Earlier today, federal authorities unsealed a superseding indictment charging Volodymyr Tymoshchuk, a Ukrainian national also known as “deadforz,” “Boba,” “msfv,” and “farnetwork,” for his alleged involvement in international ransomware schemes. Tymoshchuk is not currently in U.S. custody.
The announcement was made by Joseph Nocella, Jr., United States Attorney for the Eastern District of New York; Matthew R. Galeotti, Acting Assistant Attorney General of the Justice Department’s Criminal Division; Christopher Raia, Assistant Director in Charge at the FBI’s New York Field Office; and FBI Special Agent in Charge Christopher J.S. Johnson from Springfield, Illinois.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” stated United States Attorney Nocella. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” stated Acting Assistant Attorney General Galeotti. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located.”
“Volodymyr Tymoshchuk repeatedly used ransomware attacks to target hundreds of companies in the United States and around the globe in attempts to extort victims. Today’s announcement should serve as warning, cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable,” stated FBI Assistant Director in Charge Raia. “The FBI along with our law enforcement partners will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime.”
“The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong. The FBI is actively pursuing them to disrupt their operations and bring them to justice. We urge all organizations to report these attacks immediately—because every report helps us dismantle these networks and ensure cybercriminals are held accountable,” stated Springfield, Illinois Special Agent in Charge Johnson.
According to allegations detailed in court documents, between December 2018 and October 2021 several strains of ransomware—including LockerGoga, MegaCortex, and Nefilim—were used against victims worldwide including those based within the Eastern District of New York as well as France, Germany, Netherlands, Norway, Switzerland, among others. These attacks led victims’ computer files being locked until ransom demands were met.
Tymoshchuk allegedly worked with co-conspirators who gained unauthorized access through various hacking techniques such as exploiting security vulnerabilities or purchasing compromised credentials before deploying either LockerGoga or MegaCortex ransomware on victim networks between July 2019 through June 2020.
In September 2022 an international effort made decryption keys available for LockerGoga and MegaCortex via public release through initiatives like No More Ransomware Project which allowed affected organizations globally recover previously encrypted data.
From July 2020 through October 2021 Tymoshchuk acted as an administrator for Nefilim—a so-called "ransomware-as-a-service" operation—where he provided tools for affiliates like Artem Stryzhak (his co-defendant) who paid him a portion of proceeds collected from ransom payments after targeting high-revenue companies primarily located within countries such as United States Canada or Australia.
Nefilim ransom notes typically threatened publication of stolen data unless payment agreements were reached with victims; this information would be posted on publicly accessible websites maintained by those administering Nefilim operations.
All charges contained within this indictment remain allegations at this stage; defendants are presumed innocent unless proven guilty during trial proceedings. Stryzhak was extradited from Spain earlier this year (April 2025) where he now awaits trial within Eastern District of New York.
The U.S Department of State has announced up-to $11 million reward for information leading directly towards arrest conviction or location regarding either Tymoshchuk himself or other conspirators involved—details about submitting tips can be found on [the State Department website](https://www.state.gov/).
The investigation has been handled by multiple offices including National Security & Cybercrime Section under direction from Assistant U.S Attorneys Alexander F Mindlin Ellen H Sise along with Trial Attorney Brian Mund (DOJ Computer Crime & Intellectual Property Section), supported by Paralegal Specialist Rebecca Roth—with additional support coming internationally via Justice Department's Office International Affairs alongside law enforcement agencies throughout Europe coordinated through Europol Eurojust ICHIP The Hague program.
