The U.S. Department of Justice arrested Volodymyr Viktorovich Tymoshchuk who is accused of his important role in several ransomware operations. This Ukrainian ransomware criminal, also known as Boba, deadforz, msfv, and farnetwork, is alleged to have conducted the MegaCortex, Nefilim, and LockerGaga ransomware operations from December 2018 to October 2021.
Tymoshchuk, with his accomplices, performed or played an integral role in performing ransomware attacks on about 250 victims in the U.S. between July 2019 and June 2020, utilizing the LockerGaga and MegaCortex ransomware variants. A global law enforcement operation focusing on the MegaCortex and LockerGoga ransomware campaigns in September 2022 acquired decryption keys, which were accessible to victims via the No More Ransom Project. Numerous potential victims were able to stop file encryption after getting immediate alerts from law enforcement that their networks were compromised.
Under the Nefilim ransomware plan, Tymoshchuk and his co-conspirators claimed a lot more victims in America and globally from July 2020 to October 2021. Because of those ransomware attacks, Tymoshchuk brought about millions of dollars in losses to businesses due to disrupted operations, damage to computer networks, and ransom payments. As a ransomware operations administrator, Tymoshchuk recruited and gave access to the facilities and encryptor to perform attacks.
Ukrainian national Artem Stryzhak, an affiliate of the Nefilim ransomware operation, was caught in Spain in June 2024 and deported to the U.S. on April 30, 2025. Stryzhak was charged with conspiracy to commit fraud and associated activity. Stryzhak mainly targeted companies in America, Canada, or Australia that had annual income of more than $100 million, although a Nefilim administrator urged him to attack larger businesses with more than $200 million in yearly earnings. The Nefilim administrators enabled Stryzhak to retain 80% of any ransoms he earned, while they would get 20%. Any victim who did not pay had their stolen files leaked on the group’s Corporate Leaks websites.
Tymoshchuk is facing charges of two counts of conspiracy to commit fraud and correlated computer activity, three counts of causing deliberate damage to a protected computer, one count of illegal access to a secured computer, and one count of giving a threat to leak private information. Tymoshchuk is a ransomware criminal who attacked blue-chip American firms, health care providers (including HIPAA-compliant), and large foreign industrial companies, and threatened to expose their sensitive information on the internet if they do not pay. For a while, the accused evaded law enforcement by using new strains of malicious software programs as soon as his old ones had been decrypted. The unmasking and charging of a dangerous and prevalent ransomware actor became possible as a result of international coordination.
The U.S. Department of State is offering a $10 million incentive for tips leading to the whereabouts, arrest, or conviction of Tymoshchuk, as well as another $1 million reward for information that would lead to the conviction of other MegaCortex, LockerGaga, and Nefilim ransomware groups’ members. The rewards are provided through the Transnational Organized Crime (TOC) Rewards Program.