Russian infrastructure for supporting crypto extortionists has been exposed
US authorities have imposed restrictive measures against servers that were controlled by Russian entities and used to run ransomware programs
24.11.2025
The US Department of the Treasury, in conjunction with Australian and British authorities, has announced sanctions against Media Land, a Russian company that provides so-called “bulletproof hosting.” Such services help hide websites and servers that criminals use to spread viruses and ransomware and to commit other forms of cybercrime. GetBlock AML Research publishes details of the operation.
Several related companies and individuals have also been sanctioned, including Media Land director Alexander Volosovik. According to the authorities, he advertised these services on underground internet forums under the pseudonym Yalishanda.
The sanctions also affected Hypercore Ltd., which the US authorities consider to be a “front company” for the Aeza group, another major secure hosting provider that had already been added to the US sanctions list (in the summer of 2025) and the UK sanctions list (today). After being added to the sanctions list, Aeza attempted to conceal its activities by changing its name and disguising its ownership structure. As a result, two new successor companies were sanctioned, as well as Maksim Makarov, the new director of Aeza, and Ilya Zakirov, who is associated with its operations.
How Russian hosting provided services to cybercriminals: on-chain analysis
The service assisted in spreading malware to extort and steal confidential data
What is bulletproof hosting?
Bulletproof hosting is a type of internet service where a company provides a platform that is difficult for law enforcement agencies to shut down or block. Unlike regular hosting services, which are required to respond to complaints and cooperate with the authorities, such companies ignore complaints and help hide illegal content and activities of their clients.
The main idea behind such services is resistance to blocking. If the police or cyber specialists try to shut down a website, bulletproof hosting can:
- quickly change IP addresses;
- move servers to another country;
- ignore official requests for blocking.
They often operate in countries where the fight against cybercrime is underdeveloped, making them difficult to stop.
Complete anonymity is an important part of their business. Customers can pay with cryptocurrency and use fake data, allowing criminals to remain undetected.
Such hosting services play a key role in cybercrime around the world. They host:
- ransomware servers,
- phishing sites,
- programs that spread malware,
- infrastructure for large botnets,
- pages that mimic banks or government services,
- dark websites for selling data, weapons, and drugs.
Media Land / Yalishanda / Volosovik
According to investigations, since 2015, Alexander Volosovik and his partners have been advertising secure hosting services under the Abushost brand on the underground forums Exploit and XSS. Abushost provided criminals with servers and IP addresses that were almost impossible to block. This made such services an ideal platform for ransomware, data theft, and other online crimes.
| Alexander Volosovik’s address included in the OFAC sanctions list |
| --- |
| 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB |
Analytical data shows that wallets associated with Yalishanda and Abushost received more than $2 million. These wallets were linked to large groups distributing ransomware, such as BlackSuit, Black Basta, LockBit, and MedusaLocker. It was also noted that the money passed through many intermediate cryptocurrency wallets and large exchanges, which shows that such hosting providers are part of a broader criminal infrastructure.
Connection between Volosovik’s address and ransomware groups. Visualization: TRM Labs
Fighting cybercrime
The stories of Media Land and Yalishanda show that companies providing hidden infrastructure are key accomplices of hackers: they create the “skeleton” for ransomware attacks, malware distribution, and mass data theft. By targeting sanctions at these technical intermediaries, authorities in various countries are trying to move from reaction to prevention — making the work of cybercriminals more expensive, more difficult, and more dangerous.