Russian hacker pleads guilty to aiding Yanluowang ransomware attacks
Farah Amod
November 27, 2025
A Russian national has admitted to brokering corporate network access used in a string of ransomware attacks that struck US companies between 2021 and 2022.
What happened
According to BleepingComputer, Aleksey Olegovich Volkov, also known by the aliases “chubaka.kor” and “nets,” has agreed to plead guilty to federal charges for his role as an initial access broker (IAB) for the Yanluowang ransomware group. Prosecutors say Volkov breached the networks of at least eight US companies and sold access to the group, which later encrypted victims’ data and demanded ransoms ranging from $300,000 to $15 million in Bitcoin.
According to court filings, Volkov operated between July 2021 and November 2022. The FBI traced his identity through Apple iCloud data, cryptocurrency exchange records, and linked social media accounts. Investigators also recovered stolen data, ransom negotiation emails, and chat logs confirming his part in multiple attacks.
Going deeper
Volkov’s digital footprint tied him to several large-scale breaches, including those targeting a Philadelphia-based firm, a Michigan bank, an Ohio telecommunications provider, and an engineering company with offices nationwide. Two victims reportedly paid a combined $1.5 million in ransom. Blockchain analysis confirmed that parts of those payments were transferred to Bitcoin wallets associated with Volkov.
The investigation also revealed a possible connection to the LockBit ransomware group, after FBI agents found a screenshot of a chat between Volkov and a user named “LockBit” within his iCloud account. Volkov’s cooperation is expected to shed more light on how access brokers link different ransomware groups through underground markets.
Volkov was arrested in Italy in January 2024, extradited to the United States, and charged later that year. He faces up to 53 years in prison and must pay over $9.1 million in restitution to his victims.
What was said
Court documents detail Volkov’s communications with a co-conspirator, known as “CC-1,” in which he negotiated commissions in exchange for access credentials. FBI Special Agent Jeffrey Hunter stated in his affidavit that the evidence gathered, including Volkov’s personal Apple ID and linked crypto transactions, provided a clear chain connecting him to the Yanluowang attacks.
The big picture
According to The Record, Volkov’s plea agreement offers a rare inside look at how ransomware crews operate behind the scenes. The document states that “the defendant admits being the [initial access broker] for the Yanluowang ransomware attacks” and knowingly provided network access “for the purpose of attacking them with ransomware.” It also confirms that “the defendant admits that he was paid a portion of the ransomware proceeds” and that the group “divided the ransom payments amongst themselves, using numerous cryptocurrency transactions to conceal their identities and obfuscate the source of the funds.” The Record notes that Volkov agreed to pay “more than $9 million in restitution,” proving how financially devastating these attacks are for victims.
FAQs
What is an initial access broker (IAB)?
An IAB is a cybercriminal who specializes in gaining unauthorized access to corporate networks and selling that access to ransomware or espionage groups.
How does Yanluowang ransomware operate?
Yanluowang typically infiltrates networks through purchased access, encrypts systems, and demands multimillion-dollar payments in Bitcoin to restore data or prevent leaks.
Why is the LockBit connection significant?
LockBit is one of the most active ransomware groups globally. Evidence linking Volkov to LockBit suggests possible collaboration or overlap between major ransomware operations.
What is the role of cryptocurrency tracing in such investigations?
Blockchain forensics enables authorities to follow ransom payments across wallets, helping connect digital evidence to real-world identities, as seen in Volkov’s case.
What does this case reveal about ransomware trends?
It shows that ransomware attacks have changed into structured ecosystems, with specialized roles, from access brokers to negotiators, making them more efficient and resilient to enforcement efforts.
