The TA551 botnet’s internal nickname was Mario Kart. Someone thought that was a good name for infrastructure that delivered ransomware to 72 US companies. Ilya Angelov co-ran it. He was sentenced this week in Detroit to two years and a $100,000 fine.
Now the other case.
Aleksei Volkov, 26, from St. Petersburg. His job was breaking into company networks and selling the access to ransomware crews. He worked with Yanluowang. Documented damage: about $9 million. He got 81 months – six years and nine months – in the Southern District of Indiana.
Same week. Very different numbers.
Part of the gap comes from circumstances. Angelov voluntarily traveled to the US. That’s not a typo. A Russian cybercriminal running an operation the security industry tracks under at least five different names walked into US jurisdiction of his own accord. The sentencing judge explicitly noted it. Voluntary surrender carries weight. Volkov, by contrast, was arrested in Rome and extradited.
But beyond how each got here, there’s the question of what each one did. Angelov ran delivery infrastructure. Volkov was an Initial Access Broker: he sold footholds. The DOJ’s sentencing math suggests it views selling the keys as more culpable than running the van that shows up afterward. Nearly seven years versus two makes that pretty clear.
Whether these convictions actually change the economics for everyone still operating is a harder question. The ransomware ecosystem isn’t visibly shrinking. But the assumption that Russian geography provides permanent cover has been wrong often enough now that it probably needs updating.