FastNetMon DDoS Detection Tool

US, UK and Australia sanction Russian hosting providers behind major ransomware and DDoS activity

The U.S. Department of the Treasury, together with the UK and Australia, has announced coordinated sanctions against a network of Russian “bulletproof” hosting providers (BPH) used to run ransomware operations and repeated DDoS attacks against organisations in the U.S. and allied countries. The action focuses on Media Land, a long-standing St. Petersburg–based hosting operator, as well as several related companies and individuals who helped maintain its infrastructure.

Media Land’s role in supporting DDoS campaigns

Media Land has been a known infrastructure provider for groups behind high-impact ransomware campaigns, including LockBit, BlackSuit and Play. According to the U.S. Treasury, Media Land’s servers have also been involved in multiple DDoS attacks targeting U.S. enterprises and critical infrastructure.

The provider operated using the typical BPH model: servers provisioned quickly, minimal verification, rapid replacement of abused resources, and active measures to evade takedowns. OFAC also sanctioned ML Cloud, Media Land Technology, and Data Center Kirishi, which host parts of the same infrastructure and are frequently used in tandem during ransomware and DDoS activity.

Leadership figures—including director Aleksandr Volosovik, known online as Yalishanda, and employee Kirill Zatolokin—were designated for running and maintaining the service, handling payments, and providing operational support to cybercriminal customers.

Continued pressure on Aeza Group

The sanctions also extend to Hypercore Ltd., a UK-based company linked to Aeza Group, which was designated earlier this year. After its initial sanctioning, Aeza attempted to rebrand and migrate infrastructure through new front companies. OFAC now lists Hypercore, along with Serbian and Uzbek entities Smart Digital Ideas DOO and Datavice MCHJ, as part of this broader sanctions-evasion effort.

Individuals behind this activity, including Maksim Makarov and Ilya Zakirov, have also been designated for facilitating infrastructure moves and establishing new payment channels.

What this means for defenders

For network defenders and service providers, this announcement reinforces a familiar pattern: large-scale DDoS operations depend heavily on resilient, obscure hosting networks with little to no oversight. Bulletproof hosting remains a key enabler because it offers the combination of bandwidth, persistence and operational freedom attackers need to launch and sustain campaigns.

Sanctioning infrastructure operators does not remove all malicious capacity from the internet, but it does increase friction for attackers. It disrupts payment flows, forces relocation, and often results in temporary instability across their hosting footprint. Defenders can expect some short-term shifts in command-and-control endpoints and DDoS orchestration nodes as these actors attempt to move workloads off the newly sanctioned networks.

Guidance for organisations

CISA and international partners have also released updated guidance for identifying and mitigating risks associated with bulletproof hosting providers. Organisations should continue monitoring for traffic patterns associated with fast-moving or frequently re-provisioned infrastructure—common indicators of BPH-backed DDoS operations.

FastNetMon will continue tracking developments in the hosting ecosystem and sharing updates as new infrastructure trends and threat behaviours emerge.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
