Executive Summary and Provider Overview
Quick-Reference Attributes
| Common Names | Media Land LLC; Yalishanda; Abushost; ML.Cloud LLC; Media Land Technology; Data Center Kirishi; real-hosting[.]biz (historic) |
|---|---|
| Node Type | Bulletproof Hosting Provider |
| Status | Degraded; AS206728 active as of June 2026; sanctions imposed November 19, 2025; no physical seizure confirmed |
| PRODAFT Designation | LARVA-34 |
| Entity Registration Jurisdiction | Russia: Media Land LLC registered St. Petersburg, October 2015; Data Center Kirishi registered Leningrad Oblast, July 2022; ML Cloud and Media Land Technology also Russia-registered |
| Infrastructure Hosting Jurisdiction | Russia: St. Petersburg (primary); Data Center Kirishi, Kirishi, Leningrad Oblast (own physical DC per Zatolokin/Analyst1) |
| Assessed Operator Location | Russia: St. Petersburg (Volosovik, assessed; relocated from Vladivostok approximately 2018 per Intel 471/Krebs) |
| Active Period (Yalishanda brand) | ~2009 to present (approximately 15+ years confirmed active) |
| Active Period (Media Land LLC) | October 2015 to present (registered entity) |
| Primary ASN | AS206728: MEDIALAND-AS (RIPE, registered 2016-11-17; active as of June 6, 2026) |
| Secondary ASN | AS211805: Media Land LLC (RIPE; additional AS per IPinfo data) |
| IPv4 Prefixes (AS206728) | 45.141.84.0/24 (ML Cloud); 45.141.85.0/24 (Media Land); 45.141.86.0/24 (ML Cloud); 45.141.87.0/24; 91.220.163.0/24 (Media Land); 193.242.153.0/24; 194.26.29.0/24 (Media Land); 194.26.69.0/24 (Media Land) |
| IPv6 Prefixes | 2a0b:7ec0:1320::/48; 2a0b:7ec0:7701::/48 |
| Upstream / BGP Peers | AS49531 (NetCom-R LLC, Russia); AS20632 (MegaFon, Russia); AS202799 (SYSECT D.O.O., Montenegro); AS51538 (Lavrentyev Aleksandr Arkadievich, Russia); historical RIPE IRR: AS3216 (Vimpelcom/Beeline), AS9049 (ERTH Corporation JSC) |
| RIPE Maintainers | mnt-ru-media-land-1; media-land-llc; NETWORK-SUPPORT-MNT; RIPE-NCC-END-MNT |
| Abuse Contact | Not publicly disclosed in RIPE WHOIS (personal data removed per RIPE GDPR policy) |
| Confirmed Ransomware Clients | LockBit, BlackBasta, BlackSuit, Play, Evil Corp (CONFIRMED per OFAC/UK FCDO); MedusaLocker (CREDIBLE per TRM Labs) |
| Bitcoin Address (OFAC) | 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB (designated, Volosovik) |
| Blocklist Status | Spamhaus SBL/CBL: Confirmed listed (2019 community references, ongoing); DROP/EDROP: Probable; abuse.ch: Probable; specific current entry IDs not confirmed via open sources |
| Sanctions | OFAC CYBER3 (E.O. 13694 as amended); UK FCDO Cyber Sanctions; AU DFAT: all November 19, 2025 |
| State Nexus Tier | Tolerated Safe Harbor (Tier 2 of 4) |
Overall Assessment
Media Land LLC, operating under the long-standing underground brand "Yalishanda," is one of the most documented and longest-running Russian bulletproof hosting (BPH) providers in the threat landscape, with confirmed activity spanning approximately 2009 to present. Its principal, Aleksandr Alexandrovich Volosovik (DOB January 30, 1983), was publicly identified by name in a KrebsOnSecurity investigation in July 2019 and formally sanctioned alongside three associates and four corporate entities by the United States, United Kingdom, and Australia on November 19, 2025.
The provider's infrastructure is consolidated under AS206728 (MEDIALAND-AS) and a secondary AS211805, hosting approximately 2,048 IPv4 addresses in eight /24 prefixes. Its wholly-owned subsidiary Data Center Kirishi, registered in Kirishi (Leningrad Oblast) in July 2022, is assessed to represent an owned physical data center rather than leased rack space, making Media Land one of few Russian BPH operators with confirmed on-premises hardware. Zatolokin confirmed as much in direct communications with BlackBasta client contact "gg": "This is all our own: our own data center, our own hardware."
Forensic corroboration comes from two converging leak events: the February 2025 BlackBasta internal chat leak (ExploitWhispers) and the March 28, 2025 leak of Media Land's own internal database. Analyst1's "Infrastructure in the Shadows" report (January 2026) links these datasets to map BlackBasta's 200-server deployment on Media Land infrastructure, consuming 17-20 Gbps bandwidth, and traces $94,000 USDT in salary payments from BlackBasta operator "gg" to Media Land infrastructure staffer "lapa." TRM Labs independently traced over $2 million in on-chain volume across Yalishanda/Abushost-linked addresses, with flow intersections across BlackSuit, BlackBasta, LockBit, and MedusaLocker.
Post-sanctions, AS206728 remains active per BGP data as of June 6, 2026. No arrests have been made, no servers have been seized, and no confirmed rebranding or infrastructure migration has been publicly documented. The operational status is assessed as Degraded: sanctions reduce the provider's access to Western payment rails and may impair client confidence, but the underlying infrastructure and operator network remain intact.
Lineage and Organizational Heritage
Entity and Brand Timeline
| Brand / Entity | Type | Role | Period | Confidence |
|---|---|---|---|---|
| Yalishanda | Underground brand / persona | Primary criminal trading name; used on Exploit, XSS, and predecessor forums to advertise BPH services | ~2009 to present | Confirmed |
| real-hosting[.]biz | Early BPH domain | Service advertised circa 2011 under Yalishanda persona; accepted botnets, malware, adware, exploits, IRC | ~2011 | Confirmed |
| abushost[.]ru / Abushost | Long-lived BPH brand/domain | One of Yalishanda's most durable service brand names; advertised on Exploit[.]in and XSS[.]pro alongside associate "podzemniy1" per TRM Labs | ~2015 onward | Confirmed |
| Media Land LLC (ООО Медиа Лэнд) | Russian LLC (OOO) | Legitimate-appearing legal entity registered to provide surface-level credibility; used to sign contracts, lease IP ranges, and employ staff; 100% owned by Volosovik | Registered October 2015 to present | Confirmed |
| ML Cloud LLC (ML.Cloud) | Russian LLC | Sister company; technical infrastructure used in conjunction with Media Land in ransomware and DDoS operations; co-operated by Volosovik and Zatolokin per AU Government | Active (dates not confirmed) | Confirmed |
| Media Land Technology (MLT) | Russian LLC (100% subsidiary) | Wholly owned subsidiary of Media Land LLC; described by OFAC as subsidiary; likely used as infrastructure or services wrapper | Active (dates not confirmed) | Confirmed |
| Data Center Kirishi (DC Kirishi) | Russian LLC (100% subsidiary) | Wholly owned subsidiary of Media Land LLC registered July 2022; confirmed own physical data center in Kirishi, Leningrad Oblast; provides own hardware to VIP clients | Registered July 2022 to present | Confirmed |
| AS206728 (MEDIALAND-AS) | Autonomous System, RIPE | Primary network backbone for Media Land; registered November 2016; currently 8 IPv4 prefixes / 2,048 IPs | Registered Nov 17, 2016; active | Confirmed |
Predecessor Lineage and Early History
Yalishanda's criminal activity is confirmed from approximately 2009 and assessed to extend back to the late 2000s. KrebsOnSecurity first encountered the persona in 2010 in connection with "Fizot," a botnet anonymization service using TDSS-infected Windows machines. A 2010 domain registration for mo0be-world[.]com linked to email address [email protected] and the name Aleksandr Volosovyk provided the first documented link between the criminal persona and a real identity. [1]
By 2011 Yalishanda was actively advertising under real-hosting[.]biz, offering hosting for botnets (Zeus), malware, adware, exploits, pharma, and IRC. He subsequently rebranded services through multiple iterations, with abushost[.]ru becoming a particularly durable brand. Intel 471 and Cisco researchers identified Yalishanda as a "top tier" BPH provider in a Black Hat 2017 talk, noting that in a single 90-day period in 2017 his infrastructure hosted Dridex, Zeus, and multiple ransomware families. By this point Yalishanda had relocated from Vladivostok to St. Petersburg (approximately 2018 per Intel 471), registered Media Land LLC in October 2015, and was professionalizing operations by employing staff under the legitimate company structure. [1][7]
Evidentiary Pillars
Confirmed: Volosovik's identity as Yalishanda is established through (1) 2010 domain registration linking [email protected] to Aleksandr Volosovyk; (2) 2010 passport scan submitted to ChronoPay payment processor confirming full name, DOB, birthplace; (3) Rusprofile.ru business registry listing Volosovik as director of Media Land LLC (St. Petersburg); (4) OFAC/UK FCDO/AU DFAT formal designation November 2025; (5) REvil forum member "Unknown" referring to Volosovik by first name "Sasha" in a 2019 arbitration thread on XSS forum. [1][3][7]
Confirmed: On March 28, 2025, an unknown actor leaked Media Land's internal database containing server configurations, client purchase history, user account data, and cryptocurrency addresses. Volosovik acknowledged the breach on a hacking forum, validating the authenticity of the leaked material. PRODAFT (designating the provider LARVA-34) assessed the leak as providing rare high-value insight into criminal infrastructure. [4][5]
Operator Profiles
2.1 Aleksandr Alexandrovich Volosovik: Principal Operator
| Full Name | Aleksandr Alexandrovich Volosovik (Александр Александрович Волосовик) |
|---|---|
| Date of Birth | 30 January 1983 |
| Place of Birth | Brovary, Kyiv Oblast, Ukraine (confirmed via passport; assessed to have relocated to Russia as a child, before 1990) |
| Citizenship | Russian Federation |
| Handle History | Yalishanda (primary; Mandarin for "Alexander"); Downlow; Stas_vl; associated domain [email protected] |
| Education | School No. 80, Vladivostok (1990-2000); Far Eastern State Technical University (ДВГТУ), Institute of Mechanics, Automation and Advanced Technologies, specializing in Automated Production Systems in Mechanical Engineering: graduated 2005 |
| Geography | Brovary, Ukraine (birth); Vladivostok, Russia (school/university); Beijing, China (documented period, passport issued by Russian Embassy Beijing); St. Petersburg, Russia (current, relocated approximately 2018) |
| Criminal Onset | Approximately 2009 (confirmed criminal activity); late 2000s assessed (Krebs: "decade already" as of 2019) |
| Assessed Location | St. Petersburg, Russia (assessed; confirmed registered director of St. Petersburg entity; not arrested) |
| Legal Status | At large; no arrest, indictment, or criminal charges; sanctioned by OFAC, UK FCDO, AU DFAT November 19, 2025 |
| OFAC Designation Basis | E.O. 13694 (as amended by E.O. 13757, 14144, 14306) for cyber-enabled activities reasonably likely to result in a threat to US national security, foreign policy, or economic health |
| Sanctioned BTC Address | 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB |
2.2 Kirill Andreevich Zatolokin: Operations / Customer Support Lead
| Full Name | Kirill Andreevich Zatolokin (Кирилл Андреевич Затолокин) |
|---|---|
| Date of Birth | 30 April 1992 |
| Origin | Vladivostok, Russia: graduated School No. 23 (МОУ СОШ 23), Vladivostok, 2009 |
| Education | Beijing Institute of Fashion Technology, enrolled 2009; documented physically present in Beijing at least through 2014 |
| Handle | Slim Shady |
| Contact | Telegram @ohyehhellno (operational contact for Yalishanda clients, observed from at least November 2018) |
| Known Emails | [email protected]; [email protected] |
| Operational Role | Responsible for collecting payment from customers; coordinating with cyber actors; primary customer support interface for Yalishanda services; direct liaison to BlackBasta (via gg) per leaked chats |
| Connection to Volosovik | Both from Vladivostok; both spent time in Beijing: assessed to have met in Beijing, no earlier than May 2014 per Analyst1 |
| Legal Status | At large; sanctioned OFAC/UK FCDO/AU DFAT November 19, 2025 |
2.3 Yulia Vladimirovna Pankova
| Full Name | Yulia Vladimirovna Pankova |
|---|---|
| DOB / Location | Unknown |
| Assessed Role | Legal and financial associate to Volosovik; described by OFAC as having assisted Volosovik with legal issues and having handled his personal finances |
| Relationship to Volosovik | Personal relationship confirmed via OFAC photo release (Figure 2, sb0319) |
| Legal Status | At large; sanctioned OFAC/UK FCDO November 19, 2025 as having materially assisted Volosovik |
2.4 Andrei Valerevich Kozlov
| Full Name | Andrei Valerevich Kozlov |
|---|---|
| DOB / Location | Unknown |
| Assessed Role | Employed by or associated with Media Land LLC; OFAC does not specify function; grouping with MLT/DC Kirishi entities in sanctions documentation suggests possible management role in subsidiary operations |
| Legal Status | At large; sanctioned OFAC/UK FCDO November 19, 2025 |
2.5 "lapa": Infrastructure Staff (Alias Only)
| Handle | lapa |
|---|---|
| Real Identity | Not published: anonymous source behind BlackBasta leak suggested an identity; Analyst1 declined to publish pending LE confirmation |
| Role | Managed key parts of BlackBasta's infrastructure; procured SOCKS proxies for BlackBasta operations; received salary payments from BlackBasta operator gg totaling $94,000 USDT |
| USDT Address | 0xa0A7d2C6b288927cf73a5cf59970373262ea73c6 (received payments from gg at 0xB54c17E5ea215f45A61E8790cf546AD175Af2Cf0) |
| Legal Status | Not sanctioned; identity not publicly confirmed by LE |
Disputed Assessments
No vendor disputes the attribution of Yalishanda to Volosovik or the linkage between Yalishanda and Media Land LLC. The primary open question is the precise functional role of Kozlov and the corporate function of Media Land Technology; OFAC's designation basis (ownership by Media Land LLC) is clear but Kozlov's specific job title or seniority is not in the public record. Pankova's personal relationship to Volosovik is inferred from the OFAC photo release but not explicitly stated in the sanctions text.
Operational and Business Model
Service Model
Media Land/Yalishanda operated as a full-stack bulletproof hosting provider delivering servers, IP addresses, SOCKS proxies, and DDoS-resistant hosting to cybercriminal clients. The provider's core value proposition is identical to that of other Russian BPH operators but distinguished by longevity, owned physical infrastructure, and the ability to accommodate VIP-scale deployments. Key service components: dedicated servers from owned DC, virtual servers, SOCKS proxy services, and technical troubleshooting. The provider's own-hardware DC, marketed as superior to "public" hosting where networks are "simply rented," was used as a competitive differentiator with high-value clients. [3][4]
Total non-cooperation with law enforcement and abuse reporters is the explicit and advertised posture. Forum advertising explicitly names Spamhaus as an ignored organization. [1][3]
Verbatim Advertising Copy
Onboarding and Client Tiers
Forum-based advertising on Exploit[.]in, XSS[.]pro, and predecessor platforms constitutes the primary acquisition channel. Customer support was handled via Telegram (@ohyehhellno, Zatolokin) and Jabber contacts, both consistently listed in advertising posts. No invitation-only or referral requirement documented in open sources.
A two-tier client structure is evident from leak data: standard clients interacted with customer support via forum-advertised channels; VIP clients such as BlackBasta had direct relationships with Zatolokin for custom deployments, bandwidth negotiations, and capacity planning. VIP status provided access to owned DC hardware, custom bandwidth agreements, and dedicated account management. [3]
Pricing (Partial)
Full price list not confirmed in open sources. From BlackBasta leaked chat context (Analyst1): standard plan included 20 Gbps bandwidth per 100 servers; overage priced at $4,000 per additional 10 Gbps. A 200-server BlackBasta deployment consuming 17-20 Gbps was flagged as unsustainable at existing pricing. Cryptocurrency-only payment. [3]
Abuse-Handling and LE Posture
Total non-cooperation is the confirmed and advertised posture, including explicit naming of Spamhaus as ignored. No documented instance of Media Land/Yalishanda responding to abuse complaints or cooperating with law enforcement requests over 15+ years of operation. The 2020 arbitration refund incident is the only documented instance of customer dispute resolution, and even that was conducted through a bare transactional response with no acknowledgment. [1][3]
OPSEC
Volosovik registered Media Land LLC as a legitimate Russian entity to provide surface-level commercial legitimacy, enabling contract signing, IP leasing, and employment of staff. The corporate structure creates a legal separation between the Yalishanda underground brand and a nominally registered company. Volosovik's VKontakte and Odnoklassniki profiles used partial real-name attribution, suggesting confidence in the Russian legal operating environment rather than technical OPSEC discipline. Staff (Zatolokin, lapa) operated under pseudonyms while the principal's identity was quasi-public in underground circles for at least a decade before formal sanctions.
Technical Capabilities and Infrastructure Footprint
Autonomous System
| ASN | Name | RIR | Country | Registered | Status |
|---|---|---|---|---|---|
| AS206728 | MEDIALAND-AS | RIPE | Russian Federation | 2016-11-17 | Active (June 6, 2026) |
| AS211805 | Media Land LLC | RIPE | Russian Federation | Unknown | Active (IPinfo data) |
IPv4 Prefix Table (AS206728)
| Prefix | Registered Description | RPKI | IRR |
|---|---|---|---|
| 45.141.84.0/24 | ML Cloud LLC | Valid | Valid |
| 45.141.85.0/24 | Media Land LLC | Valid | Valid |
| 45.141.86.0/24 | ML Cloud LLC | Valid | Valid |
| 45.141.87.0/24 | Grisha Maslinikov | Valid | Valid |
| 91.220.163.0/24 | Media Land LLC | Valid | Valid |
| 193.242.153.0/24 | IT Outsourcing LLC | No ROA | Valid |
| 194.26.29.0/24 | Media Land LLC | Valid | Valid |
| 194.26.69.0/24 | Media Land LLC | Valid | Valid |
IPv6 Prefixes (AS206728)
| Prefix | Registered Description | RPKI |
|---|---|---|
| 2a0b:7ec0:1320::/48 | Media Land LLC | Valid |
| 2a0b:7ec0:7701::/48 | Media Land LLC | Valid |
Upstream Transit Chain
AS206728 current BGP peers observed (Hurricane Electric BGP Toolkit, June 6, 2026):
| Peer ASN | Entity | Country | Role |
|---|---|---|---|
| AS49531 | NetCom-R LLC | Russian Federation | IPv4 and IPv6 upstream peer |
| AS20632 | PJSC MegaFon | Russian Federation | IPv4 upstream peer (major Russian carrier) |
| AS202799 | SYSECT D.O.O. | Montenegro | IPv4 upstream peer |
| AS51538 | Lavrentyev Aleksandr Arkadievich | Russian Federation | IPv4 upstream peer |
Historical RIPE IRR records show import/export relationships with AS3216 (Vimpelcom/Beeline, major Russian tier-1 carrier) and AS9049 (ERTH Corporation JSC). These may represent earlier transit arrangements prior to current peer configuration.
Confirmed: No documented de-peering events for AS206728 in open sources. Unlike PROSPERO (AS200593, Bearhost), which attracted public attention when Kaspersky Lab was identified as an upstream provider in 2025, no equivalent upstream controversy has been publicly reported for MEDIALAND-AS.
Physical Infrastructure
Confirmed: Data Center Kirishi (100% subsidiary of Media Land LLC, registered July 2022, Kirishi, Leningrad Oblast) is assessed to represent an owned physical data center, not leased rack space in a third-party facility. Zatolokin directly stated to BlackBasta client "gg": "our own data center, our own hardware." This constitutes a structural differentiator from most Russian BPH operators who lease upstream capacity. [3]
Confirmed: Standard plan: 20 Gbps per 100 servers on owned hardware. Documented BlackBasta deployment: approximately 200 servers consuming 17-20 Gbps with plans to scale to 50 Gbps. [3]
Hosted Activity Types
From PRODAFT LARVA-34 analysis and Media Land leak data (March 2025), confirmed hosted activity categories:
- Malware command-and-control (C2) servers
- Code-signing infrastructure
- Phishing kit hosting
- Data exfiltration panels
- Ransomware operational platforms (BlackBasta confirmed)
- Data leak site hosting
- Underground marketplace infrastructure
- DDoS botnet infrastructure (confirmed in OFAC press release: attacks against US telecom)
- SOCKS proxy networks (purchased and layered over Media Land servers by BlackBasta)
Blocklist Standing
| List | Status | Evidence |
|---|---|---|
| Spamhaus SBL | Listed (confirmed) | SBL and CBL listings noted by community on 2019 Krebs article; advertising explicitly claims to ignore Spamhaus, confirming ongoing listing relationship |
| Spamhaus CBL | Listed (confirmed) | Noted in 2019 KrebsOnSecurity article comments by security researchers examining IP ranges |
| Spamhaus DROP / EDROP | Probable | EDROP covers cybercriminal-controlled IP space; no direct confirmation for current state; probable given operator sanctions status |
| abuse.ch Feodo Tracker | Probable | Confirmed C2 hosting in IP ranges; direct entry IDs not confirmed in open sources |
| abuse.ch URLhaus | Probable | Phishing and malware URLs from these ranges documented; entry-level confirmation via multiple reports |
| abuse.ch MalwareBazaar | Unknown | No direct confirmation in open sources |
| Firehol | Probable | No direct confirmation; range behavior and CBL/SBL status strongly suggest inclusion |
Known Weaknesses
Infrastructure concentration: all prefixes sit under a single ASN (AS206728), which makes AS-level blocking straightforward for defenders. The AS has relatively few upstream peers (4 observed), limiting routing redundancy. Ownership of physical DC hardware (DC Kirishi) creates a fixed, locatable choke point that is, in principle, subject to seizure by Russian authorities, though no Russian LE action has occurred.
Financial weakness: OFAC/UK/AU sanctions designate both the operator (Volosovik) and the Bitcoin address, restricting access to Western payment rails and exchange services. Customers transacting with sanctioned entities face secondary sanctions exposure.
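Added example, not part of the original report: because every prefix sits under one ASN, a defender can screen connection logs against the AS206728 prefix tables above and collapse them into a compact block list. The log format, the sample addresses and the function names are constructed for illustration; the prefixes and descriptions are the ones listed on this page.

```python
import ipaddress
import re
from collections import Counter

# Prefixes and registered descriptions copied from the AS206728 tables on this page.
AS206728_PREFIXES = {
    "45.141.84.0/24": "ML Cloud LLC",
    "45.141.85.0/24": "Media Land LLC",
    "45.141.86.0/24": "ML Cloud LLC",
    "45.141.87.0/24": "Grisha Maslinikov",
    "91.220.163.0/24": "Media Land LLC",
    "193.242.153.0/24": "IT Outsourcing LLC",
    "194.26.29.0/24": "Media Land LLC",
    "194.26.69.0/24": "Media Land LLC",
    "2a0b:7ec0:1320::/48": "Media Land LLC",
    "2a0b:7ec0:7701::/48": "Media Land LLC",
}
NETWORKS = [(ipaddress.ip_network(p), d) for p, d in AS206728_PREFIXES.items()]

# Constructed firewall log lines (hypothetical format). Internal hosts use
# documentation ranges; lines 2 and 5 are deliberate near misses.
SAMPLE_LOG = [
    "2026-06-06T10:00:01Z ALLOW src=192.0.2.10 dst=45.141.84.17:443 proto=tcp",
    "2026-06-06T10:00:02Z ALLOW src=192.0.2.11 dst=45.141.88.5:443 proto=tcp",
    "2026-06-06T10:00:03Z ALLOW src=192.0.2.12 dst=[2a0b:7ec0:1320::beef]:8443 proto=tcp",
    "2026-06-06T10:00:04Z DENY src=::ffff:91.220.163.9 dst=198.51.100.7:22 proto=tcp",
    "2026-06-06T10:00:05Z ALLOW src=192.0.2.13 dst=2a0b:7ec0:1321::1 proto=udp",
    "2026-06-06T10:00:06Z ALLOW src=192.0.2.10 dst=45.141.84.200:80 proto=tcp",
]

V4_WITH_PORT = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?$")
V6_BRACKETED = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::\d+)?$")


def candidates(line):
    """Yield tokens that might be addresses, with ports and brackets stripped."""
    for tok in re.split(r"[\s,;=\"'<>]+", line):
        if not tok:
            continue
        m = V6_BRACKETED.match(tok) or V4_WITH_PORT.match(tok)
        yield m.group(1) if m else tok


def match_ip(text):
    """Return (prefix, description) if text is an address inside a listed prefix."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None  # timestamps, keywords and other non-address tokens
    # An IPv4-mapped IPv6 address must be checked against the IPv4 prefixes.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net, desc in NETWORKS:
        if ip.version == net.version and ip in net:
            return str(net), desc
    return None


def scan(lines):
    """Return (line_number, address_as_logged, prefix, description) per hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for cand in candidates(line):
            found = match_ip(cand)
            if found:
                hits.append((lineno, cand, found[0], found[1]))
    return hits


def hits_per_prefix(hits):
    """Count hits by matched prefix, for triage and reporting."""
    return Counter(prefix for _, _, prefix, _ in hits)


def collapsed_blocklist():
    """Merge adjacent prefixes into the shortest equivalent block list."""
    out = []
    for version in (4, 6):
        nets = [n for n, _ in NETWORKS if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(nets))
    return out


if __name__ == "__main__":
    for lineno, addr, prefix, desc in scan(SAMPLE_LOG):
        print(f"line {lineno}: {addr} in {prefix} ({desc})")
    print("block list:", ", ".join(collapsed_blocklist()))
```

The four adjacent 45.141.84.0/24 to 45.141.87.0/24 announcements merge into a single /22, so the eight IPv4 prefixes reduce to five block list entries.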
Financial Infrastructure
Payment Methods
Cryptocurrency-only payment confirmed. Bitcoin (BTC) and USDT (Tether, ERC-20) documented in leak and sanctions data. No fiat payment methods documented. Anonymity enforced through cryptocurrency-only onboarding, consistent with BPH operator norms. [3][7]
Known Wallet Clusters
| Address | Currency | Attribution | Source |
|---|---|---|---|
| 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB | Bitcoin (BTC) | Aleksandr Volosovik / Media Land LLC (OFAC designation) | OFAC SDN list, November 19, 2025 [7] |
| 1PY4JX82rhKTSyP7ywhJgiYeVvTcpcaW8d | Bitcoin (BTC) | Yalishanda (refund address provided in 2020 arbitration case: forum public record) | Analyst1 [3] |
| 0xa0A7d2C6b288927cf73a5cf59970373262ea73c6 | USDT (ERC-20) | "lapa": Media Land infrastructure staffer; received $94,000 USDT salary from BlackBasta operator gg | Analyst1 / Arkham blockchain data [3] |
| 0xB54c17E5ea215f45A61E8790cf546AD175Af2Cf0 | USDT (ERC-20) | BlackBasta operator "gg": sending wallet for lapa salary payments | Analyst1 [3] |
On-Chain Volume
Confirmed: TRM Labs documented over $2 million USD in received volume across wallets linked to Yalishanda/Abushost, with direct and indirect flow intersections across BlackSuit, BlackBasta, LockBit, and MedusaLocker operations. [7]
Confirmed: Chainalysis assessed Volosovik's hosting services as supporting "nearly every component of the cyber kill chain" and identified interactions across "thousands of addresses" with "millions of dollars" in transactions, serving underground exchanges, laundering services, scammers, hackers, and ransomware operators. [6]
Three-Phase Laundering Model
Evidence from BlackBasta leak and TRM analysis supports a standard three-phase laundering model consistent with Russian cybercrime norms:
Phase 1: Receipt: Ransomware payments received in Bitcoin from victims. Yalishanda receives payment for hosting services, primarily in BTC or USDT.
Phase 2: Conversion: BlackBasta operator "gg" confirmed in leaked chats that funds paid to lapa for SOCKS procurement and salary came from money already "cleaned" by an internal laundering operation. USDT used for stable-value salary payments post-laundering. TRM identifies fund flows to "intermediary wallets and major global exchanges."
Phase 3: Cash-out: Funds moved through no-KYC exchanges and OTC desks consistent with Russian ransomware cash-out patterns. Specific cash-out venues for Media Land/Volosovik not confirmed in open sources (contrast with ZServers: Garantex documented).
Sanctions and Regulatory Risk
OFAC SDN designation: Media Land LLC, ML Cloud LLC, Media Land Technology, Data Center Kirishi (entities); Volosovik, Zatolokin, Pankova, Kozlov (individuals): all designated November 19, 2025. Volosovik's BTC address 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB explicitly listed on SDN. UK OFSI and AU DFAT coordinated designations on same date. All property and interests in US/UK/AU jurisdictions blocked; US persons and entities in US prohibited from transacting with designated parties. Secondary sanctions risk extends to financial institutions worldwide. [7][8][9]
Client Profile and Hosted Operations
Crimeware Verticals by Evidence Tier
| Client / Activity | Category | Confidence | Sources |
|---|---|---|---|
| LockBit ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; UK FCDO; Chainalysis [6][7][8] |
| BlackBasta ransomware infrastructure | Ransomware | Confirmed | Analyst1 (leaked chats + Media Land leak correlation); OFAC/UK FCDO; leaked chat data [3][7][8] |
| BlackSuit ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; Bleeping Computer [6][7] |
| Play ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; Bleeping Computer [6][7] |
| Evil Corp infrastructure | Ransomware / CaaS | Confirmed | UK FCDO / Foreign Secretary statement; Bleeping Computer (citing UK) [8] |
| MedusaLocker ransomware infrastructure | Ransomware | Credible [Single Source] | TRM Labs blockchain analysis [7] |
| Underground exchanges and laundering services | Financial crime infrastructure | Confirmed | OFAC; Chainalysis [6][7] |
| Scammers and fraud operators | Fraud | Confirmed | OFAC; Chainalysis [6][7] |
| Initial access brokers (IABs) | Access brokerage | Confirmed | OFAC; Chainalysis [6][7] |
| Malware-as-a-Service operators | MaaS | Confirmed | OFAC; PRODAFT LARVA-34 [4][7] |
| DDoS-for-hire / DDoS attack infrastructure | DDoS | Confirmed | OFAC: "multiple DDoS attacks against U.S. companies and critical infrastructure, including telecommunications systems" [7] |
| Magecart and card-skimming infrastructure | Financial fraud | Credible | KrebsOnSecurity 2019 citing active hosting of Magecart-related infra [1] |
| Cybercrime forum hosting | Forum / marketplace | Credible | KrebsOnSecurity 2019: "hundreds of dodgy sites" including cybercrime forums and stolen card shops [1] |
Client Geography
Client geography not confirmed in open sources. Given that Yalishanda advertised on Russian-language underground forums (Exploit, XSS) and the operator network is entirely Russia/CIS-based, a predominantly Russian-speaking/CIS client base is assessed. The presence of internationally active ransomware groups (LockBit, BlackBasta, BlackSuit, Play) confirms that service is not geographically restricted and supports attacks on Western targets globally.
Notable Hosted Cases
Confirmed: Based on BlackBasta leaked chats correlated with Media Land internal data by Analyst1. BlackBasta maintained a ~200-server deployment on Media Land infrastructure, consuming 17-20 Gbps bandwidth with negotiated plans to expand to 50 Gbps. Infrastructure staffer "lapa" managed day-to-day operations and SOCKS proxy procurement layered over Media Land's servers. Total confirmed USDT payments to lapa from BlackBasta operator gg: $94,000 USD across five transactions (February-May 2024). [3]
Confirmed: OFAC specifically notes that Volosovik's hosting services supported sanctioned LockBit administrator Dmitry Khoroshev (aka LockBitSupp). This establishes a direct confirmed link between Yalishanda infrastructure and the LockBit RaaS operation at the administrator level. [6][7]
Confirmed: A REvil member posting under the handle "Unknown" (attributed to a prominent REvil operator by Analyst1) directly addressed Volosovik by his first name "Sasha" during a 2019 arbitration thread on XSS forum, demonstrating that Volosovik's real identity was known within top-tier Russian ransomware circles well before Western public exposure. [3]
State Nexus Assessment
Jurisdictional Separation
Assigned Tier: TOLERATED SAFE HARBOR (Tier 2 of 4)
Media Land/Yalishanda is assessed at Tier 2: Tolerated Safe Harbor. The Russian state is assessed to be aware of Media Land's operations and to refrain from enforcement or prosecution despite over a decade of public exposure. No evidence supports Tier 3 (active cooperation/tasking) or Tier 4 (direct state control).
Evidence Supporting Tier 2 Assessment
- Volosovik was publicly named by KrebsOnSecurity in July 2019 with full identifying information including passport scan. No Russian domestic law enforcement action followed in the subsequent six years.
- Media Land LLC has operated as a registered Russian legal entity since October 2015, filing required regulatory disclosures. Operating a criminal BPH service through a registered company is only viable if operators assess domestic prosecution risk as negligible.
- Krebs (2019) explicitly observed that "bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country." This assessment has been validated by Volosovik's continued at-large status through June 2026.
- The 2019 passport issuance via the Russian Embassy in Beijing confirms a continued legitimate documentation relationship with the Russian state through the height of Yalishanda activity.
Negative Evidence (Against Tier 3 or 4)
- No credible reporting from any Western intelligence service, vendor, or government body asserts direct GRU, FSB, or SVR tasking of Volosovik or Media Land.
- No documented state-directed targeting of Western government entities, military networks, or critical national infrastructure specifically attributable to Yalishanda-hosted actors (beyond general ransomware ecosystem hosting).
- The provider's criminal client base is broadly commercial (ransomware affiliates, fraud operators, IABs), inconsistent with state-directed operational infrastructure which typically serves more targeted purposes.
- OFAC designated Media Land under E.O. 13694 (cyber-enabled activities), not under any Russia-state-actor-specific sanctions framework, suggesting US government assessment does not place Media Land under direct state control.
Expected indicators if Tier 3/4 existed (and are absent): documented FSB handler relationships, targeting of government rather than commercial victims, evidence of intelligence-sharing between operator and state, or classified sourcing suggesting coordinated operations. None of these indicators are present in available reporting.
Law Enforcement and Regulatory Response
Arrests and Indictments
None. As of June 2026, no individual associated with Media Land/Yalishanda has been arrested, extradited, indicted, or charged in any jurisdiction. Volosovik, Zatolokin, Pankova, and Kozlov remain at large in Russia.
Sanctions Chronology
Server Seizures
None confirmed as of June 2026. Unlike ZServers (127 servers seized in Netherlands, February 2025), no physical server seizure or infrastructure takedown has been executed against Media Land. This is consistent with the infrastructure being located entirely within Russia, outside the jurisdictional reach of Western law enforcement.
Post-Sanctions Infrastructure Status
Confirmed: AS206728 remains active and advertising routes as of June 6, 2026 per Hurricane Electric BGP data. All 8 IPv4 prefixes and 2 IPv6 prefixes remain announced. No ASN deregistration, no route withdrawal, no documented client migration away from the platform confirmed in open sources.
Post-Disruption Client Migration
Analyst Inference: Sanctions reduce Media Land's ability to receive payments from clients using Western-facing exchange infrastructure and may deter clients who face secondary sanctions exposure from transacting with a designated provider. However, given the Russia-based operator network and primarily Russian/CIS client base, near-term operational disruption is expected to be limited. Clients can continue transacting in cryptocurrency via peer-to-peer channels, Russian exchanges, and non-KYC services outside OFAC jurisdiction.
Five Eyes Joint Guidance
On November 19, 2025, CISA (coordinating with US, UK, Australian, Canadian, and New Zealand cyber agencies) released joint guidance titled "Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers." The guidance advised ISPs to implement high-confidence malicious resource block lists, conduct regular traffic analysis, and establish know-your-customer verification for new clients. The timing alongside Media Land sanctions confirms BPH providers were the primary target of the joint guidance release. [6][8]
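The block-list and traffic-analysis advice above, applied to this provider as an added example (not code from the guidance or from any cited source): it matches flow records against the AS206728 prefixes listed in this report and totals bytes per internal host. The log format, sample records, and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# AS206728 prefixes as listed in this report (IPv4 and IPv6).
MEDIALAND_PREFIXES = [ipaddress.ip_network(p) for p in (
    "45.141.84.0/24", "45.141.85.0/24", "45.141.86.0/24", "45.141.87.0/24",
    "91.220.163.0/24", "193.242.153.0/24", "194.26.29.0/24", "194.26.69.0/24",
    "2a0b:7ec0:1320::/48", "2a0b:7ec0:7701::/48",
)]

# Constructed sample flow records: "timestamp src dst dport bytes".
SAMPLE_FLOWS = """\
2026-06-01T10:00:01Z 10.0.4.17 45.141.84.10 443 1820
2026-06-01T10:00:05Z 10.0.4.17 198.51.100.7 443 900
2026-06-01T10:01:12Z 10.0.9.3 194.26.29.200 8080 51200
2026-06-01T10:02:40Z 10.0.9.3 not-an-ip 53 60
2026-06-01T10:03:02Z fd00::15 2a0b:7ec0:1320::beef 443 4096
2026-06-01T10:04:00Z 45.141.87.9 10.0.2.2 22 300
2026-06-01T10:05:00Z 10.0.4.17 45.141.88.1 443 700
"""

def match_prefix(addr):
    """Return the listed network containing addr, or None (also for bad input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in MEDIALAND_PREFIXES if ip in net), None)

def scan_flows(text):
    """Return one hit per flow that has an endpoint inside a listed prefix."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records instead of failing the scan
        ts, src, dst, dport, nbytes = fields
        # dst listed -> outbound from our host; src listed -> inbound to it.
        for direction, host, remote in (("outbound", src, dst), ("inbound", dst, src)):
            net = match_prefix(remote)
            if net is not None:
                hits.append({"ts": ts, "direction": direction, "host": host,
                             "remote": remote, "prefix": str(net), "bytes": int(nbytes)})
    return hits

def bytes_by_host(hits):
    """Total bytes exchanged with listed prefixes, keyed by internal host."""
    totals = defaultdict(int)
    for h in hits:
        totals[h["host"]] += h["bytes"]
    return dict(totals)
```
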
Connected Groups and Ecosystem Relationships
All connected entity claims carry two-tier confidence assessed independently: Tier 1 (infrastructure relationship: did Media Land host their infrastructure?) and Tier 2 (operational relationship: did Media Land operators know the client's identity and coordinate operationally?). These are analytically distinct claims.
Trajectory Assessment
Infrastructure Churn
Confirmed: AS206728 (MEDIALAND-AS) remains fully active as of June 6, 2026 per Hurricane Electric BGP data, with all 8 IPv4 prefixes and 2 IPv6 prefixes announced. No AS deregistration, prefix withdrawal, or transit provider change has been documented post-sanctions. Unlike Aeza Group, which immediately began a rebranding and entity restructuring strategy after its July 2025 designation, no analogous reconstitution activity has been confirmed for Media Land as of this writing. This may reflect greater operator confidence in Russian territorial protection or a deliberate assessment that the infrastructure itself is not at seizure risk.
Market Position
Media Land/Yalishanda occupies the top tier of the Russian BPH market by longevity, documented client base quality (flagship-tier ransomware operators), and the unusual distinction of owning physical data center hardware (DC Kirishi). KrebsOnSecurity's 2019 characterization of Yalishanda as potentially the "world's biggest bulletproof hoster," while likely an overstatement, reflects genuine scale. The provider has sustained operations through multiple exposure events (Krebs 2019 identification, BlackBasta and internal data leaks 2025) without operational interruption, demonstrating resilience that reflects the Russian legal operating environment rather than technical hardening.
Disruption History Assessment
Disruption record through June 2026: zero arrests, zero server seizures, zero successful de-peering actions. The November 2025 sanctions constitute the first formal Western government action against Media Land after 15+ years of documented criminal activity. No Russian domestic action has occurred. This track record, combined with wholly Russia-based infrastructure, suggests that sanctions represent the primary available lever and that physical disruption is not achievable under current conditions.
Trajectory Direction: DEGRADED / STABLE
Assessed trajectory is degraded but stable. Sanctions impose meaningful financial friction (blocked Western payment rails, secondary sanctions risk for clients, SDN-listed Bitcoin address) but do not impair the underlying technical infrastructure. As long as Volosovik and Zatolokin remain at large in Russia, the operator-owned DC Kirishi hardware remains operational, and Russian clients continue to pay in cryptocurrency outside OFAC jurisdiction, core functionality persists. Potential disruptive catalysts include Russian domestic prosecution (assessed low probability), operator-level defection or internal disruption, or loss of key upstream peers forcing routing changes.
Mandatory Intelligence Gaps
Whether Media Land has experienced meaningful client attrition, pricing changes, or capacity reduction following the November 2025 sanctions is unknown. Internal data postdating the March 2025 leak is not available in open sources.
No confirmed post-sanctions ASN registrations or new entity registrations by Volosovik or associates have been documented, unlike Aeza Group's documented evasion strategy. This gap should be monitored via RIPE NCC WHOIS and the Russian corporate registry.
The March 2025 Media Land internal data leak is understood to be comprehensive, but full analysis has not been publicly published. The complete client list beyond the named ransomware groups is unknown in open sources.
OFAC designations establish legal status but do not specify job titles, reporting relationships, or operational responsibilities for Pankova (legal/financial) and Kozlov (associated). Understanding whether Kozlov holds a technical infrastructure role (e.g., DC Kirishi management) would refine the operational succession picture.
Assessed as St. Petersburg, Russia, based on Media Land LLC registration address and Intel 471 2018 relocation reporting. No post-2019 confirmed location information in open sources.
Specific exchanges, OTC desks, or money services businesses used by Media Land for cryptocurrency cash-out are not identified in open sources (contrast: ZServers cash-out via Garantex is confirmed). This represents a key financial intelligence gap for tracing proceeds.