Cybercrime Prosecutions: ATM Jackpotting Deportations and Ransomware Guilty Plea
U.S. authorities reported multiple enforcement actions against financially motivated cybercrime. In South Carolina, two Venezuelan nationals convicted in an ATM jackpotting scheme will be deported after serving their sentences; prosecutors said they physically accessed older ATM models, connected a laptop, and installed malware that bypassed security controls and forced the machines to dispense cash until they were emptied. The activity impacted banks across several southeastern states, with court-ordered restitution of $285,100 and $126,340 respectively, and investigators said evidence from the case contributed to a broader Nebraska indictment of dozens of individuals tied to a larger ATM-theft conspiracy.
Separately, a Russian national, Ianis Aleksandrovich Antropenko, pleaded guilty in federal court to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse for leading a ransomware operation that targeted at least 50 victims over a four-year period ending in August 2022; he faces up to 25 years in prison, financial penalties, restitution, and forfeiture, and the plea acknowledges potential immigration consequences. A third item describes convicted Bitcoin thief Ilya Lichtenstein seeking post-release work in cybersecurity, but it is not tied to the ATM jackpotting or Antropenko ransomware case and does not add incident-specific threat intelligence.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
DOJ says five other Venezuelans face immediate deportation in related ATM cases
The Justice Department also reported that five additional Venezuelan nationals are subject to immediate deportation over similar ATM jackpotting thefts across multiple U.S. states. The cases involved malware-enabled cash-outs from older ATM models affecting banks in several southeastern states.
Two Venezuelans sentenced in ATM jackpotting case and face deportation
South Carolina federal prosecutors announced that Luz Granados and Johan Gonzalez-Jimenez, convicted in an ATM jackpotting scheme using a Ploutus malware variant, will be deported after serving their sentences. Gonzalez-Jimenez received 18 months in prison and restitution, while Granados was sentenced to time served with restitution and remains in custody pending deportation.
South Carolina ATM jackpotting investigation expands to wider federal case
Evidence developed in a South Carolina ATM jackpotting investigation was shared with Nebraska authorities. That information helped support a broader federal case indicting 54 people in a related nationwide ATM jackpotting conspiracy.
Antropenko pleads guilty in Texas federal court
Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. Prosecutors said he led the ransomware conspiracy while living in Florida and California, and the Justice Department seized millions in cryptocurrency, cash, and luxury vehicles tied to the case.
Antropenko violates pretrial release conditions repeatedly
After his 2024 arrest, Antropenko violated his pretrial release conditions at least three times within a four-month period. The violations included two Southern California arrests involving dangerous behavior while under the influence of drugs and alcohol.
Antropenko arrested in the United States
U.S. authorities arrested Ianis Aleksandrovich Antropenko in 2024 in connection with the ransomware conspiracy. He was granted bail despite the flight-risk concerns that often arise in ransomware cases.
Antropenko ransomware crime spree ends
The Antropenko-led ransomware conspiracy concluded in August 2022 after four years of activity. Investigators later tied the operation to money laundering and computer fraud offenses.
Antropenko-led ransomware conspiracy begins targeting victims
A ransomware conspiracy led by Ianis Aleksandrovich Antropenko operated over a four-year period and ultimately targeted at least 50 victims using variants including Zeppelin and GlobeImposter. The campaign caused at least $1.5 million in victim losses before ending in 2022.


