Skip to main content
Press Release

Ukrainian National Extradited from Spain to Face Conspiracy to Use Ransomware Charge

For Immediate Release
U.S. Attorney's Office, Eastern District of New York
Defendant Allegedly Took Part in Global Ransomware Scheme Using “Nefilim” Ransomware Strain

Earlier today, in federal court in Brooklyn, a superseding indictment was unsealed charging Artem Stryzhak with conspiracy to commit fraud and related activity, including extortion, in connection with computers, for his role in a series of international attacks using the Nefilim ransomware.  Stryzhak, a Ukrainian citizen, was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025.  The arraignment will be held later today before United States Magistrate Judge Robert M. Levy.

John J. Durham, United States Attorney for the Eastern District of New York, and Christopher J.S. Johnson, Special Agent in Charge, Federal Bureau of Investigation, Springfield, Illinois Field Office (FBI), announced the charges.

“As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment.  If victims did not pay, the criminals then leaked the data online,” stated United States Attorney Durham.  “The criminals who carry out these malicious cyber-attacks often do so from abroad in the belief that American justice cannot reach them.  The extradition of the defendant and today’s charges prove that they are wrong.”

Mr. Durham also thanked the Justice Department’s Office of International Affairs, Computer Crime and Intellectual Property Section, the FBI’s New York Field Office and the Government of Spain for their crucial assistance in securing the arrest and extradition from Spain of Stryzhak.

“The FBI has long recognized that combating international ransomware schemes requires strong partnerships,” stated FBI Special Agent in Charge Johnson.  “The successful extradition of the defendant is a significant achievement in that ongoing collaboration and it sends a clear message: those who attempt to hide behind international borders to target American citizens will face justice.”

As alleged in the superseding indictment, Nefilim ransomware was deployed to encrypt computer networks in countries around the world, including in the Eastern District of New York.  These ransomware attacks caused millions of dollars in losses, both from ransomware payments and damage to victim computer systems.  The perpetrators of Nefilim typically customized the ransomware executable file for each victim, creating a unique decryption key and customized ransom notes.  If the victims paid the ransom demand, the perpetrators sent the decryption key, enabling the victims to decrypt the computer files locked by the ransomware program.

In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds.  He operated the ransomware through his account on the online Nefilim platform, known as the “panel.”  When he first obtained access to the panel, Stryzhak asked a co‑conspirator whether he should choose a different username from the one he used in other criminal activities in case the panel “gets hacked into by the feds.”

Nefilim’s preferred ransomware targets were companies located in the United States, Canada, or Australia with more than $100 million in annual revenue. Stryzhak and others researched the companies to which they gained unauthorized access, including by using online databases to gather information about the victim companies’ net worth, size, and contact information.  In one exchange with Stryzhak in or about July 2021, a Nefilim administrator encouraged him to target companies in these countries with more than $200 million in annual revenue.

After gaining sufficient access to the victims’ networks, Stryzhak and his co‑conspirators stole data in furtherance of their scheme to extort ransom payments from them.  Nefilim ransom notes typically threatened the victims that unless they came to an agreement with the ransomware actors, the stolen data would be published on publicly accessible “Corporate Leaks” websites, which were maintained by Nefilim administrators.

The charges in the indictment are allegations and the defendant is presumed innocent unless and until proven guilty.  If convicted of the charge, Stryzhak faces up to five years’ imprisonment.

The government’s case is being handled by the Office’s National Security and Cybercrime Section.  Assistant United States Attorneys Alexander F. Mindlin and Ellen H. Sise of the Eastern District of New York and Trial Attorney Brian Mund of the Computer Crime and Intellectual Property Section are in charge of the prosecution, with assistance from Paralegal Specialist Rebecca Roth.

The Defendant:

ARTEM ALEKSANDROVYCH STRYZHAK
Age: 35
Barcelona, Spain 

E.D.N.Y. Docket No. 23-CR-324 (PKC)

Contact

John Marzulli
Denise Taylor                                          
United States Attorney’s Office
(718) 254-6323

Updated May 1, 2025

Topic
Cybercrime