U.S., U.K., and Australia Target Russian Cybercrime Infrastructure Behind Global Ransomware Operations

Updated: November 19, 2025 | Wellington Intelligence Analysis Unit

Overview

The United States, United Kingdom, and Australia have launched a coordinated enforcement action targeting Russian cybercrime infrastructure responsible for supporting global ransomware operations. The sanctions focus primarily on Media Land LLC, a major bulletproof hosting provider, along with several associated entities and individuals connected to large-scale cybercriminal activity.

This joint action demonstrates the growing international shift toward dismantling the infrastructure layer that enables cybercrime—rather than exclusively pursuing individual threat actors.

Key Findings

1. Sanctions on Media Land Network

OFAC, together with U.K. and Australian authorities, designated Media Land LLC and its affiliated companies—Media Land Technology LLC, Data Center Kirishi LLC, and ML.Cloud LLC—for providing resilient hosting services used by ransomware groups, phishing operators, malware distributors, DDoS actors, and other cybercriminals.

These providers knowingly ignored abuse complaints, giving criminals persistent, takedown-resistant environments to operate globally.

Several of the sanctioned entities were created shortly after the July 2025 enforcement against AEZA Group, indicating deliberate attempts to rebuild infrastructure under new corporate structures.

2. Links to AEZA Group

Multiple individuals tied to AEZA Group LLC—previously sanctioned by OFAC—were identified within the Media Land ecosystem.Newly established companies in Uzbekistan and the United Kingdom appear to have been designed to continue operations following earlier sanctions, demonstrating how criminal infrastructure rapidly adapts to enforcement pressure.

3. Cryptocurrency Infrastructure Supporting Cybercrime

The sanctions include a Bitcoin address linked to Aleksandr Volosovik (aliases “Ohyeahhellno,” “podzemniy1,” “Yalishanda”).Volosovik’s infrastructure has been tied to:

• Underground crypto exchanges

• Laundering-as-a-service providers

• Access brokers and malware-as-a-service sellers

• Ransomware operators, including affiliates of the sanctioned LockBit administrator Dmitry Khoroshev

Although only one address appears in the formal designation, analysts are tracking thousands of addresses and millions in transactions attributed to this ecosystem.

4. International Coordination

The U.S., U.K., and Australia conducted this action jointly, reflecting the global scale of bulletproof hosting networks and the need for coordinated disruption.

The sanctions include secondary sanctions risks under Ukraine-/Russia-related regulations, meaning non-U.S. persons engaging with the designated entities may be exposed to enforcement.

5. Pattern of Targeting Criminal Infrastructure

This action follows a series of OFAC designations aimed at dismantling cybercrime infrastructure:

• July 2025: AEZA Group LLC

• February 2025: ZServers

Targeting infrastructure—rather than individual actors—allows authorities to disrupt multiple criminal networks simultaneously.

Global Drug Trafficking Network Also Sanctioned

OFAC separately sanctioned Ryan James Wedding, a former Canadian Olympic snowboarder, for orchestrating a large-scale cocaine trafficking network operating across Mexico, Colombia, the U.S., and Canada.Wedding is linked to:

• Extreme violence

• Dozens of murders across multiple countries

• Large-scale laundering operations using USDT (TRX)

Three TRX addresses associated with Wedding were sanctioned. Over $263 million in USDT_TRX has been tied to wallets under his control.

On-chain activity shows connections to:

• China-based chemical manufacturers (precursor suppliers)

• Intermediary laundering wallets associated with cartel activity

• A global network of affiliates breaking funds into smaller transfers to obscure tracing

  
  

Compliance Impact for Cryptocurrency Businesses

Organizations should implement enhanced controls, including:

• Screening all transactions against updated OFAC sanctions lists

• Monitoring for exposure to known bulletproof hosting providers (Media Land, AEZA Group, ZServers)

• Strengthened due diligence for clients offering hosting, infrastructure, or cybersecurity services

• Identification of transaction patterns consistent with infrastructure-level cybercrime activity

This enforcement action reinforces the growing expectation that crypto platforms, fintech companies, and digital asset service providers maintain proactive, intelligence-driven sanctions compliance.

Disclaimer

This analysis is provided for informational purposes only and does not constitute legal, tax, or financial advice. Organizations should consult their professional advisors before making operational or compliance decisions.