Full Report
Officials accused three Russian nationals, Media Land and ML.Cloud of supporting cyberattacks spanning 21 U.S. states and other countries, resulting in losses surpassing $62 million. The post Russian trio indicted for allegedly running bulletproof hosting providers that spurred cybercrime appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Media Land / ML.Cloud (Bulletproof Hosting Trio)
## Attribution & Identity
**Identified Individuals:**
* **Alexander Alexandrovich Volosovik (43):** Owner of Media Land.
* **Yulia Vladimirovna Pankova (29):** Owner of ML.Cloud.
* **Kirill Andreevich Zatolokin (34):** Associate/Principal in the criminal enterprise.
**Associated Entities:**
* **Media Land:** A bulletproof hosting provider.
* **ML.Cloud:** A bulletproof hosting provider.
**Known Associations:**
* Based in **St. Petersburg, Russia**.
* Linked to "government-linked associates" (per State Department reward offer).
* Associated with various unnamed ransomware gangs and cybercriminal marketplaces.
## Activity Summary
The actors operated "bulletproof" hosting services—infrastructure designed to ignore abuse complaints and resist takedown requests. Since at least 2019, they provided the backend infrastructure used to launch cyberattacks against critical infrastructure. Their services facilitated malware distribution, ransomware extortion, phishing, and brute-force attacks. These activities resulted in documented losses exceeding **$62 million**. Following a multi-year investigation, the trio was indicted in July 2026, following international sanctions imposed in late 2025.
## Tactics, Techniques & Procedures
* **Bulletproof Hosting:** Providing stable, takedown-resistant server space for illicit activities.
* **Technical Support:** Directly assisting cybercriminals in infecting systems with malware.
* **Identity Obfuscation:** Using infrastructure to hide the real-world identities and locations of attackers.
* **Phishing Support:** Hosting platforms and domains specifically designed for credential harvesting.
* **Brute-Force Infrastructure:** Supporting systems that automate login attempts against targeted organizations.
* **Marketplace Hosting:** Operating servers for criminal marketplaces where stolen data and illegal services are traded.
* **Anonymity Services:** Providing a "safe haven" for laundering criminal proceeds (conspiracy to commit money laundering).
## Targeting
* **Sectors:** Critical Infrastructure, Government, Financial Services.
* **Geography:**
* **United States:** Spanning 21 states (notably including the Northern District of Ohio).
* **International:** United Kingdom, Australia, Canada, United Arab Emirates, and the European Union.
* **Victims:** Critical institutions and various unnamed organizations globally.
## Tools & Infrastructure
* **Infrastructure:**
* Media Land (Bulletproof Hosting)
* ML.Cloud (Bulletproof Hosting)
* **Malware Families:** General support for various **Ransomware** and **Malware-as-a-Service** (MaaS) families.
* **Supporting Services:** Fraudulent domain registrations used for phishing and C2.
## Implications
This case highlights the strategic role of "Bulletproof Hosting" as a foundational layer of the cybercrime economy. By providing a secure operational base for state-sponsored or high-level criminal actors, Media Land and ML.Cloud lowered the barrier for entry for devastating attacks on Western critical infrastructure. The $10 million State Department reward suggests these actors may have provided a "protective shield" for Russian state-aligned activity, effectively functioning as an extension of foreign influence operations by sheltering destructive cyber elements.
## Mitigations
* **Infrastructure Blacklisting:** Proactively block network traffic associated with known bulletproof hosting providers and their ASN ranges (Media Land/ML.Cloud).
* **Geofencing:** Implement strict geographic filtering for traffic originating from St. Petersburg-based IP ranges if no legitimate business need exists.
* **Anti-Phishing Controls:** Implement FIDO2-compliant multi-factor authentication (MFA) to neutralize the phishing and brute-force services facilitated by these providers.
* **Threat Intelligence Integration:** Ingest Indicators of Compromise (IoCs) related to sanctioned Russian hosting providers into SIEM/EDR platforms to detect persistent connections to high-risk infrastructure.