The Hidden Backbone of a Ransomware Operation

The leaks tied to the BlackBasta ransomware group and Russian hosting company Media Land pulled back the curtain on something defenders rarely get to see: the internal machinery and people behind a major ransomware operation.

In February 2025, an unknown individual using the handle ExploitWhispers appeared on Telegram and published a massive archive of BlackBasta’s internal chats from the Matrix messenger.

The dump, released as a JSON file, contained around 200,000 messages exchanged between September 18, 2023, and September 28, 2024.

Inside were not only technical discussions and operational details, but also real names, including one that would later surface on sanctions lists: Kirill Zatolokin, better known in the underground as “Slim Shady.”

The impact of the first leak was immediate. Accusations flew, actors were exposed, and factions within the ecosystem began pointing fingers.

Then, on March 28, 2025, a second blow landed. Another anonymous actor leaked a database linked to Media Land, revealing internal records such as server configurations, client purchase histories, user account data, and cryptocurrency addresses tied to the company’s operations.

How the Breach Happened

On paper, Media Land was a “legitimate” Russian hosting provider. In practice, the leaked data confirmed what many in the underground already suspected: Media Land was tightly intertwined with the long‑running bulletproof hosting (BPH) service Yalishanda, a core infrastructure supplier to cybercriminals since roughly 2009.

That raised a key question for investigators and regulators alike: why would a registered Russian business be so deeply embedded in cybercrime infrastructure? The answer was simple and telling: that was its real business model.

The leaks showed that BlackBasta relied heavily on Media Land/Yalishanda as the backbone of its operations.

From dedicated servers and bandwidth to support and abuse resistance, Media Land functioned as a premium, high‑touch provider for one of the most active ransomware syndicates operating at the time.

Internal chats showed “Slim Shady” (Zatolokin) acting as a bridge between BlackBasta and the hosting infrastructure, sharing speed tests, discussing bandwidth usage in the tens of Gbps, and negotiating higher payments as BlackBasta’s demands grew.

This convergence of evidence created an opening for regulators. On November 19, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), working with authorities in Australia and the United Kingdom, announced sanctions against Media Land and its subsidiary Data Center Kirishi.

A Yalishanda actor responded directly to a service complaint filed by a user, offering insight into how the organization handled customer support (Source: Analyst1).

Two individuals were named: Aleksandr Volosovik, Media Land’s general director and long‑time operator of Yalishanda, and Kirill Zatolokin, sanctioned for his direct role in supporting cybercrime infrastructure and ransomware operations.

The story behind these names underscores how deeply personal, even messy, the cybercrime ecosystem can be.

Law Enforcement Blind Spots

Volosovik, first publicly identified in 2019 reporting as the primary operator of Yalishanda, spent years running bulletproof hosting that catered to malware operators, ransomware affiliates, and initial access brokers.

Zatolokin, who once posted job ads looking for work in China, eventually surfaced as a customer‑facing operator and infrastructure coordinator under the “Slim Shady” alias, managing clients, resolving performance issues, and quietly keeping criminal infrastructure online.

The actor gg shared a message from Slim Shady with fellow operator lapa, showing the results of a speed test performed from Media Land’s infrastructure (Source: Analyst1).

The leaks also exposed the financial plumbing behind the scenes. Chat logs and transaction trails show how BlackBasta operators moved funds from ransomware payments through laundering pipelines, shifted value into stablecoins such as USDT, and used those cleaned assets to pay for infrastructure, SOCKS proxies, and staff salaries.

Payments traced to lapa, an infrastructure handler working with BlackBasta, highlight how roles like proxy procurement and server management are funded as part of a structured, repeatable operation, not as one‑off, ad hoc deals.

Taken together, the BlackBasta chats and Media Land database form a rare blueprint of how a modern Russian‑speaking ransomware operation functions end‑to‑end.

They reveal a tightly connected web of “legit” fronts, bulletproof hosting, high‑volume bandwidth deals, and trusted intermediaries who sit between criminal groups and the infrastructure that keeps them running.

Sanctions, exposure, and leaks will not instantly dismantle this ecosystem. Actors like Volosovik and Zatolokin can rotate domains, swap wallets, and adopt new handles.

However, these disclosures give defenders, analysts, and law enforcement something enormously valuable: concrete names, infrastructure patterns, and financial flows that can be tracked, correlated, and disrupted over time.
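In practice, turning a dump like this into trackable indicators starts with a triage pass over the raw export. The script below is an added example written for this article, not code from the article, from Analyst1 or from any other researcher cited here. It assumes the chat export is a JSON list of objects with `timestamp`, `sender` and `text` fields (the real dump's schema is not described on this page) and runs over a few constructed messages with Matrix-style placeholder sender IDs. It pulls out IPv4 addresses and Base58Check wallet addresses (Bitcoin, and TRON, the chain TRC‑20 USDT moves on), verifying each wallet candidate's double‑SHA‑256 checksum so that a mistyped or truncated string is not recorded as an indicator. The two valid addresses in the sample are publicly known reference addresses (the Bitcoin genesis address and the TRC‑20 USDT contract), used only as checksum test vectors.

```python
"""Triage a leaked chat export: timeline, per-sender volume, validated wallet and IP indicators.

Added example with an ASSUMED schema (list of {"timestamp", "sender", "text"}) and CONSTRUCTED
messages; none of the text below is from the actual leak.
"""
import hashlib
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime

SAMPLE_DUMP = json.dumps([  # constructed sample, placeholder senders
    {"timestamp": "2023-09-18T10:04:00Z", "sender": "@actor1:example.org",
     "text": "speedtest from the new box: 9.8 Gbps down, 9.6 up, host 203.0.113.7"},
    {"timestamp": "2024-03-02T17:31:00Z", "sender": "@actor2:example.org",
     "text": "send the usdt for the proxies to TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t"},
    {"timestamp": "2024-03-02T17:33:00Z", "sender": "@actor3:example.org",
     "text": "btc for servers: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, typo'd one 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"},
    {"timestamp": "2024-09-28T23:59:00Z", "sender": "@actor2:example.org",
     "text": "new relay 198.51.100.23 is up, old 999.1.1.1 was a typo"},
])

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version byte of the decoded payload -> address family.
ADDRESS_VERSIONS = {0x00: "btc-p2pkh", 0x05: "btc-p2sh", 0x41: "tron"}
WALLET_CANDIDATE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{25,35}\b")
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def b58check_decode(s):
    """Return version+body bytes if s is valid Base58Check (4-byte double-SHA-256 checksum), else None."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer form loses.
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def classify_address(candidate):
    """Return 'btc-p2pkh', 'btc-p2sh' or 'tron' for a checksum-valid 21-byte payload, else None."""
    payload = b58check_decode(candidate)
    if payload is None or len(payload) != 21:
        return None
    return ADDRESS_VERSIONS.get(payload[0])


def triage(dump_json):
    """Build a report: message count, date range, per-sender counts, validated wallets and IPs."""
    messages = json.loads(dump_json)
    timestamps = []
    per_sender = Counter()
    wallets, ips, rejected = {}, {}, 0
    for m in messages:
        ts = datetime.fromisoformat(m["timestamp"].replace("Z", "+00:00"))
        timestamps.append(ts)
        per_sender[m["sender"]] += 1
        for cand in WALLET_CANDIDATE.findall(m["text"]):
            kind = classify_address(cand)
            if kind is None:
                rejected += 1  # bad checksum or unknown version: not an indicator
                continue
            wallets.setdefault(cand, {"kind": kind, "sender": m["sender"], "first_seen": ts.isoformat()})
        for cand in IPV4_CANDIDATE.findall(m["text"]):
            try:
                ip = str(ipaddress.ip_address(cand))
            except ValueError:
                continue  # e.g. an octet > 255
            ips.setdefault(ip, {"sender": m["sender"], "first_seen": ts.isoformat()})
    return {
        "messages": len(messages),
        "first": min(timestamps).isoformat() if timestamps else None,
        "last": max(timestamps).isoformat() if timestamps else None,
        "per_sender": dict(per_sender),
        "wallets": wallets,
        "ips": ips,
        "rejected_wallet_candidates": rejected,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
```

The checksum step matters more than it looks: a regex alone will happily emit every long alphanumeric token in 200,000 messages as a "wallet", and a single transposed character turns a real address into noise that pollutes any later blockchain correlation. The same pattern extends to other address families by adding their version bytes to `ADDRESS_VERSIONS`.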

If ransomware is the business, infrastructure is the backbone. These leaks show exactly where that backbone connects and where pressure can be applied next.
