Russian Access Broker Gets 81 Months for Yanluowang Attacks
Aleksei Volkov sentenced to nearly 7 years for selling network access to ransomware gangs. Facilitated dozens of attacks causing over $9 million in losses to US organizations.
A federal court in Indiana sentenced Russian citizen Aleksei Olegovich Volkov to 81 months (nearly seven years) in prison for his role as an initial access broker who sold compromised network access to the Yanluowang ransomware gang and other cybercriminal groups.
The Department of Justice announced that Volkov, 26, facilitated dozens of ransomware attacks against U.S. organizations, causing over $9 million in actual losses and $24 million in intended losses. He must also pay at least $9,167,198 in restitution to identified victims.
How Initial Access Brokers Operate
Volkov's case illustrates the increasingly specialized cybercrime ecosystem. Rather than conducting end-to-end ransomware operations himself, he focused on the initial intrusion phase—exploiting vulnerabilities to breach organizational networks and then selling that access to ransomware operators.
This division of labor benefits both parties. Access brokers like Volkov can monetize their exploitation skills without managing ransomware infrastructure or victim negotiations. Ransomware gangs save time and reduce exposure by purchasing ready-made access rather than conducting their own reconnaissance and initial compromise.
The ransomware attack patterns we've tracked throughout 2026 consistently show this broker-to-operator handoff, making the prosecution of access brokers strategically important for disrupting the supply chain.
Yanluowang Connection
Volkov worked specifically with the Yanluowang ransomware crew, which targeted large enterprises across multiple sectors. According to court documents, "Volkov's co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware," encrypting victim data and demanding cryptocurrency payments.
Yanluowang operated through 2022 and 2023 before law enforcement pressure and internal leaks disrupted operations. The gang was known for targeting high-value organizations and maintaining sophisticated negotiation tactics.
Arrest and Extradition
Italian authorities arrested Volkov in Rome on January 18, 2024. Following extradition to the United States, he pleaded guilty in November 2025 to multiple charges including:
- Unlawful transfer of means of identification
- Trafficking in access information
- Access device fraud
- Aggravated identity theft
- Two counts of computer fraud
- Conspiracy to commit money laundering
The multi-jurisdictional nature of the case—Russian national, arrested in Italy, prosecuted in Indiana—demonstrates the international cooperation required to pursue cybercriminals who operate across borders.
Second Russian Sentenced This Month
Volkov's sentencing follows that of another Russian national, Ilya Angelov, who received two years in prison for managing a botnet used to launch ransomware attacks. Angelov's operation facilitated attacks against more than 70 U.S. companies, resulting in over $14 million in extortion payments.
Together, these cases signal continued U.S. law enforcement pressure on Russian cybercriminals, even when direct extradition from Russia remains impossible. Arresting suspects during international travel has become a key tactic.
Restitution and Forfeiture
Beyond the prison sentence, the court ordered Volkov to:
- Pay at least $9,167,198 to known victims
- Forfeit tools and proceeds used in or derived from the criminal activity
- Serve three years of supervised release following incarceration
The restitution figure represents only identified losses from cooperating victims. Actual damages across all affected organizations likely exceed this amount significantly.
Why This Matters
Initial access brokers represent a critical chokepoint in the ransomware ecosystem. By targeting these specialists, law enforcement can disrupt multiple downstream operations simultaneously.
For organizations, the case reinforces that preventing initial access remains the highest-leverage defensive investment. The vulnerabilities Volkov exploited to gain footholds weren't sophisticated zero-days—they were known weaknesses in external-facing systems.
Understanding how ransomware attacks unfold helps security teams prioritize the controls most likely to prevent initial compromise before access brokers can monetize the intrusion.
The sentence also demonstrates that geographic distance provides diminishing protection. Cybercriminals who assume they're safe because they operate from jurisdictions unfriendly to U.S. law enforcement face arrest risk whenever they travel internationally.