The UK’s National Crime Agency (NCA), working with international law enforcement agencies, has exposed and sanctioned Alexander Volosovik, also known online as “Yalishanda,” for running a long-standing bulletproof hosting operation that has supported major cybercrime and ransomware groups like LockBit, Evil Corp and BlackBasta.
Volosovik operated under the names Media Land LLC and ML.Cloud LLC, both based in Russia. According to the NCA, his infrastructure gave ransomware gangs and malware operators the tools to carry out cyber attacks that caused serious damage to organisations around the world, from financial losses to disrupted operations.
Bulletproof hosting providers play a behind-the-scenes role in the cybercrime economy. They offer hosting that ignores abuse complaints, hides user identities, and actively resists takedowns by law enforcement. This makes them a valuable service for cybercriminals who want to operate with less risk of being stopped.
The UK’s Foreign, Commonwealth and Development Office (FCDO) announced sanctions against Volosovik and three of his associates. This move was coordinated with similar actions from the US Treasury’s OFAC and Australia’s Department of Foreign Affairs and Trade.
The NCA said the action is part of a broader strategy to target support services that make cybercrime easier and more scalable. While ransomware operators often get the headlines, operations like Volosovik’s are what keep those attacks running behind the scenes.
To support the sanctions, the NCA and its Five Eyes partners (Australia, Canada, New Zealand, the US and the UK) have issued alerts to industry warning about the risks tied to bulletproof hosting services like Media Land and AEZA, another Russia-based bulletproof web hosting service.
Ransomware continues to be one of the most damaging forms of cybercrime. Victims in the UK and globally have included sectors like telecoms, finance and critical infrastructure. Hosting services that give safe infrastructure to ransomware groups make it harder for authorities to stop attacks before they spread.
Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, said services like Media Land allow cybercriminals to launch and monetise attacks with confidence. He added that today’s coordinated action is designed to weaken that digital shield.
Dutch Police Seize 250 Servers in Bulletproof Hosting Crackdown
While the NCA says it will continue working with international allies to disrupt these operations and stop sanctioned services from abusing infrastructure within the UK, in a separate operation in the Netherlands, authorities seized around 250 physical servers used by an unknown bulletproof hosting provider that had been active since 2022 and linked to more than 80 cybercrime investigations
According to the Dutch Police’s press release, the service offered anonymous VPS and RDP access without identity verification or logs, which made it a go‑to platform for ransomware actors, phishing networks and malware operations.
Investigators now have access to the hardware and thousands of virtual servers taken offline, giving them a rare window into how back‑end infrastructure supports large‑scale cybercrime.