Extradition and Prosecution of Conti Ransomware Operator Oleksii Lytvynenko
Oleksii Oleksiyovych Lytvynenko, a Ukrainian national alleged to be a key member of the Conti ransomware group, was extradited from Ireland to the United States to face charges related to his involvement in global ransomware attacks. U.S. authorities accuse Lytvynenko of participating in Conti's double extortion operations between 2020 and June 2022, controlling stolen data, sending ransom notes, and extorting millions in cryptocurrency from victims worldwide, including specific incidents in Tennessee. He was arrested in Cork, Ireland, in July 2023 by Irish police at the request of the U.S., and after lengthy extradition proceedings, appeared in a Tennessee court facing charges of computer fraud conspiracy and wire fraud conspiracy, with a potential sentence of up to 25 years if convicted.
The Conti ransomware group, which replaced the Ryuk operation in 2020, became one of the most prolific and aggressive ransomware syndicates, responsible for over 1,000 attacks in the U.S. and more than 30 countries, collecting approximately $150 million in ransom payments. The group targeted critical infrastructure and high-profile organizations, exploiting vulnerabilities such as Log4j and ProxyShell. After the group disbanded in 2022, its members, including Lytvynenko, allegedly continued cybercriminal activities. The U.S. Department of Justice and FBI have highlighted Conti's significant impact on global cybersecurity, with Lytvynenko's prosecution marking a major step in international law enforcement efforts against ransomware operators.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Lytvynenko is extradited to the U.S. and appears in Tennessee court
The U.S. Department of Justice announced that Lytvynenko was extradited from Ireland and made an initial appearance in the Middle District of Tennessee on the 2023 indictment. Prosecutors said he faces federal charges carrying a potential sentence of up to 25 years in prison.
Irish extradition proceedings against Lytvynenko conclude
The extradition process in Ireland concluded in October 2025, clearing the way for Lytvynenko to be transferred to U.S. custody. This ended his detention in Ireland pending the U.S. case.
Irish police arrest Lytvynenko at U.S. request
In July 2023, An Garda Síochána arrested Lytvynenko in Ireland at the request of the United States. An Irish court then detained him pending extradition proceedings.
United States indicts Lytvynenko on Conti-related charges
A 2023 U.S. indictment charged Oleksii Oleksiyovych Lytvynenko with conspiracy to commit computer fraud and conspiracy to commit wire fraud in connection with the Conti ransomware conspiracy. The indictment later formed the basis for his extradition and initial court appearance in Tennessee.
Lytvynenko's alleged participation in Conti activity ends
Court documents allege Lytvynenko conspired to deploy Conti ransomware, steal data, and extort victims from around 2020 through about June 2022. Prosecutors say this included more than $500,000 in cryptocurrency extorted from two victims in Tennessee.
FBI estimates Conti had extorted at least $150 million
As of January 2022, the FBI estimated Conti had attacked more than 1,000 victims worldwide and collected at least $150 million in ransom payments. The DOJ cited this as evidence of the operation's scale and impact.
Conti becomes a major critical infrastructure ransomware threat
By 2021, the FBI assessed Conti was used in more critical infrastructure attacks than any other ransomware variant. The group also exploited widely abused vulnerabilities such as Log4j and ProxyShell during its campaigns.
Conti ransomware operation begins targeting victims worldwide
U.S. authorities say the Russia-based Conti ransomware operation began in 2020 and carried out intrusions, data theft, encryption, and double-extortion attacks against organizations globally. Prosecutors allege Oleksii Oleksiyovych Lytvynenko participated in this activity from around 2020.
Sources
Ukrainian extradited to US for alleged role in Conti ransomware attack (scworld.com)
Ukrainian extradited to US over Conti ransomware involvement (securityaffairs.com)
Conti Ransomware Operator Oleksii Lytvynenko Extradited from Ireland to Face Federal Hacking Charges (securityonline.info)
Ukrainian extradited from Ireland on Conti ransomware charges (bleepingcomputer.com)
Ukrainian Conti Ransomware Suspect Extradited to US from Ireland (databreaches.net)
Ukrainian allegedly involved in Conti ransomware attacks faces up to 25 years in jail (cyberscoop.com)
Alleged Conti ransomware gang affiliate appears in Tennessee court after Ireland extradition (therecord.media)
Ukrainian Conti Ransomware Suspect Extradited to US from Ireland (hackread.com)
Ukrainian National Extradited from Ireland in Connection with Conti Ransomware (justice.gov)


