The U.S. Department of Justice has indicted a Ukrainian national who led the ransomware hacking groups LockerGoga, MegaCortex, and Nefilim, while Europol has added him to its “most wanted” list.
The U.S. Department of Justice has indicted a Ukrainian national who led the ransomware hacking groups LockerGoga, MegaCortex, and Nefilim, while Europol has added him to its “most wanted” list.
According to the US Department of Justice, Volodymyr Tymoshchuk, known as deadforz, Boba, msfv and farnetwork, was allegedly the main organizer of ransomware attacks from December 2018 to October 2021. He is accused of cyberattacks on more than 250 US companies and hundreds more around the world, including in France, Germany, the Netherlands, Norway and Switzerland, which caused serious business disruptions, large-scale data encryption and significant financial losses, writes The Cyber Express.
The U.S. Department of Justice alleges that Tymoshchuk and his accomplices created custom ransomware for each victim, allowing only unique decryption keys to be used. When victims received decryptors for older versions of the programs, Tymoshchuk responded by deploying new variants.
In addition, another Ukrainian, Artem Stryzhak, who was extradited from Spain in May 2025, was a possible accomplice associated with the Nefilim campaign.
Meanwhile, Europol has added Tymoshchuk to its list of “most wanted” criminals, promising up to $10 million for information leading to his capture.
“This individual, a Ukrainian citizen, is believed to be a leading figure in the organized crime network responsible for the 2019 ransomware attack on a major Norwegian aluminum company, as well as a series of other global cyberattacks,” Europol said in a statement.
The reference is to the March 18, 2019 attack on Norwegian aluminum producer Norsk Hydro.
“The fugitive is wanted by several countries and is considered a prime target for international law enforcement,” Europol added.
According to Europol, Ukrainian law enforcement officers have already detained some of the group's members. Their investigation helped to clarify the hierarchy and determine the role of each participant - from malware developers to attackers and money launderers.
“Those responsible for infiltrating the network did so using techniques such as brute force attacks, SQL injections and phishing emails with malicious attachments to steal usernames and passwords,” Europol said at the time. Once inside the network, the attackers remained undetected and gained additional access using tools including the TrickBot malware, Cobalt Strike and PowerShell Empire to compromise as many systems as possible before launching a ransomware attack.
For information leading to the apprehension, arrest, or conviction of Tymoshchuk, the US Department of State, as part of its Transnational Crime Program, is offering a reward of up to $11 million.
