A court in the Southern District of Indiana has sentenced Aleksei Volkov, a Russian citizen, to 81 months in prison for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against US companies. The 26-year-old's conviction reflects a deliberate prosecutorial shift: instead of pursuing only those who deploy ransomware, authorities are now going after the specialists who sell them the keys to corporate networks.
Volkov operated as what the cybersecurity industry calls an initial access broker. In legal terms, this means he was a criminal specialist who identified vulnerabilities in corporate computer systems, gained unauthorised access, and then sold that foothold to ransomware gangs. Volkov obtained and sold access to compromised networks, sometimes charging a flat fee and other times taking a cut of any ransom paid. In one instance, he received roughly 20 percent of a $500,000 payout; in another, about 16 percent of a $1 million ransom.
For ransomware crews, this division of labour is economically rational. Court filings say Volkov helped enable intrusions into at least seven US organisations, with ransomware crews moving in after access had been secured. By that stage, the hardest part of the job – getting inside – was already achieved. The access broker model allows ransomware operations to scale without requiring every operative to possess deep hacking expertise. Some specialize in initial intrusion; others handle encryption, data theft, and ransom negotiations.
Police in Rome, Italy arrested Volkov, and he was extradited to the United States. He pleaded guilty to charges from both indictments. The cross-border prosecution demonstrates the level of effort authorities are now willing to invest in targeting these upstream facilitators.
The scale of the operation is substantial. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses. As part of his plea agreement, Volkov agreed to pay $9,167,198.19 in restitution to known victims.
The Yanluowang gang, Volkov's primary customer, represents the type of professionalized threat that modern ransomware operations have become. Yanluowang was first spotted in 2021 using aggressive "triple extortion" tactics whereby data would be stolen and encrypted and then victims threatened with DDoS as well as "calls to employees and business partners" if they didn't pay up. Despite the name, which references a Chinese deity linked to the underworld, the group was subsequently found to be Russian. The group's attack on Cisco demonstrated the reach of operations enabled by brokers like Volkov.
Why target access brokers rather than just the crews deploying ransomware? Prosecuting access brokers directly attacks the supply chain that makes large-scale ransomware campaigns economically viable. Targeting that upstream layer forces criminal networks to either develop intrusion capabilities in-house – a significant barrier – or risk greater exposure by broadening their supplier relationships.
The strategy contains genuine logic, even if reasonable people might debate its effectiveness. Building intrusion capabilities in-house is expensive and requires specialised skills. If authorities successfully prosecute enough brokers, the cost and risk of ransomware operations rise. Some defenders argue this is precisely where pressure should be applied. Others contend that prosecuting foreign nationals living in Russia or elsewhere faces practical limits; international extradition remains rare, and many operators never face accountability.
Volkov's case also highlights how the ransomware economy has matured into something resembling legitimate business structures. The prosecution said Volkov was engaged in online chats with an individual described in court documents as co-conspirator 1, between July 2021 and November 2022, during which they routinely discussed ransomware attacks, and how Volkov would be compensated for his help. This typically involved a one-off payment for providing the credentials used to gain access to a victim's network, and prosecutors said Volkov regularly also negotiated a cut of the resulting ransom payments. The language of contracts, percentages, and advance payments pervades the evidence.
The conviction and substantial restitution order serve notice that the United States intends to pursue these infrastructure operators. Whether this approach disrupts the broader ransomware ecosystem, or simply increases the cost of doing business for these criminal enterprises, remains an open question. What is clear is that defending against ransomware now requires authorities to think about the supply chains that enable it, not just the final attack itself.