Ukrainian Hacker Acknowledges Participation in Nefilim Ransomware Group


A Ukrainian citizen has pleaded guilty to orchestrating Nefilim ransomware attacks aimed at high-revenue companies in the United States and various other nations.

The accused, Artem Aleksandrovych Stryzhak, 35, was captured in Spain in June 2024 and subsequently extradited to the United States on April 30, 2025.

Stryzhak has pleaded guilty to charges of conspiracy to commit computer fraud, filed by U.S. prosecutors, in connection with ransomware attacks targeting entities in the United States, Norway, France, Switzerland, Germany, and the Netherlands.


Stryzhak faces up to 10 years in prison, with his sentencing date set for May 6, 2026.

According to court records, Stryzhak allegedly acquired the Nefilim ransomware code in June 2021 in exchange for 20% of the ransom payments obtained. The ransomware group developed custom malware for each victim, along with decryption keys and specified ransom amounts.

After joining the Nefilim operation, Stryzhak specifically sought out large firms in the U.S., Canada, and Australia, each with annual revenues exceeding $100 million, using specially crafted malware along with decryption keys and ransom demands. However, one of the Nefilim administrators later encouraged Stryzhak to concentrate on firms generating over $200 million a year.

Together with his associates, Stryzhak researched potential targets using online resources (including Zoominfo) to gather information about a company's revenue, size, and contact details.

To intensify pressure on victims, the group also threatened to release data stolen during attacks on “Corporate Leaks” websites maintained by Nefilim administrators unless the ransom terms were fulfilled.

The U.S. State Department has announced a reward of up to $11 million for information that could lead to the apprehension of Stryzhak’s alleged accomplice, Volodymyr Tymoshchuk, who remains at large.

Tymoshchuk is listed among the most-wanted individuals by both the FBI and the European Union. In September, he was charged by the U.S. Justice Department for his role as an administrator in LockerGoga, MegaCortex, and Nefilim ransomware operations.

Reportedly, Tymoshchuk was involved in ransomware operations that compromised numerous companies globally, resulting in damages amounting to millions between July 2020 and October 2021.
