Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national Oleksii Oleksiyovych Lytvynenko pleaded guilty in U.S. federal court to conspiracy to commit wire fraud for his role in the Conti ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to 20 years in prison, with sentencing scheduled for September 2026.
The Justice Department said Conti targeted more than 1,000 victims across 47 U.S. states, Puerto Rico, Washington, D.C., and about 31 countries, extorting more than $150 million in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about $634,000 in Bitcoin from two Tennessee victims and leaked stolen data from another Tennessee organization after a $3 million ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including Black Basta, Quantum, Royal, and BlackSuit.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Sentencing scheduled for Lytvynenko
The court scheduled Lytvynenko's sentencing for September 10, 2026, following his guilty plea in the Conti case.
Lytvynenko pleads guilty in U.S. federal court
Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks, admitting involvement in the criminal operation and facing up to 20 years in prison.
Lytvynenko extradited from Ireland to the United States
After his arrest in Ireland, Lytvynenko was extradited to the United States in October 2025 to face federal charges tied to Conti ransomware operations.
Lytvynenko arrested in Ireland
Lytvynenko was arrested in Ireland in July 2023 in connection with his alleged role in Conti ransomware attacks.
U.S. unseals indictment against four additional Conti conspirators
Authorities said an indictment against four additional alleged Conti conspirators was unsealed in September 2023, expanding the public U.S. case against the ransomware network.
Conti ransomware campaign operates globally
According to the Justice Department description cited in the references, Conti conducted ransomware operations from 2020 to 2022, targeting organizations across 47 U.S. states and 31 foreign countries and extorting at least $150 million.
Conti shuts down after internal leaks
The Conti ransomware operation shut down in May 2022 after the group backed the Russian government, a move that triggered internal leaks. The article presents this as the end of Conti's active run following its 2020–2022 campaign.
Oleksii Lytvynenko joins the Conti conspiracy
Authorities said Oleksii Oleksiyovych Lytvynenko had joined Conti by at least September 2021 and helped develop a malware loader used to enable initial intrusions in some attacks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges - SecurityWeek
securityweek.com
Open sourceUkrainian national pleads guilty in connection with Conti ransomware - Help Net Security
helpnetsecurity.com
Open sourceUkrainian Extradited from Ireland Pleads Guilty Over Role in Conti Ransomware Scheme
securityaffairs.com
Open sourceConti ransomware group member pleads guilty, faces up to 20 years in prison | CyberScoop
cyberscoop.com
Open sourceConti Ransomware Guilty Plea After Ransomware Attacks
securityonline.info
Open sourceOffice of Public Affairs | Ukrainian National Pleads Guilty to Wire Fraud Conspiracy in Connection with Conti Ransomware | United States Department of Justice
justice.gov
Open sourceUkrainian national pleads guilty to role in Conti ransomware operation
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Extradition and Prosecution of Conti Ransomware Operator Oleksii Lytvynenko
Oleksii Oleksiyovych Lytvynenko, a Ukrainian national alleged to be a key member of the Conti ransomware group, was extradited from Ireland to the United States to face charges related to his involvement in global ransomware attacks. U.S. authorities accuse Lytvynenko of participating in Conti's double extortion operations between 2020 and June 2022, controlling stolen data, sending ransom notes, and extorting millions in cryptocurrency from victims worldwide, including specific incidents in Tennessee. He was arrested in Cork, Ireland, in July 2023 by Irish police at the request of the U.S., and after lengthy extradition proceedings, appeared in a Tennessee court facing charges of computer fraud conspiracy and wire fraud conspiracy, with a potential sentence of up to 25 years if convicted. The Conti ransomware group, which replaced the Ryuk operation in 2020, became one of the most prolific and aggressive ransomware syndicates, responsible for over 1,000 attacks in the U.S. and more than 30 countries, collecting approximately $150 million in ransom payments. The group targeted critical infrastructure and high-profile organizations, exploiting vulnerabilities such as Log4j and ProxyShell. After the group disbanded in 2022, its members, including Lytvynenko, allegedly continued cybercriminal activities. The U.S. Department of Justice and FBI have highlighted Conti's significant impact on global cybersecurity, with Lytvynenko's prosecution marking a major step in international law enforcement efforts against ransomware operators.
Mar 21, 2026
Latvian Karakurt Negotiator Sentenced for Conti-Linked Ransomware Extortion
A U.S. court sentenced Latvian national **Deniss Zolotarjovs** to **102 months in prison** for his role in a Russia-linked ransomware and data-extortion organization run by former **Conti** members and operating under brands including **Karakurt**, **Royal**, **TommyLeaks**, **SchoolBoys Ransomware**, and **Akira**. Prosecutors said Zolotarjovs acted as a primary negotiator and extortion specialist from June 2021 to August 2023, researching victims, analyzing stolen data, setting ransom pressure points, and taking a share of proceeds. He was arrested in Georgia in December 2023, extradited to the United States in August 2024, and later pleaded guilty to conspiracy to commit **wire fraud** and **money laundering**. The Justice Department said the group targeted more than **54 companies**, collected roughly **$15 million to $16 million** in confirmed ransom payments, and caused at least **$56 million** in documented losses across 13 victims, with total damage likely reaching **hundreds of millions of dollars**. Authorities said the operation exposed highly sensitive personal data, including children’s medical records stolen from a pediatric healthcare provider that were later used to threaten victims and even sent to hundreds of patients, while another attack forced a U.S. government entity’s **911 emergency system** offline. Court filings and reporting also said the syndicate relied on front companies, corrupt contacts, and access to Russian government databases, underscoring the professionalized and well-connected structure behind the extortion campaign.
Jun 8, 2026
US Sentences REvil Affiliate and Jails Karakurt Operative in Ransomware Crackdown
The United States sentenced **Yaroslav Vasinskyi** (`Rabotnik`), a Ukrainian affiliate of the **Sodinokibi/REvil** ransomware operation, to **13 years and 7 months** in prison for his role in more than **2,500 attacks** that collectively sought over **$700 million** in ransom payments. Prosecutors said the scheme encrypted victim networks, threatened to leak stolen data, and used cryptocurrency exchangers and mixing services to launder proceeds; the court also ordered more than **$16 million** in restitution. U.S. authorities said related forfeiture actions recovered assets including **39.89138522 Bitcoin** and **$6.1 million**, and credited cooperation with Polish authorities for Vasinskyi’s extradition and prosecution. In a separate but related enforcement action, **Deniss Zolotarjovs**, a Latvian national tied to the **Karakurt** extortion operation and linked by investigators to the broader **Conti** ecosystem, was sentenced to **102 months** in prison after U.S. prosecutors accused him of helping pressure victims with stolen data, reviving unresolved extortion cases, and laundering cryptocurrency. Authorities said the Russian-linked group targeted more than **54 companies worldwide**, including victims whose stolen records included sensitive medical information, and generated losses exceeding **$56 million** across 13 victims with roughly **$13 million** more paid by 41 additional companies. The cases underscore sustained cross-border law enforcement action against ransomware and data-extortion actors operating through Russia-linked criminal networks.
May 25, 2026