Ukrainian Hacker Extradited From Spain Pleads Guilty in Nefilim Ransomware Attacks on Global Firms
A Ukrainian citizen has admitted guilt in connection with a series of ransomware attacks carried out using the Nefilim strain, targeting companies in the United States and other countries.
Artem Aleksandrovych Stryzhak, 35, was extradited to the US from Barcelona, Spain, earlier this year following his arrest in June 2024. According to the US Department of Justice (DoJ), he pleaded guilty to one charge of conspiracy to commit computer fraud.
Court documents reveal that Stryzhak joined the Nefilim ransomware-as-a-service operation in June 2021. He was granted access by the group’s administrators in return for 20% of any ransom payments he generated.
The affiliate was reportedly encouraged to go after large enterprises with annual revenues exceeding $200 million. To identify suitable targets, Stryzhak and others relied on publicly available business intelligence platforms such as ZoomInfo.
Companies based in the US, Canada, and Australia were prioritized. Like many ransomware campaigns, the attacks involved breaching corporate networks, stealing sensitive information, and encrypting systems. Victims were then pressured to pay a ransom for the decryption key or risk having their data published on a “corporate leaks” website operated by the ransomware group.
While authorities have not disclosed exactly how Stryzhak was identified and arrested, the DoJ noted that shortly after becoming an affiliate, he asked a fellow conspirator whether he should change his username—one he had used in prior crimes—in case the control panel “gets hacked into by the feds.”
Since those attacks, Nefilim has resurfaced under several different names, including Fusion, Milihpen, Gangbang, Nemty, and Karma.
Stryzhak now faces a potential prison sentence of up to 10 years. His sentencing is scheduled for May 2026.
Despite the guilty plea, at least one alleged accomplice remains at large. Volodymyr Tymoshchuk, also known by the aliases deadforz, Boba, msfv, and farnetwork, has been placed on Europe’s most-wanted fugitives list. The 28-year-old Ukrainian national is suspected of serving as an administrator for ransomware groups including LockerGoga, MegaCortex, and Nefilim.
The US Department of State’s Transnational Organized Crime Rewards Program is offering up to $11 million for information that leads to Tymoshchuk’s whereabouts, arrest, or conviction.
