U.S. Authorities Charge Ukrainian Hacker Volodymyr Tymoshchuk with Running Global LockerGoga, MegaCortex, and Nefilim Ransomware Schemes

A Ukrainian national has been hit with serious criminal charges in the U.S. for allegedly running some of the most destructive ransomware operations in recent years.

Volodymyr Viktorovich Tymoshchuk, also known by online aliases like deadforz, Boba, msfv, and farnetwork, is accused of being a key administrator in the LockerGoga, MegaCortex, and Nefilim ransomware campaigns.


Justice Department and FBI Speak Out

Acting Assistant Attorney General Matthew R. Galeotti called Tymoshchuk’s alleged activities “extortion schemes that targeted more than 250 companies in the U.S. and hundreds more worldwide.”

Some of these attacks reportedly disrupted entire business operations until data could be restored. Galeotti emphasized that the Justice Department is committed to protecting companies from digital sabotage and pursuing cybercriminals wherever they may hide.

U.S. Attorney Joseph Nocella Jr. described Tymoshchuk as a “serial ransomware criminal” who targeted major corporations, healthcare organizations, and foreign industrial firms.

“This indictment reflects international efforts to unmask and charge a dangerous ransomware actor who can no longer operate anonymously,” he said.

FBI officials echoed the warning. Christopher G. Raia, Assistant Director in Charge at the FBI New York Field Office, stressed that cybercriminals should not believe they can act with impunity.

“We will continue to scour the globe to hold those accountable who try to exploit the anonymity of the internet for crime,” he said.


How the Ransomware Attacks Worked

According to the indictment, between December 2018 and October 2021, Tymoshchuk used LockerGoga, MegaCortex, and Nefilim ransomware to encrypt networks across the U.S., Europe, and beyond, including countries like France, Germany, the Netherlands, Norway, and Switzerland.

These attacks caused millions in losses, from damaged computer systems to remediation costs and ransom payments.

The ransomware was often customized for each victim, generating unique decryption keys.

Paying the ransom would allow victims to recover their files, while refusing risked data leaks or operational shutdowns.


Timeline of Criminal Activity

Between July 2019 and June 2020, Tymoshchuk and associates allegedly compromised over 250 U.S. companies and hundreds more globally using LockerGoga and MegaCortex.

In many cases, law enforcement intervened before the ransomware could be deployed.

From July 2020 through October 2021, Tymoshchuk is accused of acting as an administrator for Nefilim ransomware, providing affiliates—like co-defendant Artem Stryzhak, extradited from Spain—with access to the ransomware in exchange for 20 percent of the ransoms collected.


International Efforts and Decryption Tools

In September 2022, an international operation against LockerGoga and MegaCortex resulted in public release of decryption keys via the “No More Ransomware Project.”

This allowed victims to restore encrypted files without paying ransoms and represented a coordinated effort by law enforcement to dismantle these ransomware networks.


Charges and Ongoing Investigation

Tymoshchuk faces multiple federal charges, including:

  • Two counts of conspiracy to commit fraud and related activity in connection with computers

  • Three counts of intentional damage to a protected computer

  • One count of unauthorized access to a protected computer

  • One count of transmitting a threat to disclose confidential information

The FBI is leading the investigation, with prosecutors from the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and the Eastern District of New York handling the case.

International authorities, including Europol, Eurojust, and several European countries, assisted in the effort.


Rewards Offered for Information

The U.S. Department of State is offering up to $11 million in rewards for information leading to the arrest, conviction, or location of Tymoshchuk or his co-conspirators.

Those with information can contact the FBI via phone, email, local field office, or U.S. embassy abroad.


Reminder on Presumption of Innocence

As with all criminal cases, the indictment is an allegation.

Tymoshchuk and any co-defendants are presumed innocent until proven guilty in a court of law.