A Russian national is set to plead guilty to several charges at the end of the month for his role as a participant in multiple Yanluowang ransomware attacks.
Last week, federal prosecutors unsealed court documents for Aleksey Olegovich Volkov, a 25-year-old who was arrested in Rome two years ago.
Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the ransom. The court documents were first spotted by reporter Seamus Hughes.
The indictment lists at least eight victims, two of which paid hackers a total of about $1.5 million to unlock their systems. Volkov received a cut of more than $256,000. Prosecutors said he also earned thousands from offering other hackers access to the companies he had infiltrated.
After his 2023 arrest in Rome, Volkov was extradited to the U.S. and on October 29, 2025 he agreed to a plea deal that will be signed at a federal court in Indiana on November 25 and his sentencing will take place at a later date. He is facing decades in prison on charges of hacking into computers, stealing information and attempting to extort companies.
As part of the plea deal, Volkov agreed to pay more than $9 million in restitution to at least six of the victims.
“The defendant admits being the [initial access broker] for the Yanluowang ransomware attacks against Victims 3 through 6, as well as other potential victims during the conspiracy, and knew that he was providing access to victim networks to his conspirators for the purpose of attacking them with ransomware,” the plea deal stated.
“The defendant admits that he was paid a portion of the ransomware proceeds. The defendant admits that the conspirators divided the ransom payments amongst themselves, using numerous cryptocurrency transactions to conceal their identities and obfuscate the source of the funds.”
chubaka.kor
From July 2021 to November 2022, Volkov worked with members of the Yanluowang ransomware gang on several attacks targeting U.S.-based organizations.
He helped the group with their initial access and also launched distributed denial-of-service (DDoS) attacks as well as other threatening tactics to force victims to pay ransoms. Some companies said executives received threatening calls from Yanluowang members demanding they pay ransoms.
Victims included banks, telecommunications companies and engineering firms in Pennsylvania, California, Michigan, Illinois, Georgia and Ohio.
The FBI was able to obtain a server that showed messages between a member of the ransomware gang and an account going by the name “chubaka.kor.” Many of the messages showed “chubaka.kor” offering the ransomware gang access to victim networks for a price.
The FBI traced the ransom payments back to cryptocurrency addresses belonging to an account owned by “Alekseq Olegovi3 Volkov.” The cryptocurrency exchange confirmed that the account was verified with a Russian passport in the name of Aleksey Volkov with a birthdate of March 20, 2000.
Using the email account tied to that cryptocurrency wallet, the FBI found a Twitter account which eventually led them to an Apple ID belonging to the email address alekseyvolkov4574@icloud[.]com.
The FBI noted that they found evidence Volkov had also been communicating with members of the LockBit ransomware gang.
Cybersecurity firm Symantec first discovered the Yanluowang group in October 2021, and it quickly got a reputation for the skill in which it targeted Western companies, such as Cisco and Walmart.
The group disbanded at the end of 2022 when its leak site was hacked and the contents of one of the group’s discussion channels – some 2,700 messages sent between January and September 2022 – were uploaded to a website.
Using the leaked chats, researchers and law enforcement confirmed a long-running suspicion — that despite the name, Yanluowang members were just masquerading as Chinese hackers.
At least one member of the group was believed to be a member at the Russian Federation Ministry of Defense.
Kaspersky researchers found a vulnerability in the Yanluowang encryption algorithm and released a free decrypter in 2022.
Recorded Future
Intelligence Cloud.
Learn more.
