U.S. federal prosecutors have unsealed criminal charges against three Russian nationals accused of operating so-called bulletproof hosting services that allegedly helped ransomware gangs and other cybercriminals carry out attacks causing more than $62 million in losses worldwide. Prosecutors say the infrastructure enabled malware distribution, phishing campaigns, command-and-control servers, and other criminal operations while deliberately resisting law enforcement takedown efforts.
According to the indictment, the defendants operated two hosting services known as Media Land and ML.Cloud. Authorities allege the companies advertised themselves as providers willing to ignore abuse complaints and legal requests, allowing customers to keep malicious infrastructure online even after it had been linked to cybercrime. The services reportedly leased servers in several countries, including the United States, the Netherlands, Finland, and China, in addition to Russia.
Prosecutors allege the hosting platforms were used by multiple ransomware groups, including operators behind LockBit, BianLian, Medusa, and other malware campaigns. Investigators say the infrastructure also supported phishing attacks, information-stealing malware, botnets, and command-and-control servers used to manage compromised systems.
The criminal case follows coordinated action taken by U.S. authorities in late 2025, when the Treasury Department imposed sanctions on Media Land and associated individuals for allegedly providing services that enabled ransomware and other cybercriminal operations. Those sanctions were coordinated with the United Kingdom and Australia as part of a broader effort to disrupt the infrastructure supporting global cybercrime.
Bulletproof hosting providers occupy a key role in the cybercrime ecosystem by offering servers and network infrastructure that intentionally remain online despite abuse reports or law enforcement requests. Unlike legitimate hosting companies, these services are accused of marketing themselves to cybercriminals by promising not to suspend malicious customers or cooperate with investigations.
The three defendants remain at large and are believed to be in Russia. Because the United States has no extradition treaty with Russia, the likelihood of them appearing in a U.S. courtroom depends on whether they travel to a country willing to execute the arrest warrants. U.S. officials said the charges are intended to disrupt the infrastructure supporting ransomware operations and increase pressure on individuals who provide technical services to cybercriminal organizations.
