Ukrainian National Extradited from Ireland in Connection with Conti Ransomware

Following his extradition from Ireland, a Ukrainian man had his initial appearance today in the Middle District of Tennessee on a 2023 indictment charging him with conspiracy to deploy Conti, a ransomware variant that infected victim computers and networks, encrypting their data.

According to court documents, from in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data. Court filings allege the conspirators hacked into victims’ computer networks, encrypted their data, and demanded a ransom to restore the victims’ access to their files and avoid public disclosure of the hacked information.  The conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims in the Middle District of Tennessee, and published information stolen from a third victim in that District.

Conti was used to attack more than 1,000 victims worldwide, including victims in the Middle District of Tennessee, approximately 47 states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries. The FBI estimates that, as of January 2022, Conti ransomware attacks resulted in at least $150 million in ransom payments. According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant.  Court documents further allege that Lytvynenko controlled data stolen from numerous Conti victims and was involved in the ransom notes deployed on the victims’ systems.

At the request of the United States, An Garda Síochána—the Irish national police—arrested Lytvynenko in July 2023. An Irish court then detained him pending extradition proceedings which concluded this month. In addition to his involvement in Conti, filings allege that he engaged in cybercrime up until days before his arrest in Ireland in 2023.

“The defendant allegedly participated in a conspiracy to extort approximately $150 million in ransomware payments responsible for defrauding victims in almost every U.S. state and from over two dozen countries worldwide,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “Ransomware is a significant threat to the safety, security, and prosperity of American citizens and business. The Department will continue to pursue ransomware actors all over the world in its efforts to hold them to account for the damage they have inflicted on victims.”

“We will continue to work diligently to hold ransomware actors accountable for their actions which victimize American businesses and harm Tennesseans,” said Acting United States Attorney Robert E. McGuire. “I commend the prosecutors and investigators who have worked hard and sought justice for years in this investigation, and we look forward to proving our case in court.”

“Lytvynenko conspired to deploy Conti ransomware against victims in the United States and across the globe, extorting millions in cryptocurrency and amassing a trove of stolen data,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “His extradition demonstrates the strength of our partnership with Irish law enforcement and the FBI’s commitment to counter cyber criminals who threaten American infrastructure. We urge every organization to remain vigilant and quickly report ransomware intrusions to your local FBI field office.”

Lytvynenko is charged with computer fraud conspiracy and wire fraud conspiracy. If convicted, he faces a maximum penalty of 5 years in prison for the computer fraud conspiracy and 20 years in prison for the wire fraud conspiracy.

In September 2023, an indictment charging four other Conti conspirators was unsealed in the Middle District of Tennessee.

The FBI’s Nashville, San Diego, and El Paso field offices and the U.S. Secret Service are investigating the case.

Trial Attorney Sonia V. Jimenez of the Justice Department’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney Taylor Phillips of the Middle District of Tennessee are prosecuting the case.

The extradition was handled by the Justice Department’s Office of International Affairs with the cooperation of the Irish government and assistance from the U.S. Embassy in Ireland.

CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector.  CCIPS leads the Department of Justice’s fight against ransomware.  Since 2020, CCIPS has secured the conviction of over 180 cybercriminals, and court orders for the return of over $350 million in victim funds.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.