DOJ indicts Media Land trio: LockBit, BlackSuit, Play host
USAO-NDOH unsealed a Dec 2024 indictment against Volosovik ('Yalishanda'), Pankova, and Zatolokin — Media Land and ML.Cloud hosted LockBit, BlackSuit, Play. $62M losses, 21 states.
Confirmed: the U.S. Attorney’s Office for the Northern District of Ohio unsealed a December 2024 federal indictment on July 14, 2026, naming three Russian nationals and two St. Petersburg companies — Media Land LLC and ML.Cloud LLC — as the bulletproof-hosting layer behind LockBit, BlackSuit, and Play ransomware operations. Confidence on defendants, companies, charges, and victim math: as-charged in the indictment. Confidence on ransomware-family attribution: as-alleged by DOJ, untested at trial.
The three names
- Alexander Alexandrovich Volosovik, 43 — director of Media Land, advertised the service under the alias “Yalishanda”, per the DOJ Office of Public Affairs release. Confidence: as-charged.
- Yulia Vladimirovna Pankova, 29 — founder of ML.Cloud, alleged to have handled the legal and financial layer for the operation. Confidence: as-charged.
- Kirill Andreevich Zatolokin, 34 — alleged to have collected customer payments. Confidence: as-charged.
All three are charged with conspiracy to commit and aid and abet computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, per the USAO-NDOH release. All three remain in Russia. Unconfirmed on any extradition posture — treat accordingly.
What Media Land actually sold
Bulletproof hosting is dedicated infrastructure that ignores abuse complaints and law-enforcement takedown requests by design. Media Land is charged as the operational front — the servers customers rented and pointed their command-and-control at. ML.Cloud is charged as the payments and legal-cover layer that made the servers rentable at scale.
The named customer roster in the indictment: LockBit, BlackSuit, and Play. All three are prolific extortion operators whose intrusions the FBI and CISA have been advisories-deep on for years. LockBit alone racked up thousands of victims before its February 2024 takedown; BlackSuit and Play both remain active. Confidence on the customer list: as-alleged.
Physical infrastructure spanned Russia, China, Finland, the Netherlands, and the United States, per the DOJ release. That last one matters — servers on U.S. soil are servers a U.S. court can reach on a warrant, and seven years of that reach is the evidentiary spine the indictment is built on.
Victim math
Per USAO David M. Toepfer’s statement: victims in Ohio and 20 additional states, spanning banks, schools, government entities, hospitals, and media companies. DOJ puts aggregate losses at more than $62 million. Confidence: as-alleged.
That $62M is the reported floor from the case file, not a ceiling on Media Land’s total customer damage — ransomware losses in the criminal-record sense track only what victims formally documented, and the extortion economy is systematically under-reported. The real number is larger. Not knowable from this indictment.
This is layered on top of the November 2025 sanctions
All three defendants and both companies were already sanctioned in November 2025 in a joint action by the United States, United Kingdom, and Australia. OFAC’s finding at that time flagged Media Land infrastructure as used for DDoS against U.S. critical infrastructure, including telecommunications — a distinct offense from the ransomware-hosting charge but consistent with the pattern of bulletproof hosts renting to anyone paying.
The July 2026 EU and UK joint cyber sanctions package extended the designations further, per contemporaneous reporting from BleepingComputer. This week’s indictment is the criminal-charge track catching up to the sanctions track — the same operational pattern that produced yesterday’s OFAC 1VPNS designation and the November 2025 tri-national action against these same defendants. Two enforcement tools, one target category.
Reward and next moves
The State Department is offering up to $10 million under Rewards for Justice for information identifying foreign-government links to Media Land or its operators — a standard hook when defendants are out of reach. That figure is only relevant to a very narrow audience; noted for the record.
The indictment was returned in December 2024 and sat sealed for roughly nineteen months while the seven-year investigation ran to ground. That gap is normal — indictments unseal on the operational calendar, not the docket calendar — but the practical read for defenders is that Media Land’s infrastructure has been under federal observation for years, and any historical incident ticket that touched Media Land or ML.Cloud IP ranges is now a document worth pulling for compliance review.
Priority call
If you handle ransomware IR, add the two company names and three individuals to your sanctions-screening data if they aren’t there already from November — the criminal charges do not change the sanctions posture, but they harden the record for any ransom-payment review your compliance team is running. If you handle threat intel, treat any active hits on Media Land or ML.Cloud infrastructure as either stale, squatted, or copy-cat rebrand and verify before scoping to the same threat model. If neither applies, this one is a note-to-file: the bulletproof-hosting layer is being burned methodically, and the enforcement tempo is picking up.
Sources
- DOJ Office of Public Affairs — “Three Russian Nationals and Two Companies Indicted for International Cybercrimes Resulting in More Than $62M in Victim Losses” — July 14, 2026.
- USAO Northern District of Ohio — “Three Russian Nationals Indicted for International Cybercrimes Resulting in More Than $62M in Losses to Victims” — July 14, 2026.
- BleepingComputer — “US charges alleged Russian bulletproof hosting service operators” — July 15, 2026.
Found this useful? Share it.


