US Unseals Indictment Charging Russian “Bulletproof” Web Hosts Over Cyberattacks That Netted $62 Million

A US indictment against Russian bulletproof hosting operators — law-enforcement continuation coverage this week.

Share
Editorial illustration of a server rack behind a bulletproof shield with a gavel and a broken seal, marking the US indictment of Russian hosting operators.

Key Takeaways

  • On July 14, 2026, the US Justice Department (DOJ) unsealed a December 2024 indictment charging three Russian nationals and two web-hosting firms — Media Land and ML.Cloud — with running a “bulletproof” hosting operation that prosecutors say provided infrastructure to criminal and state-backed hackers.
  • Prosecutors allege the two firms' infrastructure was used in cyberattacks that netted roughly $62 million from victims and targeted at least 42 entities across 21 US states, and the charges include hacking, conspiracy, and money laundering; the named operators are described as residing in Russia, where extradition is reportedly unlikely.
  • The unsealing extends a defender-facing enforcement arc that already includes late-2025 sanctions by the US and allies against the same firms, a State Department reward of up to $10 million for information, and a run of parallel actions against ransomware and cybercrime-support infrastructure.

A US indictment against Russian bulletproof hosting operators — law-enforcement continuation coverage this week.

WASHINGTON (DOJ) — The US Justice Department (DOJ) on July 14, 2026 unsealed a 2024 indictment charging three Russian nationals and two web-hosting firms with running a “bulletproof” hosting operation that prosecutors say supported cyberattacks netting roughly $62 million from victims. The indictment, returned in December 2024 and made public this week, names the companies Media Land and ML.Cloud and accuses their operators of hacking, conspiracy, and money-laundering offenses. Federal officials framed the action as the latest step in a sustained campaign to dismantle the infrastructure that criminal and state-backed hackers rent.

The unsealing, paired with a reward offer for information on the operators, continues a defender-facing arc of US-led enforcement against ransomware and cybercrime-support services. As the Justice Department announced, the two firms marketed themselves as shielded from law-enforcement takedown requests — the defining pitch of “bulletproof” hosting — while their infrastructure was allegedly used against dozens of American organizations. For network defenders, the significance lies less in any single named victim than in the widening enforcement perimeter now drawn around the services that make cybercrime scalable.

At a Glance
FieldDetails
AuthorityUS Department of Justice (DOJ)
ActionDecember 2024 indictment unsealed July 14, 2026
ChargedThree Russian nationals; two web-hosting firms (Media Land, ML.Cloud)
Named operatorsAleksandr Volosovik, Kirill Zatolokin, Yulia Pankova (per DOJ and reporting)
Alleged proceedsRoughly $62 million from cybercrime
ScopeAt least 42 entities across 21 US states (per DOJ)
ChargesHacking, conspiracy, money laundering
Prior actionUS, UK, and Australia sanctions in late 2025
IncentiveUp to $10 million reward for information (Rewards for Justice)

What the DOJ Unsealed

The indictment, returned by a grand jury in December 2024 and unsealed on July 14, 2026, names three Russian nationals — identified in the charging documents and in reporting as Aleksandr Volosovik, Kirill Zatolokin, and Yulia Pankova — as the operators of Media Land and ML.Cloud. According to SecurityWeek, the firms' infrastructure spanned multiple countries and was, in the DOJ's account, offered as “bulletproof” hosting to a wide range of threat actors, from profit-driven gangs to state-sponsored groups. Prosecutors say the platforms hosted activity spanning phishing, distributed denial-of-service operations, and ransomware, alongside cybercrime marketplaces and forums — categories the department lists to characterize the alleged support role rather than to detail any single operation.

The charges themselves — hacking, conspiracy, and money laundering — target the operators' alleged role in enabling and profiting from that activity, not the deployment of any specific payload. In a statement accompanying the unsealing, a senior Justice Department official said the firms' conduct “put the American public at risk” and pledged that authorities would “continue to dismantle these networks and protect our critical infrastructure from cybercriminals at home and abroad.” The framing mirrors recent US cases that pursue the people and companies behind cybercrime infrastructure, such as the Void Blizzard indictment brought earlier this year.

Continuation Context: From the First VPN Service Sanctions to the UK Coms Charges

The Media Land and ML.Cloud case does not stand alone. It lands within days of the US Treasury's sanctions on First VPN Service and a malware-cryptor seller, another action aimed at the shared support layer of the cybercrime economy rather than at a single ransomware brand. It also parallels the UK charges against five people linked to a Russian “Coms” fraud network, part of a coordinated transatlantic push to hold cyber-enabled fraud and its enablers accountable.

Read together, the three actions describe a consistent strategy: attack the ransomware and cybercrime supply chain at every layer authorities can reach — the anonymity providers, the obfuscation sellers, the fraud call centers, and the hosting firms that keep criminal operations online. Bulletproof hosting sits at the base of that stack, because takedown-resistant infrastructure is the precondition for much of what runs on top of it. Naming its operators, rather than only the affiliates who rent from them, is the point.

The $62 Million Figure and the Affected Businesses

The headline number — roughly $62 million — describes the proceeds prosecutors attribute to the cybercrime that flowed through the two firms' infrastructure, TechCrunch reported. According to the DOJ's account, the hosting supported attacks on at least 42 entities across 21 US states, causing tens of millions of dollars in losses to American businesses. The figure is an allegation set out in the indictment, not a court finding, and the government will have to prove it at any trial.

For defenders, the scope matters more than the precise dollar total. A single hosting operation implicated in incidents across nearly two dozen states illustrates how concentrated the criminal-services market is: a small number of takedown-resistant providers can sit behind a large and geographically dispersed set of intrusions. That concentration is exactly what makes the hosting layer an attractive enforcement target — disrupting one provider degrades the economics for many downstream operators at once.

Sanctions and Diplomatic Tie-Ins

The indictment is not the first official action against these firms. In late 2025, the United States and its allies — including the United Kingdom and Australia — announced coordinated sanctions against the operators and companies, part of a broader package targeting Russian cybercrime infrastructure. Those designations generally bar US persons from transacting with the named parties and freeze any property within US jurisdiction, the same financial-pressure logic behind actions like the First VPN Service sanctions and asset-tracing operations such as Europol's Audi A6 crypto-laundering takedown.

Alongside the unsealing, the State Department's Rewards for Justice program announced an offer of up to $10 million, and possible relocation, for information on the Media Land and ML.Cloud operators. That incentive tacitly acknowledges a hard limit: the defendants are described as residing in Russia, and extradition to the United States is reportedly unlikely. The combination — sanctions, indictment, and reward — is the now-familiar toolkit US authorities deploy when the suspects are beyond easy reach, echoing enforcement patterns seen in operations from Europol's first-of-its-kind VPN takedown to the wider Operation Endgame 2.0 actions against ransomware-supply-chain servers and operators.

Open Questions

Several specifics are not established by the unsealing as reported. Whether the charges are accompanied by cryptocurrency-wallet designations or additional forfeiture actions is not confirmed here and is treated as unknown pending the primary record. The particular ransomware or fraud operations that reportedly relied on Media Land and ML.Cloud are not itemized in a way this report can independently verify, and the identities beyond the three named operators are not established.

It is also unclear whether the case will advance beyond the indictment stage. With the defendants reportedly outside the reach of US extradition, the practical effect may rest on financial pressure, reputational exposure, and any operational disruption that accompanies the legal action rather than on arrests. As with any fresh enforcement announcement, the framing rests on the government's own account, corroborated by independent reporting, and details may sharpen as the case proceeds.


The CyberSignal Analysis

The facts above are drawn from the DOJ's action and its reporting; what follows is The CyberSignal's editorial reading of what defenders and policy watchers should take from it. None of the judgments below are new reported facts.

Signal 01 — Enforcement Is Converging on the Hosting Layer

The durable read is not that three more Russian nationals were charged, but where in the ecosystem they sit. Media Land and ML.Cloud are not a ransomware crew; they are alleged to be the takedown-resistant foundation many crews rent. Our assessment: US and allied enforcement has deliberately shifted toward that base layer because it is the highest-leverage target — a diffuse set of affiliates is hard to reach, but the small number of hosting providers they depend on is far more concentrated and identifiable.

For defenders, the inference is to keep watching the infrastructure that recurs across unrelated intrusions. Bulletproof hosts, anonymity services, and obfuscation sellers are where both the criminal economy and the state response are concentrating, and threat models that map those chokepoints will track enforcement better than ones organized around individual malware families.

Signal 02 — Sanctions, Indictment, and Reward Are a Single Combined-Pressure Play

The under-appreciated detail is the sequencing. These firms were sanctioned by the US and allies in late 2025; now comes a public indictment and a $10 million reward. Our reading: this is not three separate events but one layered campaign — designations cut off the legitimate financial system, the indictment builds a legal record and names the operators, and the reward crowdsources leads that arrests abroad cannot easily generate.

The takeaway for policy watchers is that the absence of an arrest is not the same as the absence of consequences. Each instrument compounds the others: sanctions raise the cost of cashing out, an unsealed indictment constrains travel to extradition-friendly countries, and a reward keeps the operators looking over their shoulders. The measure of success is cumulative friction, not a perp walk.

Signal 03 — Extradition Limits Push the Payoff Toward Disruption and Deterrence

Sanctions and indictments do not seize servers or make arrests, and operators based in Russia can, in principle, continue or rebrand. Our assessment: the value of this action is therefore weighted toward deterrence and toward whatever operational disruption accompanies it — signaling to the next hosting operator that a “bulletproof” pitch invites coordinated, multi-country attention.

The watch item is durability. If Media Land and ML.Cloud simply resurface under new branding with the same customers, the deterrent effect will have been limited; if the naming, the reward, and any technical disruption measurably raise the ecosystem's costs, the hosting-layer strategy will have proven itself. That outcome, not the unsealing itself, will ultimately grade this case.


Sources

TypeSource
PrimaryUS Department of Justice — Three Russian Nationals and Two Companies Indicted (press release)
ReportingTechCrunch — US charges Russian 'bulletproof' web hosts over cyberattacks that netted $62M
ReportingSecurityWeek — US Charges Russian Individuals and Firms for Running Cybercrime Services
ReportingThe Record — US unseals indictment against alleged operators of Russian bulletproof hosting service
RelatedThe CyberSignal — US Treasury Sanctions First VPN Service, Malware Cryptor Seller
RelatedThe CyberSignal — UK Charges Five Over Russian 'Coms' Fraud Network