A Ukrainian national accused of helping run one of the world’s most damaging ransomware operations, Conti, is now in US custody. After being extradited from Ireland, 43-year-old Oleksii Oleksiyovych Lytvynenko made his first court appearance in the Middle District of Tennessee to face charges tied to the Conti ransomware group.
Prosecutors allege that between 2020 and 2022, Lytvynenko worked with others to spread Conti ransomware all over the globe. The group infiltrated computer systems, locked critical files, and demanded cryptocurrency payments to restore access and keep stolen data private.
It also became one of the most aggressive and profitable operations of its kind before breaking apart in 2022. The FBI estimates the group carried out more than a thousand attacks in 47 US states, Puerto Rico, and over 30 countries, collecting about 150 million dollars in ransom payments, more than any other ransomware strain targeting critical infrastructure at the time.
Conti hit a long list of targets over the years. The Fourth District Court of Louisiana was among the first known targets in September 2020, followed by the Broward County Schools district in Fort Lauderdale in April 2021.
Later that year, in December, Scandinavian hotel chain Nordic Choice was hit, disrupting operations across multiple locations. The following months brought more high-profile attacks, including KP Snacks, the United Kingdom’s second-largest snack maker, in February 2022, and German wind turbine manufacturer Nordex in April 2022.
The group’s methods were as aggressive as they were sophisticated. Conti actors exploited major security flaws such as the Log4j and ProxyShell vulnerabilities, both of which were widely abused by cybercriminals at the time.
But the group also faced problems of its own after an insider using the name “m1Geelka” leaked internal chats and code, claiming the operators were underpaying their recruits. That leak exposed details about how the gang worked and who was involved.
In one particularly controversial incident, Conti published thousands of records stolen from Graff, a luxury jewellery retailer based in the United Kingdom, in October 2021. The data included information on high-profile clients, among them members of royal families from Saudi Arabia, the United Arab Emirates, and Qatar. Following backlash, the group issued an unusual public apology, claiming it had not intended to harm those specific individuals.
Authorities believe Lytvynenko managed stolen data from numerous victims and was involved in sending ransom notes during Conti’s attacks. Irish police arrested him in July 2023 at the request of US officials, and after months of legal proceedings, he was extradited earlier this month. Court filings also allege that he continued to engage in cybercrime right up until his arrest in Ireland.
According to the US Department of Justice’s press release, Lytvynenko faces one count of conspiracy to commit computer fraud, carrying a maximum penalty of five years in prison, and one count of conspiracy to commit wire fraud, which carries up to twenty years.
The latest extradition adds to a series of actions targeting ransomware operators linked to Conti and similar groups. In June 2025, Ukrainian police arrested a ransomware cryptor developer connected to both the Conti and LockBit gangs. That arrest was part of Operation Endgame, a coordinated international effort aimed at dismantling the infrastructure and personnel behind major cybercrime networks.




