FBI offers $10M for Ukrainian hacker tied to major ransomware attacks
FBI Offers $10 Million for Ukrainian Hacker Accused of Leading Major Ransomware Operations
International Operation and Network Dismantled
Authorities from several countries, with the participation of Ukraine’s Cyber Police, neutralized part of a ransomware group accused of targeting global corporate networks. Since 2018, the attackers are believed to have compromised infrastructure in France, Norway, Germany, the Netherlands, Canada, and the United States, encrypting more than 1,000 servers and causing estimated damages of 3 billion hryvnias.
Arrests and a Fugitive Leader
Several suspects were arrested; some have already appeared in court, and assets were seized. However, one of the group’s key leaders, Ukrainian citizen Volodymyr (Vladimir) Viktorovich Tymoshchuk, remains at large. He was formally charged in absentia and placed on international wanted lists.
FBI Reward
The FBI has announced a reward of up to $10 million for information leading to his capture. Tymoshchuk is wanted by both the United States and Ukraine and is currently listed among the EU’s most wanted criminals. As of now, there is no conviction: he remains an accused suspect and a fugitive.
Aliases and Hacker Community Presence
In underground forums, Tymoshchuk was known under several aliases: deadforz, Boba, msfv, and farnetwork. His legal troubles in Ukraine date back to October 2021, when authorities raided his home. By December 2023, a national search warrant had been issued, but he reportedly fled the country in November 2023. In May 2024, he was officially added to the U.S. wanted list.
U.S. Federal Indictment
According to court documents, Tymoshchuk allegedly acted as an administrator/operator in ransomware-as-a-service (RaaS) campaigns linked to LockerGoga, MegaCortex, and Nefilim. The charges include:
1. Criminal conspiracies:
• LockerGoga/MegaCortex (2018–2020): conspiracy to damage protected systems and extort payments.
• Nefilim (2020–2021): a similar conspiracy, allegedly with his associate Artem (Artyom) Stryzhak.
2. Intentional damage to protected computers (including privilege escalation via Cobalt Strike, creation of admin accounts, etc.).
3. Unauthorized access for profit and further extortion.
4. Threats to disclose confidential data to force payments — the so-called “double extortion” tactic.
The indictment details intrusions through purchased credentials, lateral movement inside victim networks, persistence with Cobalt Strike, mass encryption of systems, and ransom demands in cryptocurrency (sometimes hundreds of BTC). Attacks reportedly affected around 250 companies in the U.S. and hundreds more worldwide, including one corporate victim identified as Filtras.
Legal and Procedural Context
In Ukraine, Tymoshchuk faces charges of hacking, extortion, and money laundering, with potential sentences of up to 12 years. In the U.S., proceedings are ongoing, and he is presumed innocent until proven guilty. His alleged associate, Artem Stryzhak, was extradited from Spain to Brooklyn on April 30, 2025.
Current Status
• Several members of the ransomware group have been arrested and are facing trial.
• Assets linked to the criminal activities have been seized.
• One key leader remains at large, with the FBI offering a $10 million reward for information leading to his arrest.
Final Reflection
The Tymoshchuk case illustrates how ransomware groups operate as transnational criminal organizations, capable of causing billions in damages and threatening both governments and private companies. It also highlights the importance of growing international cooperation in the fight against cybercrime, where technology, law, and geopolitics increasingly intersect.