Yanluowang Ransomware Initial Access Broker Pleads Guilty
Summary
Aleksey Olegovich Volkov, a 26-year-old Russian national from St. Petersburg, was sentenced to 81 months in prison for his role as an initial access broker (IAB) facilitating ransomware attacks. Volkov pleaded guilty to multiple charges, including conspiracy to commit computer fraud and money laundering, and must pay at least $9.2 million in restitution to victims. Between July 2021 and November 2022, Volkov breached corporate networks and sold access to ransomware groups, including Yanluowang, resulting in extortion attempts totaling $24 million. He was arrested in Rome in 2024, extradited to the U.S. in 2025, and admitted to working with several major cybercrime groups. Yanluowang, a Russian ransomware operation unmasked in 2022, employed 'triple extortion' tactics and claimed victims such as Cisco and Walmart. Volkov’s activities as an IAB were part of a broader cybercrime supply chain, enabling multiple ransomware-as-a-service (RaaS) groups to accelerate attacks by purchasing network access. Investigators linked Volkov’s identity through digital evidence, including Apple iCloud data and cryptocurrency records, while chat logs and stolen data provided further confirmation of his involvement. His case highlights the interconnected nature of cybercriminal ecosystems, where access brokers, RaaS operators, and affiliates collaborate to maximize financial gain and operational efficiency.
Timeline
- 10.11.2025 21:12 · 2 articles
Yanluowang Ransomware Initial Access Broker Pleads Guilty
Aleksey Olegovich Volkov was sentenced to 81 months in prison for his role as an initial access broker facilitating ransomware attacks, including those by the Yanluowang group. Additional charges include unlawful transfer of identification, trafficking in access information, access device fraud, and aggravated identity theft. Volkov pleaded guilty in multiple U.S. courts before case consolidation in Indiana, and must pay at least $9.2 million in restitution. Investigators linked his identity through digital evidence, including Apple iCloud data and cryptocurrency records, while chat logs and stolen data confirmed his involvement. Volkov was arrested in Rome in 2024 after indictment in 2023, extradited to the U.S. in 2025, and admitted to working with several major cybercrime groups beyond Yanluowang, enabling RaaS operations through access sales.
Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
Information Snippets
- Aleksey Olegovich Volkov used aliases 'chubaka.kor' and 'nets' to facilitate ransomware attacks.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov breached networks and sold access to the Yanluowang ransomware group.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Ransom demands ranged from $300,000 to $15 million, with two victims paying a total of $1.5 million.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Investigators recovered chat logs, stolen data, and evidence of Yanluowang email accounts used for ransom negotiations.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov's identity was traced through Apple iCloud data, cryptocurrency exchange records, and social media accounts.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Chat logs showed Volkov negotiating with a co-conspirator known as 'CC-1' for a percentage of ransom payments.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Investigators found a screenshot of a chat between Volkov and a user named LockBit, suggesting a potential link to the LockBit ransomware gang.
  First reported: 10.11.2025 21:12 (2 sources, 3 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov is facing a maximum sentence of 53 years in prison for multiple charges related to the ransomware attacks.
  First reported: 10.11.2025 21:12 (1 source, 2 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov must pay over $9.1 million in restitution to the victims of the Yanluowang attacks.
  First reported: 10.11.2025 21:12 (2 sources, 2 articles)
  Sources:
- Yanluowang initial access broker pleaded guilty to ransomware attacks — www.bleepingcomputer.com — 10.11.2025 21:12
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Russian national Aleksei Volkov, 26, of St. Petersburg, was sentenced to 81 months in prison in an Indiana court on March 23, 2026.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Volkov pleaded guilty to additional charges including unlawful transfer of a means of identification, trafficking in access information, access device fraud, and aggravated identity theft.
  First reported: 24.03.2026 12:32 (2 sources, 2 articles)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Before consolidation, Volkov pleaded guilty in a Pennsylvania court to conspiracy to commit computer fraud and conspiracy to commit money laundering.
  First reported: 24.03.2026 12:32 (2 sources, 2 articles)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov and co-conspirators attempted to extort victims for a total of $24 million.
  First reported: 24.03.2026 12:32 (2 sources, 2 articles)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov was arrested in Rome in 2024 after being indicted in the U.S. in 2023, and extradited to the U.S. in 2025.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Volkov must pay at least $9.2 million in restitution to known victims.
  First reported: 24.03.2026 12:32 (2 sources, 2 articles)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang ransomware access broker gets 81 months in prison — www.bleepingcomputer.com — 24.03.2026 15:06
- Volkov worked as an IAB for several major cybercrime groups beyond Yanluowang, including other RaaS operations.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang employed 'triple extortion' tactics involving data theft, encryption, and threats of DDoS attacks and employee/business partner harassment since 2021.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Internal Yanluowang communications were leaked in 2022 by a whistleblower, revealing group members including 'Saint', 'Killanas (coder0)', 'Felix', and 'Shoker'.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
- Yanluowang counted Cisco and Walmart among its victims.
  First reported: 24.03.2026 12:32 (1 source, 1 article)
  Sources:
- Russian Initial Access Broker Handed 81-Month Sentence — www.infosecurity-magazine.com — 24.03.2026 12:32
Similar Happenings
Phobos Ransomware Suspect Arrested in Poland
Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks
Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.
Black Basta Leader Identified and Added to Interpol's Red Notice List
Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.
Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports
FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.
Conti Ransomware Member Extradited from Ireland to US
Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.