, Kirill Zatolokin, and Yulia Pankova as the operators behind two companies that rented out hidden, hard-to-shut-down internet infrastructure to criminals worldwide.

Key points
- The US Department of Justice unsealed an indictment on Tuesday charging three Russian nationals and two companies with running cybercrime support services.
- The two companies, ML.Cloud and Media Land, provided what is known as "bulletproof hosting", meaning server space rented specifically to criminals because the operators ignore law-enforcement complaints.
- Criminals who used the services attacked at least 42 organisations across 21 US states, causing tens of millions of dollars in losses.
- The indictment was originally returned in December 2024 but kept sealed until this week.
- The US government is offering up to $10 million for information leading to the arrest of the three suspects.
Three Russian nationals ran a digital landlord service for criminals. That is the short version of what the US Department of Justice alleged when it unsealed a grand jury indictment on Tuesday.
The named defendants are Aleksandr Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yulia Pankova. The Justice Department says the three operated two companies, ML.Cloud and Media Land, which sold bulletproof hosting, a type of server rental service deliberately set up to ignore police requests and keep criminal websites alive.
Servers from the two companies sat in China, the Netherlands, Finland, and the United States itself.
Who got hurt, and should ordinary people be worried?
Yes, in a practical sense. The Justice Department says criminals who rented space from ML.Cloud and Media Land used it to run phishing campaigns (fake emails and websites designed to steal passwords and bank details), ransomware attacks (where hackers lock a victim's files and demand payment to unlock them), and DDoS attacks (floods of fake internet traffic designed to knock a website or service offline). They also hosted online marketplaces where stolen data and criminal tools were bought and sold.
At least 42 organisations in 21 US states were hit, with total losses running into the tens of millions of dollars. The victims are not named in public filings, but attacks of this type routinely affect hospitals, schools, and small businesses, meaning the ripple effect reaches patients, students, and customers.
If you receive an unexpected email asking you to click a link or reset a password, treat it with suspicion. Contact the company directly using a phone number you already trust.
The indictment was handed down in December 2024 but kept under seal, meaning it was hidden from public view, until this week. None of this is entirely new ground: the US and its allies announced sanctions against the same individuals and companies in late 2025, which already named them publicly.
What is new is the criminal charge itself, and the $10 million reward the US government announced Tuesday for information on the trio's whereabouts. Relocation assistance is also on offer, a detail that signals authorities consider the leads genuinely hard to obtain.
All three suspects are believed to remain in Russia. Extradition from Russia to the United States is effectively impossible under current political conditions, as SecurityWeek noted in its original coverage, though prosecutions of Russian bulletproof-hosting administrators have succeeded before when suspects travelled abroad.



