The U.S. Department of Justice detained a Ukrainian serial ransomware criminal who is believed to have been behind various ransomware operations. Volodymyr Viktorovich Tymoshchuk, using monikers Boba, deadforz farnetwork, and msfv, is claimed to have executed the Nefilim, Megacortex, and LockerGaga ransomware operations between December 2018 and October 2021.
Tymoshchuk, together with his accomplices, carried out or played an important part in ransomware attacks on over 250 victims in the U.S. and many victims around the world from July 2019 to June 2020, employing the Megacortex and Lockergaga ransomware variants. A worldwide law enforcement operation directed at the Megacortex and Lockergoga ransomware plans in September 2022 acquired decryption keys, which were available for victims through the No More Ransom Project. A lot of potential victims could have avoided file encryption if they had obtained quick notices from authorities that their systems were breached. That is why HIPAA training of employees is important for healthcare companies that are affected by these kinds of cyberattacks.
With the Nefilim ransomware system, Tymoshchuk and his co-conspirators claimed even more victims in America and around the world between July 2020 and October 2021. Through those attacks, Tymoshchuk brought on millions of dollars in losses to businesses as a result of interference in operations, problems with computer programs, and ransom payments. Being a ransomware operations administrator, Tymoshchuk hired and allowed access to the system and the encryptor to execute attacks.
Ukrainian Artem Stryzhak, an affiliate of the Nefilim ransomware campaigns, was detained in Spain in June 2024 and repatriated to the U.S. on April 30, 2025. Stryzhak was accused of conspiracy to commit theft and associated activity. Stryzhak principally attacked companies in America, Australia, or Canada that had annual income of above $100 million, though a Nefilim administrator inspired him to focus on big organizations with over $200 million in yearly earnings. The Nefilim administrators permitted Stryzhak to hold on to 80% of any ransoms he produced, whereas they would keep 20%. Any victim who declined to pay had their breached information exposed on the group’s Corporate Leaks sites.
Tymoshchuk is accused of three counts of causing purposive damage to a protected computer, two counts of conspiracy to commit fraud and correlated computer activity, one count of sending a threat to leak sensitive data, and one count of suspicious access to a secured computer. Tymoshchuk is a ransomware criminal targeting blue-chip American corporations, healthcare organizations, and big foreign industrial corporations, and he threatened to expose their sensitive records on the net if they fail to pay. For some time, the offender dodged law enforcement by implementing new strains of malicious applications when his old ones had been decrypted. The unmasking and capture of a threatening and predominant ransomware actor became possible because of global coordination.
The U.S. Department of State is giving about $10 million reward for tips leading to the hideout, arrest, or indictment of Tymoshchuk, and an extra $1 million reward for information that brings about convictions of other MegaCortex, Nefilim, and Lockergaga ransomware groups’ members. The rewards are made available through the Transnational Organized Crime (TOC) Rewards Program.
