A single individual selling stolen network credentials to the right buyers can cause more damage than any ransomware group operating alone and a federal court in Indiana made that arithmetic concrete by sentencing a 26-year-old Russian citizen to 81 months in prison for precisely that role — of being an access broker.
Aleksei Volkov, of St. Petersburg, Russia, was sentenced in the Southern District of Indiana for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses.
Volkov operated as what the cybersecurity industry calls an initial access broker, which is a specialized criminal role that sits upstream of ransomware deployment. Rather than executing attacks himself, Volkov found vulnerabilities in computer networks and systems, identified ways to access those networks and systems without authorization, and sold that illicit access to conspirators who were also cybercriminals.
Also read: Iranian State Hackers Act as Access Brokers for Ransomware Gangs, Target U.S. and Allies’ Critical Infrastructure
Those co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware, encrypting victims’ data and preventing them from accessing it, damaging their business operations.
The conspirators then demanded that the victims pay ransom in cryptocurrency — sometimes in the tens of millions of dollars — in exchange for restoring access to the data and promising not to publicly disclose the hack or release victims’ stolen data on a leak website.
The access broker model is a critical enabler of the modern ransomware economy. By separating the intrusion skill from the extortion operation, it allows ransomware groups to scale attacks without needing every member to possess deep technical exploitation expertise. Volkov effectively ran a supply chain for cybercrime — sourcing the raw ingredient that ransomware operators cannot easily produce at volume themselves.
Volkov was arrested on January 18, 2024, in Italy after a Bitcoin transaction originating in Indianapolis tied him to the cybercrime group. He was subsequently extradited to the United States and pleaded guilty to charges including aggravated identity theft and access device fraud.
As part of his plea agreement, Volkov agreed to pay $9,167,198.19 in restitution to known victims. In addition to the 81-month prison term, he received two years of supervised probation. He had been indicted in both the Southern District of Indiana and the Eastern District of Pennsylvania.
The Yanluowang ransomware group, one of the criminal organizations Volkov supplied, previously claimed responsibility for high-profile breaches including a 2022 intrusion into Cisco’s corporate network. The group’s willingness to target major enterprise organizations shows the downstream risk that a single access broker enabling their operations can create across the entire victim landscape.
Prosecuting access brokers — rather than only the ransomware operators who deploy the final payload — directly attacks the supply chain that makes large-scale ransomware campaigns economically viable. Targeting that upstream layer forces criminal networks to either develop intrusion capabilities in-house — a significant barrier — or risk greater exposure by broadening their supplier relationships.
