The U.S. Department of Justice has unsealed charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk, accusing him of playing a central role in the administration of several notorious ransomware families, including LockerGoga, MegaCortex, and Nefilim.
According to the indictment, Tymoshchuk—better known in cybercriminal circles by aliases such as deadforz, Boba, msfv, and farnetwork—helped orchestrate ransomware attacks that compromised hundreds of companies and caused millions of dollars in damages.
Alleged Role in LockerGoga and MegaCortex Attacks
Between July 2019 and June 2020, prosecutors say Tymoshchuk and his accomplices breached the networks of more than 250 organizations across the United States and abroad. These incidents were tied to LockerGoga and MegaCortex ransomware operations, which became infamous for paralyzing businesses by encrypting critical systems.
While many of the attacks did not result in ransomware deployment due to early law enforcement alerts, the scale of the attempted breaches highlighted the threat level these operations posed.
Ties to the Nefilim Ransomware Operation
From July 2020 to October 2021, Tymoshchuk allegedly shifted to serving as an administrator for the Nefilim ransomware cartel. In this role, he provided access to ransomware tools and infrastructure for affiliates, including co-defendant Artem Aleksandrovych Stryzhak. Affiliates were required to share 20 percent of ransom payments with Tymoshchuk in exchange for using the platform.
Stryzhak was extradited from Spain in April 2025, marking another major step in international law enforcement efforts against organized ransomware crime.
Links to Other Ransomware Families
Cybersecurity intelligence has also tied Tymoshchuk to other high-profile ransomware groups. In November 2023, Group-IB reported that he was active in recruiting affiliates for ransomware families such as JSWORM, Karma, Nokoyawa, and Nemty. His activity on Russian-speaking hacker forums dates back to at least April 2019, further cementing his long-standing role in the cybercrime underground.
Official Statements on the Case
U.S. Attorney Joseph Nocella Jr. described Tymoshchuk as a persistent offender:
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay.”
Acting Assistant Attorney General Matthew R. Galeotti added:
“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored.”
Impact on Victims and Global Response
The attacks associated with Tymoshchuk’s operations disrupted critical services, from health care systems to industrial companies, leaving victims struggling with encrypted files and halted operations.
In September 2022, as part of a coordinated international initiative, free decryptors for LockerGoga and MegaCortex were released through the No More Ransomware Project, allowing victims to recover files without ransom payments. This project has since become a critical lifeline for organizations hit by ransomware worldwide.
Criminal Charges and Rewards
Tymoshchuk faces multiple charges, including:
- Two counts of conspiracy to commit computer fraud
- Three counts of damaging a protected computer
- Unauthorized access charges
- Charges for threatening to disclose confidential information
To accelerate his capture, the U.S. Department of State’s Transnational Organized Crime Rewards Program has offered up to $11 million for information that leads to his location, arrest, or conviction.
