Aleksei Volkov, a 26-year-old Russian national from St. Petersburg, has been sentenced to 81 months in federal prison by a court in the Southern District of Indiana. Volkov was found to have assisted major cybercrime organizations, including the Yanluowang ransomware group, in attacks that resulted in more than $9 million in confirmed losses and over $24 million in intended losses across the United States. The sentencing marks the conclusion of a case that spanned multiple US jurisdictions and involved an international arrest.
Volkov operated as an “initial access broker,” a role in which he gained unauthorized entry into corporate networks and sold that access to other criminal actors. Those buyers then deployed ransomware to encrypt victims’ data and demanded cryptocurrency payments — sometimes reaching tens of millions of dollars — in exchange for restoring access and refraining from publishing stolen information on leak sites. Court documents describe this as a structured criminal enterprise in which Volkov received a share of the ransom proceeds.
Authorities in Rome, Italy, arrested Volkov before he was extradited to the United States to face charges. On November 25, 2025, he pleaded guilty to six counts in total. Four counts stemmed from the Southern District of Indiana indictment and covered unlawful transfer of a means of identification, trafficking in access information, access device fraud, and aggravated identity theft. Two additional counts from an Eastern District of Pennsylvania indictment addressed conspiracy to commit computer fraud and conspiracy to commit money laundering.
As part of his plea agreement, Volkov acknowledged that he and his co-conspirators demanded tens of millions of dollars in ransom and ultimately received millions. The court ordered him to pay nearly $9.2 million in restitution to known victims and to forfeit equipment used in carrying out his crimes. The case illustrates the layered structure of modern ransomware operations, in which specialists handle distinct roles such as access brokering, malware deployment, and payment processing.
Ransomware activity continues to present challenges for the broader cryptocurrency ecosystem, which is frequently used as the payment mechanism in such attacks. According to Chainalysis’ 2026 Crypto Crime Report, on-chain ransomware payments totaled $820 million in 2025, representing an 8% decline year-over-year. However, claimed attacks rose by 50% over the same period, and the median ransom payment surged 368% to nearly $60,000, suggesting that while fewer payments were completed, those that were made involved larger sums.
In a notable technical development, ransomware operators have begun incorporating blockchain smart contracts into their distribution infrastructure. The DeadLock ransomware strain, for example, uses Polygon smart contracts to rotate and distribute proxy server addresses, while EtherHiding targets smart contracts on BNB Smart Chain and Ethereum. These methods reflect an ongoing effort by cybercriminals to exploit decentralized infrastructure in ways that complicate detection and takedown efforts.
Originally reported by Decrypt.
