Ukrainian hacker pleads guilty to Nefilim Ransomware attacks in U.S.

Pierluigi Paganini
December 22, 2025

Ukrainian Artem Stryzhak (35) pleaded guilty in the U.S. over Nefilim ransomware attacks; he was arrested in Spain in 2024 and extradited in April 2025.

Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian citizen, pleaded guilty in the U.S. over Nefilim ransomware attacks. He was arrested in Spain in 2024 and extradited to the U.S. in April 2025. He pleaded guilty to conspiracy to commit computer fraud and faces up to 10 years in prison, with sentencing set for May 2026.

“Earlier today, in federal court in Brooklyn, Artem Stryzhak pleaded guilty to conspiracy to commit fraud and related activity, including extortion, in connection with computers, for his role in a series of international ransomware attacks,” reads the DoJ’s press release. “Stryzhak, a Ukrainian citizen, was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. When sentenced, Stryzhak faces up to 10 years’ imprisonment. His co-conspirator, Volodymyr Tymoshchuk, remains at large and is the subject of a $11 million reward offered by the United States Department of State.”

Nefilim ransomware was used to encrypt networks worldwide, including in the Eastern District of New York, causing millions in losses from ransom payments and system damage. Attackers employed a customized ransomware executable in each attack, generating unique decryption keys and tailored ransom notes for victims. In June 2021, Nefilim administrators granted Artem Stryzhak access to the ransomware code in exchange for 20% of his ransom proceeds, which he deployed via his account on the administrators’ online platform.

“Nefilim’s preferred ransomware targets were companies located in the United States, Canada, or Australia with more than $100 million in annual revenue,” continues the report. “Stryzhak and others researched the companies to which they gained unauthorized access, including by using online databases to gather information about the victim companies’ net worth, size, and contact information.”

Stryzhak and co-conspirators researched victims using online databases to collect information on their net worth, size, and contacts. After gaining network access, they stole data to pressure companies into ransom payments. Nefilim notes warned that stolen data would be posted on publicly accessible “Corporate Leaks” sites maintained by the administrators if victims did not comply.

Volodymyr Tymoshchuk, Stryzhak’s co-defendant and Nefilim admin, is a serial ransomware cybercriminal who is still at large. The U.S. offers up to $11M for info on him or co-conspirators.

“The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data, and extort victims,” stated Joseph Nocella, Jr., United States Attorney for the Eastern District of New York. “The defendant’s conviction demonstrates that our Office will ensure that criminals are held accountable for the cyber havoc they wreak on society. We remain determined to capture Stryzhak’s codefendant and partner in crime, Volodymyr Tymoshchuk, and bring him to justice in a U.S. courtroom.”
