Artem Aleksandrovych Stryzhak, 35, a Ukrainian national and Nefilim ransomware affiliate, is scheduled for sentencing on May 6, 2026 in U.S. federal court after pleading guilty in December 2025 to conspiracy to commit computer fraud. Stryzhak obtained access to the Nefilim ransomware code in June 2021 in exchange for a 20% share of ransom proceeds, then deployed it against large corporations across the United States, Norway, France, Switzerland, Germany, and the Netherlands, specifically targeting businesses with annual revenues exceeding $100 million — a threshold he later raised to $200 million. He faces a maximum sentence of ten years imprisonment.
Stryzhak’s Role as a Nefilim Affiliate: Revenue-Targeted Ransomware Operations Against Large Corporations
Stryzhak operated as a Nefilim ransomware affiliate — an arrangement in which the affiliate gains access to the ransomware platform and infrastructure in exchange for sharing a percentage of ransom proceeds with the group’s operators. In Stryzhak’s case, the arrangement was struck in June 2021 and provided a 20% cut of ransom payments to the underlying Nefilim operation.
The Nefilim ransomware group deliberately avoided smaller businesses, targeting instead companies with sufficient revenue and resources to pay large ransoms. Stryzhak operated with an initial revenue threshold of $100 million for target selection, subsequently raising that minimum to $200 million. Nefilim customized extortion demands and ransom notes on a per-victim basis and threatened to publish stolen data on “Corporate Leaks” sites if victims declined to pay — a double-extortion model designed to add reputational and regulatory pressure to the financial demand.
Countries Targeted: United States, Norway, France, Switzerland, Germany, Netherlands
Stryzhak’s confirmed campaign targeted corporations across six countries: the United States, Norway, France, Switzerland, Germany, and the Netherlands. The cross-border scope of the operation was a factor in the U.S. prosecution case, which charged computer fraud conspiracy as the primary count.
Arrest in Spain, Extradition to the United States, and Guilty Plea
Stryzhak was arrested in Spain in June 2024. He was extradited to the United States on April 30, 2025, following extradition proceedings conducted under U.S.-Spain cooperation frameworks for cybercrime prosecutions. After his extradition, Stryzhak entered a guilty plea in December 2025 to conspiracy to commit computer fraud, the charge arising from his participation in the Nefilim ransomware operation.
Sentencing is scheduled for May 6, 2026. The charge carries a maximum statutory sentence of ten years in federal prison. The final sentence will be determined by the court based on guidelines calculations, the nature of the conduct, and any cooperation credit applied during proceedings.
Co-Conspirator Volodymyr Tymoshchuk Remains at Large With $11 Million U.S. Bounty
Stryzhak’s alleged co-conspirator, Volodymyr Tymoshchuk, remains at large as of the May 6, 2026 sentencing date. The U.S. State Department has issued an $11 million reward for information leading to Tymoshchuk’s arrest or prosecution, reflecting the DOJ’s continued pursuit of the remaining Nefilim operation participants.
The $11 million bounty level places Tymoshchuk among a small group of cybercriminals for whom the U.S. government has publicly offered eight-figure rewards, a classification typically reserved for threat actors assessed to have caused or enabled hundreds of millions of dollars in damages.
U.S. Ransomware Prosecution Pattern: Extraditions From Europe Continue
Stryzhak’s case continues a sustained pattern of successful U.S. extraditions and ransomware affiliate prosecutions coordinated with European law enforcement. His arrest in Spain in June 2024, extradition in April 2025, guilty plea in December 2025, and May 2026 sentencing represent the full prosecutorial pipeline operating over approximately two years from initial arrest to conviction.
The Stryzhak prosecution adds to the documented record of U.S. federal courts receiving extradited ransomware affiliates and proceeding to conviction.
