The United States has placed an $11 million bounty on the head of Volodymyr Tymoshchuk, a Ukrainian national accused of orchestrating some of the most damaging ransomware campaigns in recent years. Federal prosecutors allege that from 2018 to 2021, Tymoshchuk masterminded attacks that collectively siphoned off as much as $18 billion from corporations and institutions across the globe.
The U.S. Department of Justice (DOJ) says Tymoshchuk built and deployed powerful ransomware strains that crippled operations in industries ranging from health care to renewable energy, cementing his role as a central figure in international cybercrime.
Ransomware Tools: MegaCortex, LockerGoga, and Nefilim
Tymoshchuk is accused of designing and distributing MegaCortex, LockerGoga, and later Nefilim — three notorious ransomware variants that wreaked havoc worldwide.
- MegaCortex, first uncovered in 2019, gained attention for its aggressive approach. It forcibly reset Windows passwords, encrypted sensitive files, and threatened to leak stolen data if ransoms were left unpaid.
- LockerGoga was linked to high-profile attacks, including the 2019 breach at Norsk Hydro, a Norwegian renewable energy company. The attack forced operations to a standstill across 170 sites and caused $81 million in damages.
- Nefilim emerged in 2020 and operated under a so-called “ransomware-as-a-service” model. Tymoshchuk allegedly leased access to the ransomware to affiliates, who carried out the attacks, and kept a 20% commission from each ransom payout.
Court filings suggest that while MegaCortex began spreading beyond corporate targets to individual PCs in late 2019, Nefilim maintained a narrower focus on large corporations, often valued at $100 million or more.
Prosecutors Describe a Persistent Offender
In announcing the charges, U.S. Attorney Joseph Nocella Jr. characterized Tymoshchuk as a relentless cybercriminal who continuously adapted his operations to evade detection.
Nocella noted that when earlier ransomware tools were neutralized, Tymoshchuk quickly shifted to newer, more sophisticated strains. The DOJ emphasized that this case reflects years of international collaboration to expose and prosecute a figure once believed to be untraceable.
The Federal Indictment
An unsealed indictment, first reported by The Register, provides details of Tymoshchuk’s alleged crimes. It lists seven charges, including:
- Intentional damage to protected computers.
- Threatening to release stolen information.
- Conspiracy to commit computer fraud.
The indictment also references several unnamed victims across the U.S. and Europe. If convicted, Tymoshchuk could face life imprisonment under U.S. sentencing guidelines.
Investigators allege that Tymoshchuk and his associates relied on penetration-testing tools such as Metasploit and Cobalt Strike — software typically used by cybersecurity professionals — to gain unauthorized access and remain hidden in networks for months before launching attacks.
Economic and Operational Fallout
The DOJ estimates that Tymoshchuk’s ransomware campaigns caused damages totaling $18 billion, a figure that underscores the immense costs tied to ransomware worldwide.
Beyond direct financial losses, many victims experienced operational shutdowns, reputational harm, and lasting vulnerabilities. In sectors like health care and energy, the disruptions carried potentially serious public safety risks.
The Norsk Hydro attack remains one of the clearest examples of these risks, as the company was forced to switch to manual operations across multiple facilities while working to recover from the cyberattack.
International Manhunt and Extradition Hurdles
Tymoshchuk’s current location remains unknown, though U.S. authorities are seeking his extradition. Should he be brought to the United States, he would face trial alongside Artem Stryzhak, a co-defendant already extradited to the U.S. to face related charges.
Legal experts warn that extradition may be complicated by Tymoshchuk’s Ukrainian nationality and geopolitical considerations. However, U.S. officials hope the $11 million reward and continued international coordination will eventually lead to his capture.




