Guilty Plea of Ukrainian National for Nefilim Ransomware Attacks
Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conspiracy to commit computer fraud for his role in deploying Nefilim ransomware against high-revenue companies in the United States and other countries. Stryzhak and his co-conspirators generated unique ransomware executables, decryption keys, and ransom notes for each victim, targeting organizations with annual revenues exceeding $100 million and threatening to publish stolen data unless ransoms were paid. He was arrested in Spain in June 2024 and extradited to the United States, where he faces up to 10 years in prison. Authorities are still seeking his alleged co-conspirator, Volodymyr Tymoshchuk, and have announced an $11 million reward for information leading to his arrest or conviction.
The Nefilim ransomware group, for which Stryzhak operated, caused millions of dollars in losses through extortion payments and damage to victim networks. The group primarily targeted companies in the United States, Canada, and Australia, conducting research on potential victims to maximize the impact of their attacks. The U.S. Department of Justice highlighted the international scope of the operation and the significant financial and reputational harm inflicted on victim organizations. Stryzhak’s guilty plea marks a significant development in ongoing efforts to disrupt major ransomware operations and bring perpetrators to justice.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Stryzhak's sentencing is scheduled for May 2026
Following his guilty plea, Stryzhak faces a maximum sentence of 10 years in prison. Court reporting indicates his sentencing is scheduled for May 6, 2026.
Artem Stryzhak pleads guilty in U.S. federal court
Stryzhak pleaded guilty to conspiracy to commit computer fraud for his role in Nefilim ransomware attacks targeting high-revenue companies in the U.S. and other countries. He admitted participating in extortion schemes that encrypted systems and threatened to leak stolen data.
U.S. offers $11 million reward for Volodymyr Tymoshchuk
The U.S. Department of State announced a reward of up to $11 million for information leading to the arrest or conviction of alleged Nefilim administrator Volodymyr Tymoshchuk. He remains at large and is accused of ties to multiple ransomware strains.
Stryzhak is extradited from Spain to the United States
After his arrest in Spain, Stryzhak was extradited to the U.S. to face federal charges related to conspiracy to commit computer fraud tied to Nefilim ransomware attacks. Reports place the extradition in April 2025.
Spanish authorities arrest Artem Stryzhak in Barcelona
Stryzhak was arrested in Spain in connection with his role in Nefilim ransomware attacks against organizations in the United States and other countries. Multiple reports place the arrest in June 2024.
Artem Stryzhak joins the Nefilim ransomware operation
Stryzhak gained access to the Nefilim ransomware code in exchange for a share of ransom proceeds and began participating as an affiliate. He used customized ransomware and ransom notes for individual victims.
Nefilim ransomware is first observed
Nefilim ransomware was first observed in 2020 and is described as a successor to Nemty. The group used an affiliate model and double-extortion tactics against large enterprises.
Tymoshchuk-linked ransomware attacks hit organizations in the U.S. and Europe
According to U.S. authorities, Volodymyr Tymoshchuk was involved in ransomware operations including Nefilim, LockerGoga, and MegaCortex that attacked hundreds of organizations in the U.S. and Europe, causing millions of dollars in damage. The activity spanned from 2018 to 2021.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Ukrainian hacker admits affiliate role in Nefilim ransomware gang
bleepingcomputer.com
Open sourceNefilim ransomware hacker pleads guilty to computer fraud
therecord.media
Open sourceUkrainian National Pleads Guilty in Nefilim Ransomware Conspiracy
hackread.com
Open sourceThe $100M Stalker: Nefilim Ransomware Affiliate Pleads Guilty as DOJ Hunts Fugitive Leader
securityonline.info
Open sourceUkrainian hacker pleads guilty to Nefilim Ransomware attacks in U.S.
securityaffairs.com
Open sourceUkrainian National Pleads Guilty to Conspiracy to Use Nefilim Ransomware to Attack Companies in the United States and Other Countries
databreaches.net
Open sourceUkrainian national pleads guilty to Nefilim ransomware attacks
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Guilty Plea of Yanluowang Ransomware Initial Access Broker
Aleksei Olegovich Volkov, a Russian national, pleaded guilty in the United States to charges related to his role as an initial access broker (IAB) for the Yanluowang ransomware group. Volkov provided access to at least seven U.S. organizations between July 2021 and November 2022, enabling the deployment of ransomware that resulted in ransom demands ranging from $300,000 to $15 million. He received a percentage of the ransom payments, including $94,259 from a $500,000 ransom and $162,220 from a $1 million ransom, and was ordered to pay nearly $9.2 million in restitution to affected organizations. Volkov's activities were uncovered through digital forensics, including chat logs, cryptocurrency records, and social media accounts, and he was extradited to the U.S. after being apprehended in Rome. The indictment and plea agreement detail Volkov's collaboration with co-conspirators, his use of aliases such as "chubaka.kor," and his involvement in negotiating ransom payments and providing network credentials to the Yanluowang group. The attacks affected a range of U.S. businesses, including engineering firms, banks, and telecommunications providers, with some victims able to restore from backups and avoid ransom payments. Volkov faces up to 53 years in prison for charges including access device fraud, aggravated identity theft, and conspiracy to commit money laundering and computer fraud.
Mar 21, 2026
Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national **Oleksii Oleksiyovych Lytvynenko** pleaded guilty in U.S. federal court to **conspiracy to commit wire fraud** for his role in the **Conti** ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to **20 years in prison**, with sentencing scheduled for September 2026. The Justice Department said Conti targeted more than **1,000 victims** across **47 U.S. states**, Puerto Rico, Washington, D.C., and about **31 countries**, extorting more than **$150 million** in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about **$634,000 in Bitcoin** from two Tennessee victims and leaked stolen data from another Tennessee organization after a **$3 million** ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including **Black Basta**, **Quantum**, **Royal**, and **BlackSuit**.
Jun 15, 2026
Phobos Ransomware Administrator Evgenii Ptitsyn Pleads Guilty in U.S. Case
U.S. prosecutors said **Evgenii Ptitsyn**, a 43-year-old Russian national described as an administrator/leader behind the **Phobos** ransomware operation, pleaded guilty to **wire fraud conspiracy** tied to a global ransomware-and-extortion scheme. Court filings and DOJ statements cited in reporting say Phobos and its affiliates victimized **more than 1,000 organizations** worldwide and extorted **over $39 million**, with victims including U.S. healthcare providers, hospitals, educational institutions, and other essential services. Ptitsyn was arrested in **South Korea** and later extradited to the United States; he faces a **maximum of 20 years** in prison. Authorities described Phobos as an affiliate-driven operation in which administrators developed and distributed the ransomware, coordinated sales via a **darknet site**, and advertised services on criminal forums/messaging platforms, while affiliates typically gained access to victim networks—often using **stolen credentials**—to steal and encrypt data and then demand payment for decryption. Reporting also described a fee/revenue model in which affiliates paid administrators for **unique decryption keys** and administrators took a cut of proceeds; Ptitsyn agreed to forfeit **$1.77 million** and pay at least **$39.3 million** in restitution. Additional context in coverage linked Phobos to related activity (including the **8Base** strain) and noted prior law-enforcement actions against other alleged members, as well as the release of a **free Phobos decryption tool** by Japanese authorities.
Mar 21, 2026