BREAKING NEWS: Europol announced Tuesday, March 17, 2026, that Ukrainian national Volodymyr Tymoshchuk, a central figure in a global cybercrime syndicate, has been formally charged in connection with the deployment of the LockerGoga, MegaCortex, and Nefilim ransomware strains. Tymoshchuk, 28, is currently wanted by authorities and is considered one of Europe’s most sought-after fugitives, with allegations linking him to a vast cybercrime operation that has extorted over €15 billion from companies worldwide.
The charges against Tymoshchuk, who is known online by aliases such as “deadforz” and “Boba,” stem from a superseding indictment unsealed in May 2024 by the U.S. District Court for the Eastern District of New York. He faces two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information.
The scale of the alleged criminal enterprise is staggering. Tymoshchuk and his co-conspirators are accused of compromising networks and extorting more than 250 companies in the United States alone, with hundreds more victims reported globally. The ransomware attacks, which allegedly ran from December 2018 to October 2021, caused millions of dollars in direct losses, including ransom payments, system damage, and remediation costs. LockerGoga alone is estimated to have inflicted $104 million in damages, with the Norsk Hydro attack costing between $46 million and $52 million. The total financial impact of the group’s activities is reported to exceed €15 billion.
At 28 years old, Volodymyr Tymoshchuk, born on October 2, 1996, is a Ukrainian national believed by authorities to be a key administrator within the cybercrime syndicate. He is not associated with any legitimate enterprise, instead allegedly leading or managing sophisticated ransomware schemes that targeted industrial and manufacturing firms, “blue-chip American companies, health care institutions, and large foreign industrial firms” with annual revenues exceeding $100 million.
The investigation into Tymoshchuk and his associates has been a monumental international collaboration, involving law enforcement agencies from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, the UK, and the US. The FBI, with assistance from the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and the U.S. Attorney’s Office for the Eastern District of New York’s National Security and Cybercrime Section, led the probe. The sophisticated nature of the attacks, which included customizing ransomware for each victim and disabling security tools, required extensive digital forensics and intelligence sharing to unravel.
“The charges against Volodymyr Tymoshchuk represent a significant step in dismantling a global cybercrime network that has inflicted immense financial and operational damage on critical industries worldwide. This ongoing pursuit underscores the relentless commitment of international law enforcement to bring these perpetrators to justice, no matter how sophisticated their operations.”
As of this breaking news, Volodymyr Tymoshchuk remains a fugitive. A federal arrest warrant has been issued, and the U.S. Department of State is offering a reward of up to $10 million for information leading to his arrest and/or conviction. His co-conspirator, Artem Stryzhak, was extradited from Spain in April 2025, pleaded guilty to conspiracy to commit computer fraud on December 19, 2025, and is scheduled for sentencing on May 6, 2026. This conviction provides crucial insight into the inner workings of the syndicate and strengthens the case against Tymoshchuk.
This case highlights critical red flags that organizations must address to protect themselves from such sophisticated cyber threats. Initial access was often gained through phishing, exposed remote services, or stolen credentials. Companies should implement robust email security, regular employee training on phishing awareness, and mandatory multi-factor authentication. Furthermore, regular patching of systems, strong network segmentation, advanced endpoint detection and response (EDR) solutions, and privileged access management (PAM) are crucial to prevent lateral movement and privilege escalation within networks. Organizations must also maintain robust, segmented, and regularly tested backup and recovery strategies to mitigate the impact of ransomware. Continuous security monitoring and a well-practiced incident response plan are essential to detect and respond to compromises before widespread damage occurs. Readers are urged to review their own digital defenses and remain vigilant against evolving cyber threats. For more information on related fraud investigations, visit our archives.




