In a significant trilateral operation on November 19, 2025, the U.S. Treasury’s Office of Foreign Assets Control (OFAC), working closely with authorities in the United Kingdom and Australia, imposed sanctions on a network of Russian bulletproof hosting providers central to worldwide cybercrime, particularly ransomware campaigns. According to insights shared in a research report, the targets included Media Land, LLC and affiliated companies such as Media Land Technology LLC, Data Center Kirishi LLC, and ML.Cloud LLC.
These entities supplied resilient internet infrastructure that ignored abuse reports and law enforcement requests, allowing malicious actors to maintain operations for ransomware, phishing, malware distribution, and DDoS attacks.
Blockchain analytics firm Chainalysis highlights how this infrastructure forms the backbone of the modern cyber kill chain.
Operators like Aleksandr Volosovik—known online by aliases including “Yalishanda,” “Ohyeahhellno,” and “podzemniy1”—provided services that supported nearly every stage, from initial access brokering to final monetization.
OFAC specifically designated one Bitcoin address tied to Volosovik (18dLDAWi8LmrHbEq3QzDJb9SLxCf4uimXB).
However, Chainalysis’s monitoring reveals thousands of related addresses handling millions of dollars in cryptocurrency flows.
On-chain patterns show these services catering to underground exchanges, laundering providers, scammers, hackers, malware-as-a-service vendors, and ransomware groups.
Notably, the network assisted affiliates of the sanctioned LockBit operation, including administrator Dmitry Khoroshev (also known as Lockbitsupp).
Reactor visualizations from Chainalysis even depict repeated payments from Volosovik’s entities to dark web marketplaces, likely for advertising his hosting offerings.
Many sanctioned entities and individuals, including Maksim Makarov and Ilya Zakirov, trace back to the AEZA Group LLC, which faced OFAC action in July 2025 for similar bulletproof hosting activities.
Several new companies, such as Uzbekistan’s Datavice MCHJ and the UK’s Hypercore Ltd., emerged immediately after that designation—pointing to deliberate rebranding efforts to evade enforcement.
This pattern echoes an earlier February 2025 action against ZServers, underscoring OFAC’s evolving strategy of dismantling enabling infrastructure rather than chasing individual threat actors alone.
The coordinated U.S.-UK-Australia effort amplifies pressure through secondary sanctions risks, complicating business for global providers and financial institutions interacting with these networks.
Separately, OFAC targeted a major drug trafficking organization led by Ryan James Wedding, a former Canadian Olympic snowboarder from the 2002 Winter Games.
Wedding and nine associates—including his wife, a Canadian jeweler, and contacts in Italy and the UK—were sanctioned for smuggling cocaine via Mexico and Colombia into the U.S. and Canada.
The network allegedly orchestrated dozens of murders across multiple continents, landing Wedding on the FBI’s Ten Most Wanted Fugitives list.
He is believed to be hiding in Mexico.
Chainalysis analysis reveals extensive stablecoin use for laundering.
Wedding’s operation received over $263 million in USDT on the TRX blockchain.
Funds were routinely fragmented into smaller transfers before consolidation, a classic layering tactic.
Tether blocked associated wallets in July 2025.
On-chain graphs further link these wallets indirectly to China-based chemical suppliers providing precursors and cutting agents, illustrating a seamless cycle where laundered proceeds quickly reinvest in the supply chain.
These developments illustrate the dual role of cryptocurrency in both enabling and exposing illicit activity.
For virtual asset service providers, Chainalysis recommends heightened screening against updated sanctions lists, vigilant monitoring of high-risk hosting payments, and enhanced due diligence in vulnerable jurisdictions.
Chainalysis concluded that by targeting the foundational layers—whether bulletproof servers or stablecoin laundering pipelines—international authorities are raising operational costs for cybercriminals and traffickers, signaling a sustained push toward ecosystem-wide disruption.