Ukrainian Extradited To U.S. For Nefilim Ransomware Scheme

Artem Stryzhak, a Ukrainian national, has been extradited from Spain to the United States to face charges related to a global ransomware operation that used the notorious Nefilim ransomware strain. The 2025 extradition is an important step in a years-long investigation into a cyber-extortion campaign that targeted multinational corporations and caused millions of dollars in losses. 

On April 30, Stryzhak was brought to the U.S. after his arrest in Spain in June 2024. Federal prosecutors in Brooklyn unsealed a superseding indictment earlier today, charging him with conspiracy to commit fraud and related computer crimes, including extortion. His arraignment is scheduled before U.S. Magistrate Judge Robert Levy in the Eastern District of New York. 

International Operation Targets Cybercrime Using Nefilim Ransomware Strain 

According to U.S. Attorney John Durham, “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online.” Durham emphasized the importance of the extradition, stating it demonstrated that cybercriminals operating from overseas are not beyond the reach of American law. 

The FBI also stressed the importance of international cooperation in bringing cybercriminals to justice. “The successful extradition of the defendant is a significant achievement in that ongoing collaboration, and it sends a clear message: those who attempt to hide behind international borders to target American citizens will face justice,” said Christopher J.S. Johnson, Special Agent in Charge of the FBI’s Springfield, Illinois Field Office. 

The Nefilim ransomware strain, at the center of this case, was used to compromise and encrypt the computer networks of businesses across the globe. According to court documents, these ransomware attacks resulted in substantial financial damage, stemming not only from ransom payments but also from extensive disruptions to the victims’ IT systems. 

Customized Attacks on High-Revenue Companies 

Stryzhak allegedly joined the Nefilim ransomware operation in June 2021, after receiving access to the ransomware’s core code in exchange for 20% of his ransom earnings. Operating under a personal account on the Nefilim platform—referred to as the “panel”—Stryzhak even questioned whether he should use a different alias to avoid detection by the FBI if the panel were ever compromised. 

The Nefilim ransomware group primarily focused on companies based in the U.S., Canada, and Australia, typically those with over $100 million in annual revenue. In one 2021 exchange, a Nefilim administrator encouraged Stryzhak to focus on firms with revenues exceeding $200 million. Before launching an attack, the conspirators conducted detailed reconnaissance, using online tools to assess potential targets’ financial standing and infrastructure.

Once inside a victim’s network, Stryzhak and his co-conspirators exfiltrated sensitive data. Victims were then presented with ransom notes that threatened to leak their data publicly on “Corporate Leaks” websites—online platforms managed by the Nefilim administrators—if the ransom was not paid. 

The investigation and prosecution of Artem Stryzhak’s involvement in the Nefilim ransomware scheme is being led by the National Security and Cybercrime Section of the U.S. Attorney’s Office. While the charges remain allegations and Stryzhak is presumed innocent until proven guilty, he faces up to five years in federal prison if convicted.

Related