Federal prosecutors have charged three Russian nationals with running what’s known in cybercrime circles as a “bulletproof” hosting operation, infrastructure specifically built to shield hackers from law enforcement while they attacked American businesses.
Alexander Volosovik, Kirill Zatolokin, and Yulia Pankova, all based in St. Petersburg, allegedly ran two web hosting companies, Media Land and ML.Cloud, that supplied servers and infrastructure to cybercriminals and state-linked hacking groups. Prosecutors say those services helped launch distributed denial-of-service attacks that knocked websites offline, phishing campaigns, and attacks targeting US critical infrastructure. Prosecutors actually filed the charges back in 2024, but the indictment stayed sealed until this week.
The scale is significant. According to prosecutors, hackers used Media Land and ML.Cloud’s infrastructure to target dozens of businesses spread across more than 20 states, pulling in roughly $62 million in criminal proceeds along the way. The US Treasury had already sanctioned both companies before this indictment surfaced, specifically for letting ransomware gangs including LockBit, BlackSuit, and Play operate through their networks, sanctions that legally bar American individuals and businesses from doing any business with the Russians or their companies.
What made the hosting operation valuable to criminals, prosecutors say, was the “bulletproof” label itself. The companies built their business model around resisting law enforcement takedown requests and shielding customer identities, the opposite of what a typical hosting provider promises its clients.
Don’t expect arrests anytime soon, though. Russia rarely extradites its citizens to face US charges, and law enforcement has historically only managed to catch high-value cybercrime suspects when they travel to countries with extradition agreements with Washington, something Russian nationals involved in this kind of work tend to avoid.
“These actions put the American public at risk,” said US Assistant Attorney General A. Tysen Duva in a statement, adding that the Justice Department intends to keep dismantling similar networks “at home and abroad.”
The indictment adds to a growing list of enforcement actions targeting bulletproof hosting providers, a segment of the hosting industry that exists almost entirely to service cybercrime, even as legitimate hosts race to build better security tooling for their own customers.
