Internal leaks from the ransomware group BlackBasta have exposed the critical infrastructure enabling its operations, shedding light on the shadowy ecosystem of cybercrime. These revelations, surfacing in February and March 2025, led to the identification of real identities, including Kirill Zatolokin, also known as Slim Shady, and exposed the operations of Yalishanda, a Russian business operating under the guise of Media Land. This bulletproof hosting provider served as a vital backbone for cybercriminal activities, including extensive support for the BlackBasta ransomware group.
The information emerged through two significant data dumps. The first, released by an individual calling themselves ExploitWhispers on Telegram, contained approximately 200,000 internal messages from BlackBasta, spanning from September 2023 to September 2024. This leak detailed user identities and operational communications. The second leak, attributed to an unknown actor in March 2025, provided a database linked to Media Land, revealing server configurations, client records, and cryptocurrency wallet addresses, further solidifying the connection between the seemingly legitimate business and illicit cyber activities.
The Role of Bulletproof Hosting in Ransomware Operations
Bulletproof hosting providers like Yalishanda are essential components of the modern cybercrime supply chain, offering services that are deliberately unresponsive to abuse reports. This unresponsiveness allows ransomware operators to securely host their command-and-control servers, manage data exfiltration, and set up payment portals without fear of rapid takedown. Yalishanda’s services reportedly included server hosting, domain registration, technical support, and crucial protection against law enforcement inquiries.
The leaked BlackBasta communications indicated a substantial reliance on Media Land’s infrastructure. The ransomware group was found to be utilizing around 200 servers managed by Media Land, consuming a significant amount of bandwidth, with plans for further expansion. Kirill Zatolokin, operating as Slim Shady, served as a key technical liaison between BlackBasta and Yalishanda. His role involved managing infrastructure requests, providing technical updates, and ensuring the smooth operation of BlackBasta’s backend systems.
Messages from the leaks, verified by security analysts, show Zatolokin discussing server performance, bandwidth upgrades, and even referring to Media Land’s services as originating from a “private data center.” This indicates a level of dedicated, high-priority support furnished to BlackBasta, allowing the ransomware group to concentrate on its core attack strategies and victim engagement while outsourcing the complexities of maintaining robust and resilient infrastructure.
The Russian cybercrime landscape is characterized by a layered ecosystem where ransomware groups depend on specialized service providers. Bulletproof hosting companies form a critical layer of this network, providing the essential technical scaffolding that enables various cybercriminal operations to function effectively. Without such infrastructure providers, the scalability and persistence of ransomware attacks would be significantly hampered.
These revelations prompted swift international regulatory action. On November 19, 2025, the U.S. Department of the Treasury, in coordination with Australian and United Kingdom authorities, imposed sanctions on Media Land and its subsidiary, Data Center Kirishi. The sanctions targeted two key individuals: Aleksandr Volosovik, identified as the company’s director and known in criminal circles as Yalishanda, and Kirill Zatolokin.
Volosovik was sanctioned for marketing infrastructure services to threat actors, while Zatolokin faced repercussions for his direct involvement in supporting BlackBasta’s activities, including customer support and technical coordination. The sanctions aim to disrupt the financial and operational capabilities of these entities and individuals, signaling a concerted effort by international bodies to dismantle the support networks that fuel ransomware operations.
The exposure of these connections highlights the interconnected nature of cybercrime and the vital role of professionalized service providers. The relationship between BlackBasta and Yalishanda, facilitated by individuals like Zatolokin, represents a sophisticated criminal supply chain where specialized services are leveraged to maximize operational success. The ongoing investigations and sanctions suggest a continued focus on targeting not just the ransomware operators themselves, but also the infrastructure and service providers that enable their illicit activities.
Moving forward, authorities will likely continue to pursue individuals and entities involved in providing bulletproof hosting and related services to cybercriminal organizations. The effectiveness of these sanctions and the potential for further disruptions to ransomware infrastructure will be closely watched by the cybersecurity community. The investigation into the full extent of Yalishanda’s operations and its client base is expected to continue, which may lead to additional enforcement actions.

