Key Findings

• The U.S. Treasury Department, along with officials from the U.K. and Australia, imposed sanctions on two Russian bulletproof hosting providers and their key personnel.

• The targeted providers, Media Land and its subsidiaries, are accused of supporting ransomware operations and other cybercrime activities.

• The sanctions also targeted individuals and companies that helped the previously sanctioned Aeza Group evade sanctions and reconstitute their operations.

• Cybercrime authorities from the Five Eyes alliance and the Netherlands released a mitigation guide to help defenders thwart cybercrime enabled by bulletproof hosting infrastructure.

Background

• Bulletproof hosting providers sell specialized servers and infrastructure designed to evade detection and law enforcement efforts, enabling various cybercrime activities.

• Media Land, a St. Petersburg-based bulletproof hosting provider, has been used by major ransomware groups like LockBit, BlackSuit, and Play.

• Media Land's infrastructure has also supported DDoS attacks on U.S. companies and critical infrastructure.

Sanctions on Media Land

• OFAC designated Media Land, its general director Aleksandr Volosovik, employee Kirill Zatolokin, and other affiliated entities for contributing to cyber activities threatening U.S. national security.

• Yulia Pankova was designated for assisting Volosovik financially and legally.

• Subsidiaries Media Land Technology and Data Center Kirishi were also sanctioned as entities controlled by Media Land.

Targeting Aeza Group's Evasion Efforts

• After Aeza Group and its leaders were sanctioned in 2025, the group launched a rebranding effort to hide its links to new infrastructure.

• The latest sanctions target companies and individuals, such as Hypercore Ltd., Maksim Makarov, and Ilya Zakirov, for helping Aeza Group evade the previous sanctions.

• Smart Digital Ideas (Serbia) and Datavice (Uzbekistan) were also designated for supporting or being controlled by Aeza.

Mitigation Efforts

• Cyber authorities from the Five Eyes alliance and the Netherlands released a mitigation guide to help defenders thwart cybercrime enabled by bulletproof hosting infrastructure.

• The guide urges ISPs and network defenders to block malicious IP ranges and addresses, supported by curated threat lists and other security measures.

• Disrupting bulletproof hosting services requires a nuanced approach, as they are integrated into legitimate internet infrastructure, and actions may impact legitimate activity.

Sources

• https://cyberscoop.com/bulletproof-hosting-providers-sanctions-mitigation-media-land/

• https://securityaffairs.com/184871/cyber-crime/coordinated-sanctions-hit-russian-bulletproof-hosting-providers-enabling-top-ransomware-ops.html

• https://x.com/fridaysecurity/status/1991259455258755160