The United States, the United Kingdom, and Australia have announced coordinated sanctions against several Russian companies accused of helping cybercriminals operate without interruption. These companies allegedly offered “bulletproof hosting” (BPH) services, which allow criminals to lease servers that stay online even when authorities try to shut down harmful activity.
At the centre of the sanctions is the Russian company Media Land. Officials said Media Land provided bulletproof infrastructure used by major cybercrime marketplaces and ransomware groups, including LockBit, BlackSuit, and Play. Three Media Land executives were also named: Aleksandr Volosovik, known as “Yalishanda,” Kirill Zatolokin, who handled payments, and Yulia Pankova, who managed legal and financial matters.
Authorities reported that Media Land’s servers were used in distributed denial-of-service (DDoS) attacks against US companies and key communication systems. These attacks flood a system with traffic, causing important services to stop working.
The sanctions freeze any property or assets linked to the named companies and individuals in the US, the UK, and Australia, and warn that anyone doing business with them may face additional penalties.
Additional companies linked to the network
Media Land was not the only bulletproof organisation targeted. Three related companies—Media Land Technology, Data Centre Kirishi, and ML Cloud—were also sanctioned for hosting infrastructure linked to cybercriminal activity.
According to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), Media Land’s services helped keep harmful systems online for long periods, including servers tied to ransomware campaigns and other illegal operations.
OFAC also sanctioned Aeza Group LLC, another bulletproof hosting provider previously designated in July. After those sanctions, Aeza reportedly continued operating through a UK-based front company called Hypercore Ltd. Companies in Serbia and Uzbekistan that offered technical support to Aeza were added to the list as well.
The UK’s Foreign, Commonwealth and Development Office said that Aleksandr Volosovik had worked with well-known cybercrime groups, including Evil Corp, Black Basta, and LockBit. US officials noted that removing access to hosting services used by such groups is necessary to limit the infrastructure they depend on.
U.S. drops hammer on Mexico’s casino underworld as sanctions hit 27 cartel-linked targets
Cybersecurity agencies issue joint technical guidance
Cybersecurity agencies from the US, UK, Australia, Canada, and New Zealand released joint guidance to support the sanctions and limit the use of bulletproof hosting infrastructure. The group, known as the Five Eyes, outlined steps that internet service providers and network defenders can take to stop criminals from misusing bulletproof hosting services.
The US cyber defence agency CISA shared the guidance on X. The agency said the document explains best practices that can reduce how useful bulletproof hosting is to attackers.
The guidance recommends creating “high confidence” lists of malicious internet resources using trusted threat-intelligence feeds. It also encourages regular traffic analysis to detect unusual network activity that may indicate an attack.
Another recommendation is placing filters at network boundaries to block known harmful connections, while ensuring normal traffic is not affected. The guidance also stresses the importance of “know your customer” checks, since cybercriminals often use temporary email addresses and phone numbers to set up accounts.
Internet service providers were also advised to inform customers about malicious resource lists to help them avoid harmful online connections.
Romania on edge as U.S. sanctions threaten to freeze Lukoil’s fuel lifeline
Sanctions follow earlier action against a similar network
The latest measures continue a series of steps taken this year to disrupt online networks used by cybercrime groups. In February, the US, UK, and Australia jointly sanctioned ZServers/XHost, another Russia-based bulletproof hosting provider. Officials said the company had supported the LockBit ransomware group by supplying infrastructure used to plan attacks.
Soon after the sanctions, Dutch police seized 127 servers linked to ZServers/XHost, causing a major disruption to its operations. The incident showed how coordinated sanctions and law enforcement actions can affect criminal infrastructure.
By adding Media Land, its sister companies, Aeza Group LLC, Hypercore Ltd, and associated firms to the sanctions list, the US, UK, and Australia aim to reduce the hosting options available to cybercriminals who depend on stable platforms to carry out attacks.