The U.S. Department of Justice has unsealed charges against Ukrainian national for administering the LockerGoga, MegaCortex, and Nefilim ransomware operations, while the Europol has placed him on the “Most Wanted” fugitives list.
According to the DOJ, Volodymyr Viktorovich Tymoshchuk—known by aliases including deadforz, Boba, msfv, and farnetwork—allegedly orchestrated ransomware campaigns between December 2018 and October 2021. His operations are accused of targeting more than 250 companies in the U.S. and hundreds more globally, including France, Germany, the Netherlands, Norway, and Switzerland. His ransomware operations caused severe business disruption, extensive data encryption and significant financial losses, the court filings noted.
The DOJ says that Tymoshchuk and his associates tailored their ransomware payloads individually for each victim, enabling only unique decryption keys. Prosecutors further allege that when victims obtained decryptors for older ransomware versions, Tymoshchuk responded by deploying new variants.
Authorities have also revealed that Artem Aleksandrovych Stryzhak, another Ukrainian associated with the Nefilim campaign, was likely a co-conspirator who was extradited from Spain earlier in May 2025.
Read: Ukrainian Extradited to U.S. Over Global Ransomware Scheme Using Nefilim Strain
Among the charges, Tymoshchuk faces conspiracy to commit fraud, intentional damage to protected computers, unauthorized computer access and transmitting threats to disclose confidential information.
Europol Adds Tymoshchuk to Europe’s ‘Most Wanted’
In parallel, Europol has added Tymoshchuk to its Most Wanted fugitives list, offering up to $10 million for credible information about his whereabouts.
The individual, a Ukrainian national, is believed to be a leading figure in an organised crime network responsible for the 2019 ransomware attack against a major Norwegian aluminium company, as well as a series of other global cyber-attacks,” Europol said. Europol’s reference was the March 18 attack, that year, on the Norwegian aluminium producer Norsk Hydro.
“The fugitive is wanted by several countries and is considered a top priority target for international law enforcement.” – Europol
Law enforcement in Ukraine has already arrested part of the group, Europol said. Their probe shed light on the hierarchy, uncovering everyone’s role—those writing the malicious code, those executing the intrusions, and those washing the profits.
“Those responsible for breaking into networks did so through techniques including brute force attacks, SQL injections and sending phishing emails with malicious attachments in order to steal usernames and passwords,” Europol said, at the time. Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks.
The U.S. State Department’s Transnational Organized Crime Rewards Program is separately offering up to $11 million for information that leads to Tymoshchuk’s location, arrest, or conviction.
