Data Breaches | December 23, 2025 | 5 min read

Ukrainian National Pleads Guilty in Nefilim Ransomware Conspiracy

Artem Stryzhak admits role in double-extortion ransomware attacks targeting large US and European companies from 2018 to 2021.

Sarah Mitchell

A Ukrainian national pleaded guilty on December 19 to conspiracy charges related to his role in the Nefilim ransomware operation. Artem Aleksandrovych Stryzhak, 35, admitted to participating in attacks against organizations in the United States and Europe, using double-extortion tactics that combined file encryption with data theft. The case marks another successful prosecution in the ongoing effort to dismantle ransomware infrastructure.

TL;DR

  • What happened: Ukrainian Artem Stryzhak pleaded guilty to conspiracy to commit computer fraud for Nefilim ransomware attacks
  • Who's affected: Large organizations in the US and Europe with $200M+ annual revenue were primary targets
  • Severity: Criminal prosecution - defendant faces up to 10 years in prison
  • Action required: No immediate action; case demonstrates law enforcement progress against ransomware operators

Who is Artem Stryzhak?

Stryzhak operated as a Nefilim ransomware affiliate from mid-2018 through late 2021. Court documents reveal that in June 2021, Nefilim administrators granted him access to the ransomware code in exchange for 20 percent of his ransom proceeds—a standard affiliate revenue-sharing arrangement in the ransomware-as-a-service ecosystem.

The defendant was arrested in Spain in June 2024 and extradited to the United States in April 2025. He pleaded guilty in the Eastern District of New York and faces sentencing on May 6, 2026. The maximum penalty is 10 years in federal prison.

How Did the Nefilim Operation Work?

Nefilim employed double-extortion tactics that have become standard practice among ransomware groups. Attackers would first exfiltrate sensitive company data before deploying the ransomware to encrypt files. Victims faced two threats: pay for decryption keys to restore access to their systems, or watch their stolen data get published on a leak site called "Corporate Leaks."

According to court documents, Stryzhak and his co-conspirators deliberately targeted companies with annual revenues exceeding $200 million. They used online databases like ZoomInfo to research and select victims based on financial size and potential willingness to pay large ransoms.

This victim selection methodology explains why Nefilim attacks disproportionately hit large enterprises rather than small businesses. The operators calculated that companies with significant revenue had more to lose from data exposure and business disruption.

What Happened to Other Nefilim Operators?

While Stryzhak will face sentencing, a key co-conspirator remains at large. Volodymyr Tymoshchuk, a 28-year-old Ukrainian national also known as "deadforz," "Boba," "msfv," and "farnetwork," was recently added to Europe's list of most wanted fugitives.

Investigators believe Tymoshchuk served as an administrator for multiple ransomware operations beyond Nefilim, including LockerGoga and MegaCortex. The US Department of State's Transnational Organized Crime Rewards Program has offered up to $11 million for information leading to his location, arrest, or conviction.

The reward size reflects the scale of damage attributed to Tymoshchuk's alleged activities across multiple ransomware families.

Why Do These Prosecutions Matter?

Ransomware prosecutions face significant obstacles. Most operators work from jurisdictions that don't cooperate with Western law enforcement, making arrests difficult. When defendants do get caught—often while traveling to countries with extradition agreements—the cases take years to work through the legal system.

Stryzhak's guilty plea matters for several reasons:

Deterrence Signal: Affiliates who believe they can operate with impunity may reconsider when seeing prosecutions succeed. Even if the risk of arrest remains low, it isn't zero.

Intelligence Value: Cooperating defendants often provide information about ransomware infrastructure, other affiliates, and operational details that assists ongoing investigations.

Asset Recovery: Guilty pleas can lead to restitution orders and asset forfeiture, potentially recovering some victim losses.

Network Disruption: Removing even one active affiliate reduces the ransomware group's operational capacity.

The Bigger Picture on Ransomware Enforcement

This prosecution comes amid broader efforts to combat ransomware through law enforcement action. In 2025 alone, authorities have made progress against several operations:

  • Multiple LockBit affiliates arrested and infrastructure seized
  • ALPHV/BlackCat operation disrupted following law enforcement infiltration
  • Continued international cooperation on ransomware investigations

But the numbers tell a sobering story. According to ransomware tracking data, 306 ransomware groups were active in 2025, claiming 7,902 victims—significantly higher than 6,129 victims in 2024 and 5,336 in 2023. Despite law enforcement successes, the ransomware economy continues to grow.

What Organizations Should Learn from This Case

The Nefilim operation's targeting methodology offers a reminder about attacker economics. Groups specifically researched victim finances to maximize potential payouts. Organizations should assume that threat actors know their revenue figures and will calibrate demands accordingly.

The case also demonstrates that ransomware attacks aren't anonymous. Affiliates leave trails, make mistakes, and sometimes get caught when they travel. Law enforcement agencies maintain long-term investigations that eventually yield results, even years after the attacks occurred.

Frequently Asked Questions

Does this guilty plea help victims recover their data or money?

The plea itself doesn't directly result in data recovery or financial restitution. However, sentencing may include restitution orders. Stryzhak's cooperation, if any, could provide intelligence that helps disrupt related operations or identify other victims.

What should I do if my organization was previously hit by Nefilim?

If you have outstanding claims or unpaid ransoms, this development doesn't change your situation directly. Consider contacting the FBI's Internet Crime Complaint Center (IC3) if you haven't already reported the incident—victim reports assist ongoing investigations.

Are other Nefilim affiliates still operating?

Nefilim as a distinct brand appears inactive, but ransomware operators frequently rebrand and continue operations under new names. The techniques and tactics Nefilim used—double extortion, large-enterprise targeting, affiliate models—remain standard across the ransomware ecosystem.
