Yanluowang initial access broker pleaded guilty to ransomware attacks
A Russian man has admitted to taking part in Yanluowang ransomware attacks as an initial access broker, breaching at least eight U.S. companies and selling access to their networks. The FBI traced his identity through a server, iCloud data and social media accounts, and seized chat logs and evidence of ransom payments. He faces up to 53 years in prison and more than $9.1 million in restitution. 2025-11-10 20:30:23 Author: www.bleepingcomputer.com (view original)


A Russian national will plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks that targeted at least eight U.S. companies between July 2021 and November 2022.

According to a plea agreement signed by the defendant on October 29, first spotted by Court Watch editor Seamus Hughes, Aleksey Olegovich Volkov (who used the "chubaka.kor" and "nets" aliases) breached corporate networks and sold that access to the ransomware group, which deployed ransomware to encrypt victims' data and sent ransom demands ranging from $300,000 to $15 million, to be paid in Bitcoin.

FBI investigators obtained search warrants for a server linked to the operation, recovering chat logs, stolen data, victim network credentials, as well as evidence of Yanluowang email accounts used for ransom negotiations.


They also traced Volkov's identity through Apple iCloud data (linked to an account using the alekseyvolkov4574@icloud[.]com Apple ID), cryptocurrency exchange records, and social media accounts (including a Twitter account associated with the qwerty4574@mail[.]ru email) linked to his phone number and Russian passport.

The recovered chat logs showed Volkov negotiating deals with a co-conspirator known as "CC-1" and agreeing to receive a percentage of the ransom payments in exchange for providing credentials to the victims' networks. Following these attacks, Volkov collected a percentage of the resulting $1.5 million in ransom payments.

While reviewing documents from Volkov's Apple account, investigators also found a screenshot of a chat between the defendant and a user named LockBit, suggesting a potential link to the notorious LockBit ransomware gang, according to an affidavit signed by FBI Special Agent Jeffrey Hunter.

Volkov was linked to network breaches affecting a Philadelphia-based company, an engineering firm with 19 U.S. offices, a California company, a Michigan bank, an Illinois business, a Georgia company, an Ohio telecommunications provider, and a business in the Eastern District of Pennsylvania.

Two of the victims paid a total of $1.5 million in ransoms, with blockchain analysis tracing portions of these payments to Bitcoin addresses Volkov provided to CC-1 in their chats, including $94,259 and $162,220 from two different Yanluowang attacks.

Volkov is currently facing a maximum sentence of 53 years in prison for several charges, including unlawful transfer of a means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, and conspiracy to commit money laundering.

He will also be required to pay over $9.1 million ($9,167,198.19) in restitution to the victims of the Yanluowang attacks he was involved in.

The Yanluowang ransomware operation was first spotted in October 2021 and has been linked to highly targeted attacks against companies worldwide. Volkov was arrested in Italy in January 2024, extradited to the United States that same year, and charged after Yanluowang stole non-sensitive files from a Cisco employee's Box folder in May 2022 but failed to encrypt Cisco's systems or collect a ransom.

Source: https://www.bleepingcomputer.com/news/security/yanluowang-initial-access-broker-pleaded-guilty-to-ransomware-attacks/