Media Land LLC / Yalishanda
Russia-based bulletproof hosting provider // St. Petersburg, Russia | Active since 2009 | AS206728 (MEDIALAND-AS) | Sanctioned Nov 19, 2025
Status: Degraded

Executive Summary and Provider Overview

Sanctioned Operators: Escalated Module
Aleksandr Alexandrovich Volosovik
General Director / Principal Operator (OFAC, UK FCDO, AU DFAT)
DOB: 30 January 1983, Brovary, Kyiv Oblast, Ukraine
Citizenship: Russian Federation
Location: St. Petersburg, Russia (assessed; not arrested)
Handles: Yalishanda, Downlow, Stas_vl
Email: stas_vl@mail.ru
BTC (OFAC): 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB
OFAC CYBER3 · UK FCDO · AU DFAT, Nov 19, 2025
Kirill Andreevich Zatolokin
Operations / Customer Support Lead (OFAC, UK FCDO, AU DFAT)
DOB: 30 April 1992, Vladivostok, Russia
Location: Russia (assessed; not arrested)
Handles: Slim Shady
Telegram: @ohyehhellno
Email: der_fan@mail.ru; sseeaawind@gmail.com
OFAC CYBER3 · UK FCDO · AU DFAT, Nov 19, 2025
Yulia Vladimirovna Pankova
Legal and Financial Associate (OFAC, UK FCDO)
DOB: Unknown
Location: Russia (assessed; not arrested)
Role: Assisted Volosovik with legal issues; handled his personal finances
OFAC CYBER3 · UK FCDO, Nov 19, 2025
Andrei Valerevich Kozlov
Associated Individual (OFAC, UK FCDO)
DOB: Unknown
Location: Russia (assessed; not arrested)
Role: Employed by or associated with Media Land LLC; exact function not publicly specified
OFAC CYBER3 · UK FCDO, Nov 19, 2025
Operational Status: Degraded
Primary ASN: AS206728
Active Since (Yalishanda): ~2009
IPs in AS (v4): ~2,048
Individuals / Entities Sanctioned: 4 / 4
Sanctioning Authorities: 3
On-Chain Volume (TRM): $2M+
Spamhaus / Blocklist: Listed

Quick-Reference Attributes

Common Names: Media Land LLC; Yalishanda; Abushost; ML.Cloud LLC; Media Land Technology; Data Center Kirishi; real-hosting[.]biz (historic)
Node Type: Bulletproof Hosting Provider
Status: Degraded; AS206728 active as of June 2026; sanctions imposed November 19, 2025; no physical seizure confirmed
PRODAFT Designation: LARVA-34
Entity Registration Jurisdiction: Russia: Media Land LLC registered St. Petersburg, October 2015; Data Center Kirishi registered Leningrad Oblast, July 2022; ML Cloud and Media Land Technology also Russia-registered
Infrastructure Hosting Jurisdiction: Russia: St. Petersburg (primary); Data Center Kirishi, Kirishi, Leningrad Oblast (own physical DC per Zatolokin/Analyst1)
Assessed Operator Location: Russia: St. Petersburg (Volosovik, assessed; relocated from Vladivostok approximately 2018 per Intel 471/Krebs)
Active Period (Yalishanda brand): ~2009 to present (approximately 15+ years confirmed active)
Active Period (Media Land LLC): October 2015 to present (registered entity)
Primary ASN: AS206728: MEDIALAND-AS (RIPE, registered 2016-11-17; active as of June 6, 2026)
Secondary ASN: AS211805: Media Land LLC (RIPE; additional AS per IPinfo data)
IPv4 Prefixes (AS206728): 45.141.84.0/24 (ML Cloud); 45.141.85.0/24 (Media Land); 45.141.86.0/24 (ML Cloud); 45.141.87.0/24; 91.220.163.0/24 (Media Land); 193.242.153.0/24; 194.26.29.0/24 (Media Land); 194.26.69.0/24 (Media Land)
IPv6 Prefixes: 2a0b:7ec0:1320::/48; 2a0b:7ec0:7701::/48
Upstream / BGP Peers: AS49531 (NetCom-R LLC, Russia); AS20632 (MegaFon, Russia); AS202799 (SYSECT D.O.O., Montenegro); AS51538 (Lavrentyev Aleksandr Arkadievich, Russia); historical RIPE IRR: AS3216 (Vimpelcom/Beeline), AS9049 (ERTH Corporation JSC)
RIPE Maintainers: mnt-ru-media-land-1; media-land-llc; NETWORK-SUPPORT-MNT; RIPE-NCC-END-MNT
Abuse Contact: Not publicly disclosed in RIPE WHOIS (personal data removed per RIPE GDPR policy)
Confirmed Ransomware Clients: LockBit, BlackBasta, BlackSuit, Play, Evil Corp (CONFIRMED per OFAC/UK FCDO); MedusaLocker (CREDIBLE per TRM Labs)
Bitcoin Address (OFAC): 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB (designated, Volosovik)
Blocklist Status: Spamhaus SBL/CBL: Confirmed listed (2019 community references, ongoing); DROP/EDROP: Probable; abuse.ch: Probable; specific current entry IDs not confirmed via open sources
Sanctions: OFAC CYBER3 (E.O. 13694 as amended); UK FCDO Cyber Sanctions; AU DFAT: all November 19, 2025
State Nexus Tier: Tolerated Safe Harbor (Tier 2 of 4)

Overall Assessment

Media Land LLC, operating under the long-standing underground brand "Yalishanda," is one of the most documented and longest-running Russian bulletproof hosting (BPH) providers in the threat landscape, with confirmed activity spanning approximately 2009 to present. Its principal, Aleksandr Alexandrovich Volosovik (DOB January 30, 1983), was publicly identified by name in a KrebsOnSecurity investigation in July 2019 and formally sanctioned alongside three associates and four corporate entities by the United States, United Kingdom, and Australia on November 19, 2025.

The provider's infrastructure is consolidated under AS206728 (MEDIALAND-AS) and a secondary AS211805, hosting approximately 2,048 IPv4 addresses in eight /24 prefixes. Its wholly-owned subsidiary Data Center Kirishi, registered in Kirishi (Leningrad Oblast) in July 2022, is assessed to represent an owned physical data center rather than leased rack space, making Media Land one of few Russian BPH operators with confirmed on-premises hardware. Zatolokin confirmed as much in direct communications with BlackBasta client contact "gg": "This is all our own: our own data center, our own hardware."

Forensic corroboration comes from two converging leak events: the February 2025 BlackBasta internal chat leak (ExploitWhispers) and the March 28, 2025 leak of Media Land's own internal database. Analyst1's "Infrastructure in the Shadows" report (January 2026) links these datasets to map BlackBasta's 200-server deployment on Media Land infrastructure, consuming 17-20 Gbps bandwidth, and traces $94,000 USDT in salary payments from BlackBasta operator "gg" to Media Land infrastructure staffer "lapa." TRM Labs independently traced over $2 million in on-chain volume across Yalishanda/Abushost-linked addresses, with flow intersections across BlackSuit, BlackBasta, LockBit, and MedusaLocker.

Post-sanctions, AS206728 remains active per BGP data as of June 6, 2026. No arrests have been made, no servers have been seized, and no confirmed rebranding or infrastructure migration has been publicly documented. The operational status is assessed as Degraded: sanctions reduce the provider's access to Western payment rails and may impair client confidence, but the underlying infrastructure and operator network remain intact.

Lineage and Organizational Heritage

Entity and Brand Timeline

Brand / Entity | Type | Role | Period | Confidence
Yalishanda | Underground brand / persona | Primary criminal trading name; used on Exploit, XSS, and predecessor forums to advertise BPH services | ~2009 to present | Confirmed
real-hosting[.]biz | Early BPH domain | Service advertised circa 2011 under Yalishanda persona; accepted botnets, malware, adware, exploits, IRC | ~2011 | Confirmed
abushost[.]ru / Abushost | Long-lived BPH brand/domain | One of Yalishanda's most durable service brand names; advertised on Exploit[.]in and XSS[.]pro alongside associate "podzemniy1" per TRM Labs | ~2015 onward | Confirmed
Media Land LLC (ООО Медиа Лэнд) | Russian LLC (OOO) | Legitimate-appearing legal entity registered to provide surface-level credibility; used to sign contracts, lease IP ranges, and employ staff; 100% owned by Volosovik | Registered October 2015 to present | Confirmed
ML Cloud LLC (ML.Cloud) | Russian LLC | Sister company; technical infrastructure used in conjunction with Media Land in ransomware and DDoS operations; co-operated by Volosovik and Zatolokin per AU Government | Active (dates not confirmed) | Confirmed
Media Land Technology (MLT) | Russian LLC (100% subsidiary) | Wholly owned subsidiary of Media Land LLC; described by OFAC as subsidiary; likely used as infrastructure or services wrapper | Active (dates not confirmed) | Confirmed
Data Center Kirishi (DC Kirishi) | Russian LLC (100% subsidiary) | Wholly owned subsidiary of Media Land LLC registered July 2022; confirmed own physical data center in Kirishi, Leningrad Oblast; provides own hardware to VIP clients | Registered July 2022 to present | Confirmed
AS206728 (MEDIALAND-AS) | Autonomous System, RIPE | Primary network backbone for Media Land; registered November 2016; currently 8 IPv4 prefixes / 2,048 IPs | Registered Nov 17, 2016; active | Confirmed

Predecessor Lineage and Early History

Yalishanda's criminal activity is confirmed from approximately 2009 and assessed to extend back to the late 2000s. KrebsOnSecurity first encountered the persona in 2010 in connection with "Fizot," a botnet anonymization service using TDSS-infected Windows machines. A 2010 domain registration for mo0be-world[.]com linked to email address stas_vl@mail.ru and the name Aleksandr Volosovyk provided the first documented link between the criminal persona and a real identity. [1]

By 2011 Yalishanda was actively advertising under real-hosting[.]biz, offering hosting for botnets (Zeus), malware, adware, exploits, pharma, and IRC. He subsequently rebranded services through multiple iterations, with abushost[.]ru becoming a particularly durable brand. Intel 471 and Cisco researchers identified Yalishanda as a "top tier" BPH provider in a Black Hat 2017 talk, noting that in a single 90-day period in 2017 his infrastructure hosted Dridex, Zeus, and multiple ransomware families. By this point Yalishanda had relocated from Vladivostok to St. Petersburg (approximately 2018 per Intel 471), registered Media Land LLC in October 2015, and was professionalizing operations by employing staff under the legitimate company structure. [1][7]

Evidentiary Pillars

Identity Confirmation: Multiple Corroborating Sources

Confirmed: Volosovik's identity as Yalishanda is established through: (1) 2010 domain registration linking stas_vl@mail.ru to Aleksandr Volosovyk; (2) 2010 passport scan submitted to ChronoPay payment processor confirming full name, DOB, birthplace; (3) Rusprofile.ru business registry listing Volosovik as director of Media Land LLC (St. Petersburg); (4) OFAC/UK FCDO/AU DFAT formal designation November 2025; (5) REvil forum member "Unknown" referring to Volosovik by first name "Sasha" in a 2019 arbitration thread on XSS forum. [1][3][7]

Leak Validation: Media Land Internal Data March 2025

Confirmed: On March 28, 2025, an unknown actor leaked Media Land's internal database containing server configurations, client purchase history, user account data, and cryptocurrency addresses. Volosovik acknowledged the breach on a hacking forum, validating the authenticity of the leaked material. PRODAFT (designating the provider LARVA-34) assessed the leak as providing rare high-value insight into criminal infrastructure. [4][5]

Operator Profiles

2.1 Aleksandr Alexandrovich Volosovik: Principal Operator

Full Name: Aleksandr Alexandrovich Volosovik (Александр Александрович Волосовик)
Date of Birth: 30 January 1983
Place of Birth: Brovary, Kyiv Oblast, Ukraine (confirmed via passport; assessed to have relocated to Russia as a child, before 1990)
Citizenship: Russian Federation
Handle History: Yalishanda (primary; Mandarin for "Alexander"); Downlow; Stas_vl; associated domain stas_vl@mail.ru
Education: School No. 80, Vladivostok (1990-2000); Far Eastern State Technical University (ДВГТУ), Institute of Mechanics, Automation and Advanced Technologies, specializing in Automated Production Systems in Mechanical Engineering: graduated 2005
Geography: Brovary, Ukraine (birth); Vladivostok, Russia (school/university); Beijing, China (documented period, passport issued by Russian Embassy Beijing); St. Petersburg, Russia (current, relocated approximately 2018)
Criminal Onset: Approximately 2009 (confirmed criminal activity); late 2000s assessed (Krebs: "decade already" as of 2019)
Assessed Location: St. Petersburg, Russia (assessed; confirmed registered director of St. Petersburg entity; not arrested)
Legal Status: At large; no arrest, indictment, or criminal charges; sanctioned by OFAC, UK FCDO, AU DFAT November 19, 2025
OFAC Designation Basis: E.O. 13694 (as amended by E.O. 13757, 14144, 14306) for cyber-enabled activities reasonably likely to result in a threat to US national security, foreign policy, or economic health
Sanctioned BTC Address: 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB

2.2 Kirill Andreevich Zatolokin: Operations / Customer Support Lead

Full Name: Kirill Andreevich Zatolokin (Кирилл Андреевич Затолокин)
Date of Birth: 30 April 1992
Origin: Vladivostok, Russia: graduated School No. 23 (МОУ СОШ 23), Vladivostok, 2009
Education: Beijing Institute of Fashion Technology, enrolled 2009; documented physically present in Beijing at least through 2014
Handle: Slim Shady
Contact: Telegram @ohyehhellno (operational contact for Yalishanda clients, observed from at least November 2018)
Known Emails: der_fan@mail.ru; sseeaawind@gmail.com
Operational Role: Responsible for collecting payment from customers; coordinating with cyber actors; primary customer support interface for Yalishanda services; direct liaison to BlackBasta (via gg) per leaked chats
Connection to Volosovik: Both from Vladivostok; both spent time in Beijing: assessed to have met in Beijing, no earlier than May 2014 per Analyst1
Legal Status: At large; sanctioned OFAC/UK FCDO/AU DFAT November 19, 2025

2.3 Yulia Vladimirovna Pankova

Full Name: Yulia Vladimirovna Pankova
DOB / Location: Unknown
Assessed Role: Legal and financial associate to Volosovik; described by OFAC as having assisted Volosovik with legal issues and having handled his personal finances
Relationship to Volosovik: Personal relationship confirmed via OFAC photo release (Figure 2, sb0319)
Legal Status: At large; sanctioned OFAC/UK FCDO November 19, 2025 as having materially assisted Volosovik

2.4 Andrei Valerevich Kozlov

Full Name: Andrei Valerevich Kozlov
DOB / Location: Unknown
Assessed Role: Employed by or associated with Media Land LLC; OFAC does not specify function; grouping with MLT/DC Kirishi entities in sanctions documentation suggests possible management role in subsidiary operations
Legal Status: At large; sanctioned OFAC/UK FCDO November 19, 2025

2.5 "lapa": Infrastructure Staff (Alias Only)

Handle: lapa
Real Identity: Not published: anonymous source behind BlackBasta leak suggested an identity; Analyst1 declined to publish pending LE confirmation
Role: Managed key parts of BlackBasta's infrastructure; procured SOCKS proxies for BlackBasta operations; received salary payments from BlackBasta operator gg totaling $94,000 USDT
USDT Address: 0xa0A7d2C6b288927cf73a5cf59970373262ea73c6 (received payments from gg at 0xB54c17E5ea215f45A61E8790cf546AD175Af2Cf0)
Legal Status: Not sanctioned; identity not publicly confirmed by LE

Disputed Assessments

No vendor disputes the attribution of Yalishanda to Volosovik or the linkage between Yalishanda and Media Land LLC. The primary open question is the precise functional role of Kozlov and the corporate function of Media Land Technology; OFAC's designation basis (ownership by Media Land LLC) is clear but Kozlov's specific job title or seniority is not in the public record. Pankova's personal relationship to Volosovik is inferred from the OFAC photo release but not explicitly stated in the sanctions text.

Operational and Business Model

Service Model

Media Land/Yalishanda operated as a full-stack bulletproof hosting provider delivering servers, IP addresses, SOCKS proxies, and DDoS-resistant hosting to cybercriminal clients. The provider's core value proposition is identical to that of other Russian BPH operators but distinguished by longevity, owned physical infrastructure, and the ability to accommodate VIP-scale deployments. Key service components: dedicated servers from owned DC, virtual servers, SOCKS proxy services, and technical troubleshooting. The provider's own-hardware DC, marketed as superior to "public" hosting where networks are "simply rented," was used as a competitive differentiator with high-value clients. [3][4]

Total non-cooperation with law enforcement and abuse reporters is the explicit and advertised posture. Forum advertising explicitly names Spamhaus as an ignored organization. [1][3]

Verbatim Advertising Copy

Yalishanda underground forum advertisement: Exploit forum, 2011 (KrebsOnSecurity, 2019)
"Based in Asia and Europe. It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc. Passive SPAM is allowed... Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks). There is a server with instant activation under botnets (zeus) and so on."
Slim Shady (Zatolokin): direct message to BlackBasta operator gg, leaked July 2024
"RU. These are servers from a private data center, not public ones like many others use, where networks are simply rented. This is all our own: our own data center, our own hardware, etc. If you take volume, we can also deploy in Europe, if needed."
Yalishanda: arbitration response to user "Loadbaks" complaint, underground forum, August 27, 2020
[Refunded $222.89 BTC with transaction hash 27b2d61d5c0c3c2b2d66fcd5b48be459a7d3a417cb84e3b41f76ad327c4e63a4 without additional comment. Described by Analyst1 as "cold blockchain receipt" followed by implied "now shut up."]

Onboarding and Client Tiers

Forum-based advertising on Exploit[.]in, XSS[.]pro, and predecessor platforms constitutes the primary acquisition channel. Customer support was handled via Telegram (@ohyehhellno, Zatolokin) and Jabber contacts, both consistently listed in advertising posts. No invitation-only or referral requirement documented in open sources.

A two-tier client structure is evident from leak data: standard clients interacted with customer support via forum-advertised channels; VIP clients such as BlackBasta had direct relationships with Zatolokin for custom deployments, bandwidth negotiations, and capacity planning. VIP status provided access to owned DC hardware, custom bandwidth agreements, and dedicated account management. [3]

Pricing (Partial)

Full price list not confirmed in open sources. From BlackBasta leaked chat context (Analyst1): standard plan included 20 Gbps bandwidth per 100 servers; overage priced at $4,000 per additional 10 Gbps. A 200-server BlackBasta deployment consuming 17-20 Gbps was flagged as unsustainable at existing pricing. Cryptocurrency-only payment. [3]

Abuse-Handling and LE Posture

Total non-cooperation is the confirmed and advertised posture, including explicit naming of Spamhaus as ignored. No documented instance of Media Land/Yalishanda responding to abuse complaints or cooperating with law enforcement requests over 15+ years of operation. The 2020 arbitration refund incident is the only documented instance of customer dispute resolution, and even that was conducted through a bare transactional response with no acknowledgment. [1][3]

OPSEC

Volosovik registered Media Land LLC as a legitimate Russian entity to provide surface-level commercial legitimacy, enabling contract signing, IP leasing, and employment of staff. The corporate structure creates a legal separation between the Yalishanda underground brand and a nominally registered company. Volosovik's VKontakte and Odnoklassniki profiles used partial real-name attribution, suggesting confidence in the Russian legal operating environment rather than technical OPSEC discipline. Staff (Zatolokin, lapa) operated under pseudonyms while the principal's identity was quasi-public in underground circles for at least a decade before formal sanctions.

Technical Capabilities and Infrastructure Footprint

Autonomous System

ASN | Name | RIR | Country | Registered | Status
AS206728 | MEDIALAND-AS | RIPE | Russian Federation | 2016-11-17 | Active (June 6, 2026)
AS211805 | Media Land LLC | RIPE | Russian Federation | Unknown | Active (IPinfo data)

IPv4 Prefix Table (AS206728)

Prefix | Registered Description | RPKI | IRR
45.141.84.0/24 | ML Cloud LLC | Valid | Valid
45.141.85.0/24 | Media Land LLC | Valid | Valid
45.141.86.0/24 | ML Cloud LLC | Valid | Valid
45.141.87.0/24 | Grisha Maslinikov | Valid | Valid
91.220.163.0/24 | Media Land LLC | Valid | Valid
193.242.153.0/24 | IT Outsourcing LLC | No ROA | Valid
194.26.29.0/24 | Media Land LLC | Valid | Valid
194.26.69.0/24 | Media Land LLC | Valid | Valid

IPv6 Prefixes (AS206728)

Prefix | Registered Description | RPKI
2a0b:7ec0:1320::/48 | Media Land LLC | Valid
2a0b:7ec0:7701::/48 | Media Land LLC | Valid

Upstream Transit Chain

AS206728 current BGP peers observed (Hurricane Electric BGP Toolkit, June 6, 2026):

Peer ASN | Entity | Country | Role
AS49531 | NetCom-R LLC | Russian Federation | IPv4 and IPv6 upstream peer
AS20632 | PJSC MegaFon | Russian Federation | IPv4 upstream peer (major Russian carrier)
AS202799 | SYSECT D.O.O. | Montenegro | IPv4 upstream peer
AS51538 | Lavrentyev Aleksandr Arkadievich | Russian Federation | IPv4 upstream peer

Historical RIPE IRR records show import/export relationships with AS3216 (Vimpelcom/Beeline, major Russian tier-1 carrier) and AS9049 (ERTH Corporation JSC). These may represent earlier transit arrangements prior to current peer configuration.

Confirmed: No documented de-peering events for AS206728 in open sources. Unlike PROSPERO (AS200593, Bearhost), which attracted public attention when Kaspersky Lab was identified as an upstream provider in 2025, no equivalent upstream controversy has been publicly reported for MEDIALAND-AS.

Physical Infrastructure

Confirmed: Data Center Kirishi (100% subsidiary of Media Land LLC, registered July 2022, Kirishi, Leningrad Oblast) is assessed to represent an owned physical data center, not leased rack space in a third-party facility. Zatolokin directly stated to BlackBasta client "gg": "our own data center, our own hardware." This constitutes a structural differentiator from most Russian BPH operators who lease upstream capacity. [3]

Confirmed: Standard plan: 20 Gbps per 100 servers on owned hardware. Documented BlackBasta deployment: approximately 200 servers consuming 17-20 Gbps with plans to scale to 50 Gbps. [3]

Hosted Activity Types

From PRODAFT LARVA-34 analysis and Media Land leak data (March 2025), confirmed hosted activity categories:

Blocklist Standing

List | Status | Evidence
Spamhaus SBL | Listed (confirmed) | SBL and CBL listings noted by community on 2019 Krebs article; advertising explicitly claims to ignore Spamhaus, confirming ongoing listing relationship
Spamhaus CBL | Listed (confirmed) | Noted in 2019 KrebsOnSecurity article comments by security researchers examining IP ranges
Spamhaus DROP / EDROP | Probable | EDROP covers cybercriminal-controlled IP space; no direct confirmation for current state; probable given operator sanctions status
abuse.ch Feodo Tracker | Probable | Confirmed C2 hosting in IP ranges; direct entry IDs not confirmed in open sources
abuse.ch URLhaus | Probable | Phishing and malware URLs from these ranges documented; entry-level confirmation via multiple reports
abuse.ch MalwareBazaar | Unknown | No direct confirmation in open sources
Firehol | Probable | No direct confirmation; range behavior and CBL/SBL status strongly suggest inclusion

Known Weaknesses

Infrastructure concentration: all prefixes sit under a single ASN (AS206728), which makes AS-level blocking straightforward for defenders. The AS has relatively few upstream peers (4 observed), limiting routing redundancy. Ownership of physical DC hardware (DC Kirishi) creates a fixed, locatable choke point that is, in principle, subject to seizure by Russian authorities, though no Russian LE action has occurred.
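The AS-level blocking point above, as an added example (not from the original page or its sources): Python code that collapses the AS206728 prefixes listed on this page into a minimal block list and flags matching addresses in firewall logs, including IPv4-mapped IPv6 forms. The `src=`/`dst=` log format, the function names, and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Prefixes and registered descriptions copied from this page's AS206728
# tables. They are a snapshot: re-check current routing data before
# turning them into a block rule.
AS206728_PREFIXES = {
    "45.141.84.0/24": "ML Cloud LLC",
    "45.141.85.0/24": "Media Land LLC",
    "45.141.86.0/24": "ML Cloud LLC",
    "45.141.87.0/24": "Grisha Maslinikov",
    "91.220.163.0/24": "Media Land LLC",
    "193.242.153.0/24": "IT Outsourcing LLC",
    "194.26.29.0/24": "Media Land LLC",
    "194.26.69.0/24": "Media Land LLC",
    "2a0b:7ec0:1320::/48": "Media Land LLC",
    "2a0b:7ec0:7701::/48": "Media Land LLC",
}
NETWORKS = [(ipaddress.ip_network(p), d) for p, d in AS206728_PREFIXES.items()]

# Constructed sample firewall log (assumed key=value format, not real traffic).
SAMPLE_LOG = """\
2026-06-06T10:00:01Z fw01 ALLOW tcp src=10.0.4.17 dst=45.141.86.12 dport=443
2026-06-06T10:00:02Z fw01 DENY tcp src=194.26.29.200 dst=10.0.4.20 dport=22
2026-06-06T10:00:03Z fw01 ALLOW tcp src=10.0.4.17 dst=198.51.100.7 dport=443
2026-06-06T10:00:04Z fw01 ALLOW tcp src=10.0.9.3 dst=::ffff:45.141.85.9 dport=8080
2026-06-06T10:00:05Z fw01 ALLOW tcp src=fd00::12 dst=2a0b:7ec0:7701::beef dport=443
2026-06-06T10:00:06Z fw01 ALLOW tcp src=10.0.4.17 dst=45.141.88.1 dport=443
2026-06-06T10:00:07Z fw01 ALLOW tcp src=10.0.4.17 dst=not-an-ip dport=443
"""

TOKEN_RE = re.compile(r"(?:src|dst)=(\S+)")


def match_prefix(addr):
    """Return (prefix, description) if addr falls in a listed prefix, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # malformed field: skip it, do not crash the scan
    # Dual-stack sockets log IPv4 peers as ::ffff:a.b.c.d; unwrap them so
    # they are compared against the IPv4 prefixes.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net, desc in NETWORKS:
        if ip.version == net.version and ip in net:
            return str(net), desc
    return None


def scan_log(text):
    """Return [(line_number, address_as_logged, prefix, description), ...]."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN_RE.findall(line):
            found = match_prefix(token)
            if found:
                hits.append((lineno, token, found[0], found[1]))
    return hits


def collapsed_blocklist():
    """Merge adjacent prefixes into the fewest CIDR entries, per IP version."""
    out = []
    for version in (4, 6):
        same = [n for n, _ in NETWORKS if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def total_ipv4_addresses():
    """Number of IPv4 addresses covered by the listed prefixes."""
    return sum(n.num_addresses for n, _ in NETWORKS if n.version == 4)


if __name__ == "__main__":
    for entry in collapsed_blocklist():
        print("block", entry)
    for lineno, addr, prefix, desc in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {addr} in {prefix} ({desc})")
```

The four contiguous 45.141.84-87 /24s merge into a single /22, so the block list needs seven entries rather than ten; 45.141.88.1 in the sample sits just outside that /22 and is correctly not flagged.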

Financial weakness: OFAC/UK/AU sanctions designate both the operator (Volosovik) and the Bitcoin address, restricting access to Western payment rails and exchange services. Customers transacting with sanctioned entities face secondary sanctions exposure.

Financial Infrastructure

Payment Methods

Cryptocurrency-only payment confirmed. Bitcoin (BTC) and USDT (Tether, ERC-20) documented in leak and sanctions data. No fiat payment methods documented. Anonymity enforced through cryptocurrency-only onboarding, consistent with BPH operator norms. [3][7]

Known Wallet Clusters

Address | Currency | Attribution | Source
18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB | Bitcoin (BTC) | Aleksandr Volosovik / Media Land LLC (OFAC designation) | OFAC SDN list, November 19, 2025 [7]
1PY4JX82rhKTSyP7ywhJgiYeVvTcpcaW8d | Bitcoin (BTC) | Yalishanda (refund address provided in 2020 arbitration case: forum public record) | Analyst1 [3]
0xa0A7d2C6b288927cf73a5cf59970373262ea73c6 | USDT (ERC-20) | "lapa": Media Land infrastructure staffer; received $94,000 USDT salary from BlackBasta operator gg | Analyst1 / Arkham blockchain data [3]
0xB54c17E5ea215f45A61E8790cf546AD175Af2Cf0 | USDT (ERC-20) | BlackBasta operator "gg": sending wallet for lapa salary payments | Analyst1 [3]

On-Chain Volume

Confirmed: TRM Labs documented over $2 million USD in received volume across wallets linked to Yalishanda/Abushost, with direct and indirect flow intersections across BlackSuit, BlackBasta, LockBit, and MedusaLocker operations. [7]

Confirmed: Chainalysis assessed Volosovik's hosting services as supporting "nearly every component of the cyber kill chain" and identified interactions across "thousands of addresses" with "millions of dollars" in transactions, serving underground exchanges, laundering services, scammers, hackers, and ransomware operators. [6]

Three-Phase Laundering Model

Evidence from BlackBasta leak and TRM analysis supports a standard three-phase laundering model consistent with Russian cybercrime norms:

Phase 1: Receipt: Ransomware payments received in Bitcoin from victims. Yalishanda receives payment for hosting services, primarily in BTC or USDT.

Phase 2: Conversion: BlackBasta operator "gg" confirmed in leaked chats that funds paid to lapa for SOCKS procurement and salary came from money already "cleaned" by an internal laundering operation. USDT used for stable-value salary payments post-laundering. TRM identifies fund flows to "intermediary wallets and major global exchanges."

Phase 3: Cash-out: Funds moved through no-KYC exchanges and OTC desks consistent with Russian ransomware cash-out patterns. Specific cash-out venues for Media Land/Volosovik not confirmed in open sources (contrast with ZServers: Garantex documented).

Sanctions and Regulatory Risk

OFAC SDN designation: Media Land LLC, ML Cloud LLC, Media Land Technology, Data Center Kirishi (entities); Volosovik, Zatolokin, Pankova, Kozlov (individuals): all designated November 19, 2025. Volosovik's BTC address 18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB explicitly listed on SDN. UK OFSI and AU DFAT coordinated designations on same date. All property and interests in US/UK/AU jurisdictions blocked; US persons and entities in US prohibited from transacting with designated parties. Secondary sanctions risk extends to financial institutions worldwide. [7][8][9]

Client Profile and Hosted Operations

Crimeware Verticals by Evidence Tier

Client / Activity | Category | Confidence | Sources
LockBit ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; UK FCDO; Chainalysis [6][7][8]
BlackBasta ransomware infrastructure | Ransomware | Confirmed | Analyst1 (leaked chats + Media Land leak correlation); OFAC/UK FCDO; leaked chat data [3][7][8]
BlackSuit ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; Bleeping Computer [6][7]
Play ransomware infrastructure | Ransomware | Confirmed | OFAC press release sb0319; Bleeping Computer [6][7]
Evil Corp infrastructure | Ransomware / CaaS | Confirmed | UK FCDO / Foreign Secretary statement; Bleeping Computer (citing UK) [8]
MedusaLocker ransomware infrastructure | Ransomware | Credible [Single Source] | TRM Labs blockchain analysis [7]
Underground exchanges and laundering services | Financial crime infrastructure | Confirmed | OFAC; Chainalysis [6][7]
Scammers and fraud operators | Fraud | Confirmed | OFAC; Chainalysis [6][7]
Initial access brokers (IABs) | Access brokerage | Confirmed | OFAC; Chainalysis [6][7]
Malware-as-a-Service operators | MaaS | Confirmed | OFAC; PRODAFT LARVA-34 [4][7]
DDoS-for-hire / DDoS attack infrastructure | DDoS | Confirmed | OFAC: "multiple DDoS attacks against U.S. companies and critical infrastructure, including telecommunications systems" [7]
Magecart and card-skimming infrastructure | Financial fraud | Credible | KrebsOnSecurity 2019 citing active hosting of Magecart-related infra [1]
Cybercrime forum hosting | Forum / marketplace | Credible | KrebsOnSecurity 2019: "hundreds of dodgy sites" including cybercrime forums and stolen card shops [1]

Client Geography

Client geography not confirmed in open sources. Given that Yalishanda advertised on Russian-language underground forums (Exploit, XSS) and the operator network is entirely Russia/CIS-based, a predominantly Russian-speaking/CIS client base is assessed. The presence of internationally active ransomware groups (LockBit, BlackBasta, BlackSuit, Play) confirms that service is not geographically restricted and supports attacks on Western targets globally.

Notable Hosted Cases

BlackBasta 200-Server Deployment (2023-2024)

Confirmed: Based on BlackBasta leaked chats correlated with Media Land internal data by Analyst1. BlackBasta maintained a ~200-server deployment on Media Land infrastructure, consuming 17-20 Gbps bandwidth with negotiated plans to expand to 50 Gbps. Infrastructure staffer "lapa" managed day-to-day operations and SOCKS proxy procurement layered over Media Land's servers. Total confirmed USDT payments to lapa from BlackBasta operator gg: $94,000 USD across five transactions (February-May 2024). [3]

LockBit Administrator Dmitry Khoroshev: Infrastructure Link

Confirmed: OFAC specifically notes that Volosovik's hosting services supported sanctioned LockBit administrator Dmitry Khoroshev (aka LockBitSupp). This establishes a direct confirmed link between Yalishanda infrastructure and the LockBit RaaS operation at the administrator level. [6][7]

REvil Forum Confrontation (2019)

Confirmed: A REvil member posting under the handle "Unknown" (attributed to a prominent REvil operator by Analyst1) directly addressed Volosovik by his first name "Sasha" during a 2019 arbitration thread on XSS forum, demonstrating that Volosovik's real identity was known within top-tier Russian ransomware circles well before Western public exposure. [3]

State Nexus Assessment

Jurisdictional Separation

Entity Registration Jurisdiction: Russian Federation
Media Land LLC: St. Petersburg, registered Oct 2015. Data Center Kirishi: Kirishi, Leningrad Oblast, registered July 2022. ML Cloud and Media Land Technology: Russia (dates not confirmed). All entities OOO (LLC) structure under Russian law.
Infrastructure Hosting Jurisdiction: Russian Federation
Primary infrastructure in St. Petersburg per entity registration. DC Kirishi physical hardware in Kirishi, Leningrad Oblast. No confirmed infrastructure in non-Russian jurisdictions, though Zatolokin mentioned potential European deployment capability for VIP clients.
Assessed Operator Location: Russian Federation
Volosovik: St. Petersburg, assessed (Intel 471: relocated from Vladivostok approximately 2018; registered director of St. Petersburg company). Zatolokin, Pankova, Kozlov: Russia (assessed; no confirmed location). All remain at large within Russia.

Assigned Tier: TOLERATED SAFE HARBOR (Tier 2 of 4)

State Nexus Assessment

Media Land/Yalishanda is assessed at Tier 2: Tolerated Safe Harbor. The Russian state is assessed to be aware of Media Land's operations and to refrain from enforcement or prosecution despite over a decade of public exposure. No evidence supports Tier 3 (active cooperation/tasking) or Tier 4 (direct state control).

Evidence Supporting Tier 2 Assessment

Negative Evidence (Against Tier 3 or 4)

Expected indicators if Tier 3/4 existed (and are absent): documented FSB handler relationships, targeting of government rather than commercial victims, evidence of intelligence-sharing between operator and state, or classified sourcing suggesting coordinated operations. None of these indicators are present in available reporting.

Law Enforcement and Regulatory Response

Arrests and Indictments

None. As of June 2026, no individual associated with Media Land/Yalishanda has been arrested, extradited, indicted, or charged in any jurisdiction. Volosovik, Zatolokin, Pankova, and Kozlov remain at large in Russia.

Sanctions Chronology

July 16, 2019
KrebsOnSecurity publicly names Volosovik as Yalishanda with full passport documentation. Intel 471 confirms real identity. No Russian LE response. Provider continues operating.
February 2025
ExploitWhispers leaks approximately 200,000 BlackBasta internal chat messages on Telegram, revealing Zatolokin (Slim Shady) as Media Land's customer liaison and BlackBasta's primary infrastructure contact.
March 28, 2025
Unknown actor leaks Media Land internal database including server configurations, client purchase history, user account data, and cryptocurrency addresses. Volosovik acknowledges breach on hacking forum.
November 19, 2025
Coordinated trilateral sanctions: OFAC, UK FCDO, and AU DFAT designate Media Land LLC, ML Cloud LLC, Media Land Technology, Data Center Kirishi, Volosovik, Zatolokin, Pankova, and Kozlov. FBI coordination noted in OFAC press release. CISA releases joint Five Eyes guidance on BPH defense mitigations. All US/UK/AU assets of designated parties frozen.

Server Seizures

None confirmed as of June 2026. Unlike ZServers (127 servers seized in the Netherlands, February 2025), no physical server seizure or infrastructure takedown has been executed against Media Land. This is consistent with the infrastructure being located entirely within Russia, outside the jurisdictional reach of Western law enforcement.

Post-Sanctions Infrastructure Status

Confirmed: AS206728 remains active and advertising routes as of June 6, 2026, per Hurricane Electric BGP data. All 8 IPv4 prefixes and 2 IPv6 prefixes remain announced. No ASN deregistration, no route withdrawal, and no documented client migration away from the platform are confirmed in open sources.

Post-Disruption Client Migration

Analyst Inference: Sanctions reduce Media Land's ability to receive payments from clients using Western-facing exchange infrastructure and may deter clients who face secondary sanctions exposure from transacting with a designated provider. However, given the Russia-based operator network and primarily Russian/CIS client base, near-term operational disruption is expected to be limited. Clients can continue transacting in cryptocurrency via peer-to-peer channels, Russian exchanges, and non-KYC services outside OFAC jurisdiction.

Five Eyes Joint Guidance

On November 19, 2025, CISA (coordinating with US, UK, Australian, Canadian, and New Zealand cyber agencies) released joint guidance titled "Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers." The guidance advised ISPs to implement high-confidence malicious resource block lists, conduct regular traffic analysis, and establish know-your-customer verification for new clients. The timing alongside Media Land sanctions confirms BPH providers were the primary target of the joint guidance release. [6][8]
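The block-list and traffic-analysis recommendations above combine into a single check, shown here as an added example that is not part of the original report or of the CISA guidance: egress flow records are matched against a prefix block list by longest-prefix match and summarised per matched prefix. The prefixes are RFC 5737/3849 documentation ranges, the flow lines are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed block list: RFC 5737/3849 documentation ranges stand in for a real prefix feed.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.0/24", "2001:db8:bad::/48"]

# Constructed egress flow records, one per line: "src_ip dst_ip bytes".
SAMPLE_FLOWS = """\
10.0.4.17 198.51.100.23 48211
10.0.4.17 198.51.100.23 1200
10.0.9.2 203.0.113.5 905
10.0.9.2 192.0.2.80 77120
fd00::15 2001:db8:bad::443 15000
10.0.7.7 not-an-ip 10
"""

def build_index(prefixes):
    """Parse prefixes and group them by IP version, most specific first."""
    index = {4: [], 6: []}
    for net in map(ipaddress.ip_network, prefixes):
        index[net.version].append(net)
    for nets in index.values():
        nets.sort(key=lambda n: n.prefixlen, reverse=True)
    return index

def match_prefix(index, addr):
    """Return the most specific block-listed network containing addr, or None."""
    for net in index[addr.version]:
        if addr in net:
            return net
    return None

def analyse_flows(text, index):
    """Aggregate flows, bytes and distinct internal hosts per matched prefix."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "hosts": set()})
    skipped = 0
    for line in text.splitlines():
        parts = line.split()
        try:
            src, dst, nbytes = parts[0], ipaddress.ip_address(parts[1]), int(parts[2])
        except (IndexError, ValueError):
            skipped += 1  # malformed record: count it rather than drop it silently
            continue
        net = match_prefix(index, dst)
        if net is not None:
            rec = hits[str(net)]
            rec["flows"] += 1
            rec["bytes"] += nbytes
            rec["hosts"].add(src)
    return dict(hits), skipped

if __name__ == "__main__":
    report, bad = analyse_flows(SAMPLE_FLOWS, build_index(BLOCKLIST))
    print(report, "unparseable lines:", bad)
```

Reporting the distinct internal hosts per prefix is what turns a block-list hit into a triage list: one host talking to a listed prefix is an endpoint investigation, many hosts is a shared dependency or a wider compromise.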

Connected Groups and Ecosystem Relationships

All connected entity claims carry two-tier confidence assessed independently: Tier 1 (infrastructure relationship: did Media Land host their infrastructure?) and Tier 2 (operational relationship: did Media Land operators know the client's identity and coordinate operationally?). These are analytically distinct claims.

BlackBasta
Ransomware-as-a-Service operation // Active 2022-2024 (assessed disbanded early 2025)
Confidence Assessment
Tier 1: Infrastructure Relationship: Confirmed
Tier 2: Operational Relationship: Confirmed
T1: BlackBasta maintained approximately 200 servers on Media Land infrastructure per correlated BlackBasta chat leak and Media Land internal data (Analyst1, January 2026). Bandwidth consumption documented at 17-20 Gbps. Specific IP 45.141.87.127 cited in Zatolokin speed-test message to gg. T2: Zatolokin (Slim Shady) personally managed the BlackBasta account, conducted capacity planning calls with operator gg, and had direct knowledge of the client's identity and operational scale. lapa, acting as infrastructure manager, received $94,000 USDT in salary from gg across 5 transactions (Feb-May 2024). The operational relationship is among the most extensively documented BPH-client relationships in any public reporting.
Analyst1 (corroborating) · OFAC (corroborating) · UK FCDO (corroborating) · Chainalysis (corroborating) · PRODAFT (corroborating)
LockBit
Ransomware-as-a-Service operation // Active 2019-2024 (disrupted Operation Cronos, February 2024)
Confidence Assessment
Tier 1: Infrastructure Relationship: Confirmed
Tier 2: Operational Relationship: Credible
T1: OFAC press release explicitly states Media Land "provided BPH services to... ransomware actors, including prolific ransomware actors such as Lockbit." Chainalysis further confirms Volosovik's services supported sanctioned LockBit administrator Dmitry Khoroshev (LockBitSupp). T2: Direct operational coordination between Volosovik/Zatolokin and LockBit operators is not documented in the same granular detail as BlackBasta. OFAC/Chainalysis framing implies a business-level service relationship; individual operator identity awareness at the Yalishanda side is credible given operational duration but not confirmed by leak data.
OFAC (corroborating) · Chainalysis (corroborating) · UK FCDO (corroborating)
BlackSuit
Ransomware-as-a-Service operation // Active 2023-present (assessed successor to Royal ransomware)
Confidence Assessment
Tier 1: Infrastructure Relationship: Confirmed
Tier 2: Operational Relationship: Credible
T1: OFAC press release explicitly includes BlackSuit among Media Land's ransomware clients. T2: No direct operational relationship evidence beyond the OFAC designation and TRM on-chain flow analysis.
OFAC (corroborating) · TRM Labs (corroborating)
Play Ransomware
Ransomware-as-a-Service operation // Active 2022-present
Confidence Assessment
Tier 1: Infrastructure Relationship: Confirmed
Tier 2: Operational Relationship: Credible
T1: OFAC press release explicitly includes Play among Media Land's ransomware clients. T2: No direct operational relationship evidence beyond the OFAC designation. Business relationship inferred from OFAC attribution and on-chain flows.
OFAC (corroborating) · Chainalysis (corroborating)
Evil Corp
Russia-based cybercrime group / Dridex / WastedLocker / Indrik Spider // Active 2009-present
Confidence Assessment
Tier 1: Infrastructure Relationship: Confirmed
Tier 2: Operational Relationship: Credible
T1: UK Foreign Secretary Yvette Cooper specifically cited Volosovik as having "worked with... Evil Corp" in the November 2025 sanctions announcement. Bleeping Computer confirmed this attribution citing UK government. Evil Corp's Dridex malware was documented on Yalishanda infrastructure in a 90-day 2017 period per Intel 471 Black Hat talk. T2: Given Evil Corp's notoriety and longevity, and the 2017 Intel 471 documentation, the operational relationship is credible but not confirmed at the same level as BlackBasta.
UK FCDO (corroborating) · Intel 471 (corroborating)
MedusaLocker
Ransomware-as-a-Service operation // Active 2019-present
Confidence Assessment
Tier 1: Infrastructure Relationship: Credible [Single Source]
Tier 2: Operational Relationship: Analyst Inference
T1: TRM Labs on-chain analysis identifies MedusaLocker in the flow graph connected to Yalishanda/Abushost wallets. Single-source claim; not corroborated by OFAC or other government sources. T2: Operational relationship not established; inference only based on T1 financial flows.
TRM Labs (single source)
Aeza Group LLC
Russian bulletproof hosting provider // Sanctioned by OFAC July 1, 2025; UK FCDO November 19, 2025 (same action as Media Land)
Confidence Assessment
Tier 1: Infrastructure Relationship: Analyst Inference
Tier 2: Operational Relationship: Analyst Inference
Aeza Group is a separate BPH provider sanctioned in the same November 2025 coordinated action but as a distinct entity. Coordinated designation does not imply a direct infrastructure or operational relationship with Media Land; both were targeted in the same sweep due to providing analogous services. No infrastructure sharing or direct operational coordination between Aeza and Media Land is documented in available reporting. Aeza's post-sanctions rebranding (Hypercore Ltd., Serbia/Uzbekistan entities) appears to be an independent evasion strategy. Relationship type: same-sector designation, not client or partner relationship.
No vendor has published a formal Media Land-Aeza relationship assessment

Trajectory Assessment

Infrastructure Churn

Confirmed: AS206728 (MEDIALAND-AS) remains fully active as of June 6, 2026, per Hurricane Electric BGP data, with all 8 IPv4 prefixes and 2 IPv6 prefixes announced. No AS deregistration, prefix withdrawal, or transit provider change is documented post-sanctions. Unlike Aeza Group, which immediately began a rebranding and entity restructuring strategy after its July 2025 designation, no analogous reconstitution activity has been confirmed for Media Land as of this writing. This may reflect greater operator confidence in Russian territorial protection or a deliberate assessment that the infrastructure itself is not at seizure risk.

Market Position

Media Land/Yalishanda occupies the top tier of the Russian BPH market by longevity, documented client base quality (flagship-tier ransomware operators), and the unusual distinction of owning physical data center hardware (DC Kirishi). KrebsOnSecurity's 2019 characterization of Yalishanda as potentially the "world's biggest bulletproof hoster", while likely an overstatement, reflects genuine scale. The provider has sustained operations through multiple exposure events (Krebs 2019 identification, BlackBasta and internal data leaks 2025) without operational interruption, demonstrating resilience that reflects the Russian legal operating environment rather than technical hardening.

Disruption History Assessment

Disruption record through June 2026: zero arrests, zero server seizures, zero successful de-peering actions. The November 2025 sanctions constitute the first formal Western government action against Media Land after 15+ years of documented criminal activity. No Russian domestic action has occurred. This track record, combined with wholly Russia-based infrastructure, suggests that sanctions represent the primary available lever and that physical disruption is not achievable under current conditions.

Trajectory Direction: DEGRADED / STABLE

Assessed trajectory is Degraded but stable. Sanctions impose meaningful financial friction (blocked Western payment rails, secondary sanctions risk for clients, SDN-listed Bitcoin address) but do not impair the underlying technical infrastructure. As long as Volosovik and Zatolokin remain at large in Russia, the self-operated DC Kirishi hardware remains operational, and Russian clients continue to pay in cryptocurrency outside OFAC jurisdiction, core functionality persists. Potential disruptive catalysts include Russian domestic prosecution (assessed low probability), operator-level defection or internal disruption, or loss of key upstream peers forcing routing changes.

Mandatory Intelligence Gaps

Post-Sanctions Operational Tempo

Whether Media Land has experienced meaningful client attrition, pricing changes, or capacity reduction following the November 2025 sanctions is unknown. Internal data from after the March 2025 leak is not available in open sources.

New Entity / ASN Registration Activity

No post-sanctions ASN registrations or new entity registrations by Volosovik or associates have been documented, unlike Aeza Group's documented evasion strategy. This gap should be monitored via RIPE NCC WHOIS and the Russian corporate registry.

Full Hosted Client Roster

The March 2025 Media Land internal data leak is understood to be comprehensive, but full analysis has not been publicly published. The complete client list beyond the named ransomware groups is unknown in open sources.

Pankova and Kozlov Functional Roles

OFAC designations establish legal status but do not specify job titles, reporting relationships, or operational responsibilities for Pankova (legal/financial) and Kozlov (associated). Understanding whether Kozlov holds a technical infrastructure role (e.g., DC Kirishi management) would refine the operational succession picture.

Volosovik Current Location Confirmation

Assessed as St. Petersburg, Russia, based on Media Land LLC registration address and Intel 471 2018 relocation reporting. No post-2019 confirmed location information in open sources.

Cash-Out Venue Mapping

Specific exchanges, OTC desks, or money services businesses used by Media Land for cryptocurrency cash-out are not identified in open sources (contrast: ZServers cash-out via Garantex is confirmed). This represents a key financial intelligence gap for tracing proceeds.

Recent Reporting

January 15, 2026
Analyst1 publishes "Infrastructure in the Shadows" (author: Anastasia Sentsova), correlating BlackBasta chat leak and Media Land internal data leak to document the operational relationship between Yalishanda and BlackBasta, including Zatolokin's dual role and lapa salary payments. analyst1.com
November 19, 2025
OFAC, UK FCDO, and AU DFAT announce coordinated trilateral sanctions against Media Land network (4 entities, 4 individuals). FBI coordination noted. CISA releases simultaneous Five Eyes BPH guidance. Treasury.gov
April 7, 2025
PRODAFT publishes a thread identifying Medialand as LARVA-34 and analyzing the March 28 data leak, noting hosted infrastructure extending far beyond ransomware, including code-signing, phishing, and data exfiltration systems. PRODAFT on X
March 28, 2025
Unknown actor leaks Media Land internal database. Volosovik acknowledges breach on hacking forum. Data included server configs, client purchase history, user accounts, and cryptocurrency addresses. Cybersecurity-help.cz reports on the incident.
February 2025
ExploitWhispers leaks approximately 200,000 BlackBasta Matrix messenger messages on Telegram, revealing Zatolokin as "Slim Shady" and his role as Media Land's liaison to BlackBasta's operational leadership.

Sources

[1] KrebsOnSecurity, "Meet the World's Biggest 'Bulletproof' Hoster," July 16, 2019. krebsonsecurity.com
[2] UK Government, "UK smashes Russian cybercrime networks responsible for attacks on UK businesses," November 19, 2025. gov.uk
[3] Analyst1 (Anastasia Sentsova), "Infrastructure in the Shadows," January 15, 2026. analyst1.com
[4] PRODAFT, "Threat Actor Leaks Internal Data from Medialand (LARVA-34)," April 7, 2025. x.com/PRODAFT
[5] Cybersecurity-help.cz, "One of largest bulletproof web hosting providers Media Land got its internal data leaked," 2025. cybersecurity-help.cz
[6] Chainalysis, "U.S., U.K., and Australia Target Russian Cybercrime Infrastructure," November 2025. chainalysis.com
[7] U.S. Department of the Treasury / OFAC, "United States, Australia, and United Kingdom Sanction Russian Cybercrime Infrastructure Supporting Ransomware," November 19, 2025. treasury.gov
[8] Bleeping Computer (Sergiu Gatlan), "Russian bulletproof hosting provider sanctioned over ransomware ties," November 19, 2025. bleepingcomputer.com
[9] Australian Government (AFP / DFAT), "Sanctions imposed on Russian cybercrime service providers for malicious cyber activity," November 19-20, 2025. afp.gov.au
[10] TRM Labs, "US, Australia, and UK Sanction Russian Cybercrime Infrastructure Supporting Ransomware," November 20, 2025. trmlabs.com
[11] Elliptic, "US cracks down on Russian bulletproof hosting services enabling cybercrime," November 2025. elliptic.co
[12] Reuters, "US, UK and Australia sanction Russian cyber firms over ransomware support," November 19, 2025. reuters.com
[13] Hurricane Electric BGP Toolkit, AS206728 MEDIALAND-AS. Accessed June 6, 2026. bgp.he.net
[14] CybersecurityNews, "Inside the Leaks that Exposed the Hidden Infrastructure Behind a Ransomware Operation," 2025. cybersecuritynews.com
[15] National Crime Agency (UK), "Prolific bulletproof hosting service sanctioned by the UK and allies," November 2025. nationalcrimeagency.gov.uk