
Guilty Plea of Yanluowang Ransomware Initial Access Broker

enforcement-action, ransomware-group-operation, cybercrime-service-ecosystem, initial-access-method, telecommunications-sector-threat

Updated March 21, 2026 at 03:27 PM (5 sources)
Aleksei Olegovich Volkov, a Russian national, pleaded guilty in the United States to charges related to his role as an initial access broker (IAB) for the Yanluowang ransomware group. Volkov provided access to at least seven U.S. organizations between July 2021 and November 2022, enabling the deployment of ransomware that resulted in ransom demands ranging from $300,000 to $15 million. He received a percentage of the ransom payments, including $94,259 from a $500,000 ransom and $162,220 from a $1 million ransom, and was ordered to pay nearly $9.2 million in restitution to affected organizations. Volkov's activities were uncovered through digital forensics, including chat logs, cryptocurrency records, and social media accounts, and he was extradited to the U.S. after being apprehended in Rome.

The indictment and plea agreement detail Volkov's collaboration with co-conspirators, his use of aliases such as "chubaka.kor," and his involvement in negotiating ransom payments and providing network credentials to the Yanluowang group. The attacks affected a range of U.S. businesses, including engineering firms, banks, and telecommunications providers, with some victims able to restore from backups and avoid ransom payments. Volkov faces up to 53 years in prison for charges including access device fraud, aggravated identity theft, and conspiracy to commit money laundering and computer fraud.

Timeline

  1. Nov 10, 2025

    Volkov pleads guilty in U.S. ransomware access-broker case

    On or before November 10, 2025, Volkov pleaded guilty in the United States to multiple charges tied to acting as an initial access broker for Yanluowang ransomware attacks. Court filings said he profited from ransom payments, and he was ordered to pay more than $9.1 million in restitution to six victims; sentencing had not yet been set.

  2. Jan 1, 2024

    Volkov extradited to the United States

    After his arrest in Italy, Volkov was extradited to the U.S. in 2024 to face prosecution over his alleged role in facilitating Yanluowang ransomware intrusions. U.S. investigators had tied him to the operation using iCloud data, crypto exchange records, social media accounts, and recovered server evidence.

  3. Jan 1, 2024

    Volkov arrested in Italy

    Italian authorities arrested Volkov in January 2024 in connection with his alleged role as an initial access broker supporting Yanluowang ransomware attacks. The arrest preceded his transfer to the United States to face fraud, identity, and money-laundering-related charges.

  4. Jul 1, 2021

    Volkov brokers access for Yanluowang attacks on U.S. companies

    From July 2021 through November 2022, Aleksei Olegovich Volkov allegedly breached corporate networks and sold stolen employee credentials and other access to the Yanluowang ransomware group. Prosecutors say this enabled attacks on at least seven or eight U.S. organizations, with ransom demands ranging from $300,000 to $15 million.

Related Stories

Guilty Plea of Yanluowang Ransomware Initial Access Broker

Aleksei Olegovich Volkov, a Russian national operating under the alias 'chubaka.kor', pleaded guilty to hacking into U.S. companies and selling network access to ransomware groups, specifically those deploying the Yanluowang ransomware. Volkov used various techniques to compromise employee accounts, escalate privileges, and then brokered access to other cybercriminals, facilitating ransomware attacks on at least seven U.S. organizations, including a bank, a telecommunications company, and an engineering firm. Court documents reveal that two of the victims paid ransoms totaling $1.5 million in Bitcoin, with Volkov receiving a portion of the proceeds. Volkov's activities spanned from July 2021 to November 2022, after which the Yanluowang group ceased operations following a hack and leak of their internal data. He was arrested in 2024 after relocating to Rome and subsequently extradited to the United States, where he now faces up to 50 years in prison and fines up to $1 million, along with restitution to victims. The case highlights the significant role of initial access brokers in enabling ransomware operations and the ongoing law enforcement efforts to disrupt such cybercriminal supply chains.

1 month ago
Initial access broker Aleksei Volkov sentenced for enabling Yanluowang ransomware attacks

A U.S. federal court sentenced Russian national **Aleksei Volkov**, 26, to **81 months in prison** for acting as an initial access broker who helped major cybercrime groups, including the **Yanluowang** ransomware operation, compromise U.S. companies and other organizations. Prosecutors said Volkov gained unauthorized access to victim networks and sold that access to ransomware operators, who then deployed malware, encrypted systems, stole data, and extorted victims through cryptocurrency ransom demands. The U.S. Department of Justice said the campaign caused more than **$9 million in actual losses** and more than **$24 million in intended losses**. Volkov was indicted in Indiana and Pennsylvania, arrested in Rome, extradited from Italy to the United States, and later pleaded guilty after the cases were consolidated. As part of the plea, he admitted hacking victim networks, stealing data, helping co-conspirators deploy ransomware, and sharing in ransom proceeds; he was also ordered to pay at least **$9,167,198.19** in restitution and forfeit equipment used in the crimes.

1 month ago
Guilty Plea of Ukrainian National for Nefilim Ransomware Attacks

Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conspiracy to commit computer fraud for his role in deploying Nefilim ransomware against high-revenue companies in the United States and other countries. Stryzhak and his co-conspirators generated unique ransomware executables, decryption keys, and ransom notes for each victim, targeting organizations with annual revenues exceeding $100 million and threatening to publish stolen data unless ransoms were paid. He was arrested in Spain in June 2024 and extradited to the United States, where he faces up to 10 years in prison. Authorities are still seeking his alleged co-conspirator, Volodymyr Tymoshchuk, and have announced an $11 million reward for information leading to his arrest or conviction. The Nefilim ransomware group, for which Stryzhak operated, caused millions of dollars in losses through extortion payments and damage to victim networks. The group primarily targeted companies in the United States, Canada, and Australia, conducting research on potential victims to maximize the impact of their attacks. The U.S. Department of Justice highlighted the international scope of the operation and the significant financial and reputational harm inflicted on victim organizations. Stryzhak’s guilty plea marks a significant development in ongoing efforts to disrupt major ransomware operations and bring perpetrators to justice.

1 month ago
