LockerGoga, MegaCortex, and Nefilim ransomware admin charged in the US

 


The US Department of Justice has unsealed charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk, accusing him of serving as a key administrator behind several high-profile ransomware operations, including LockerGoga, MegaCortex, and Nefilim.

Known online as deadforz, Boba, msfv, and farnetwork, Tymoshchuk is alleged to have played a central role in ransomware attacks that compromised hundreds of companies worldwide between December 2018 and October 2021. According to prosecutors, the attacks caused millions of dollars in damages, including costs related to system repairs, ransom payments, and operational disruption.

The ransomware variants used by Tymoshchuk and his co-conspirators encrypted data on targeted networks across multiple countries, including the United States, France, Germany, Norway, the Netherlands, and Switzerland. In many cases, the attackers would tailor the ransomware executable to each victim, ensuring that only a specific decryption key could unlock the compromised data. Victims who paid the ransom were provided with decryption tools in return.

From July 2019 to June 2020, Tymoshchuk is alleged to have been involved in compromising over 250 networks in the US, as well as hundreds more globally using LockerGoga and MegaCortex.

Tymoshchuk is also accused of being a lead administrator of the Nefilim ransomware operation from July 2020 to October 2021, during which time he allegedly provided ransomware tools to affiliates in exchange for 20% of ransom profits. One such affiliate, Artem Stryzhak, has been extradited from Spain and is facing charges in the Eastern District of New York.

The authorities released decryption keys for LockerGoga and MegaCortex in September 2022 as part of the No More Ransomware Project, allowing many victims to recover encrypted data without paying ransoms.

Tymoshchuk faces multiple federal charges, including two counts of conspiracy to commit fraud and related computer crimes; three counts of intentional damage to a protected computer; one count of unauthorized access to a protected computer; and one count of transmitting threats to disclose confidential information. If convicted, he may face decades in prison.

