US charges admin of LockerGoga, MegaCortex, Nefilim ransomware
The U.S. Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is on the most wanted lists of both the EU and the FBI. He has been involved in ransomware attacks that compromised hundreds of companies, resulting in millions of dollars in damages, according to a superseding indictment unsealed today.
Between July 2019 and June 2020, Tymoshchuk and his accomplices allegedly breached the networks of over 250 companies across the United States and many more worldwide in LockerGoga and MegaCortex ransomware attacks. However, in many of these incidents, they failed to deploy the ransomware on the victims’ networks due to early law enforcement alerts.
From July 2020 to October 2021, Tymoshchuk allegedly served as an administrator of the Nefilim ransomware operation, providing access to affiliates, including co-defendant Artem Aleksandrovych Stryzhak, who was extradited from Spain in April 2025, in exchange for 20 percent of the ransom proceeds.
In November 2023, cybersecurity company Group-IB linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs, helping them recruit affiliates on multiple Russian-speaking hacker forums since April 2019.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. “In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored,” Acting Assistant Attorney General Matthew R. Galeotti added.