
Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations

2 unique sources, 3 articles

Summary


Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.

Timeline

  1. 22.12.2025 12:15 · 1 article

    Nefilim ransomware rebranded as Fusion, Milihpen, Gangbang, Nemty, Karma

    Nefilim ransomware has been rebranded under several other names, including Fusion, Milihpen, Gangbang, Nemty, and Karma.

  2. 22.12.2025 11:46 · 2 articles

    Artem Stryzhak pleads guilty to Nefilim ransomware attacks

    Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities.

  3. 09.09.2025 19:08 · 2 articles

    Ukrainian national Volodymyr Tymoshchuk charged for LockerGoga, MegaCortex, Nefilim ransomware operations

    Volodymyr Viktorovich Tymoshchuk, a Ukrainian national, has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met.



Similar Happenings

Yanluowang Ransomware Initial Access Broker Pleads Guilty

Aleksey Olegovich Volkov, a Russian national, pleaded guilty to acting as an initial access broker (IAB) for the Yanluowang ransomware group, facilitating attacks on at least eight U.S. companies between July 2021 and November 2022. Volkov breached corporate networks and sold access to the ransomware group, which encrypted victims' data and demanded ransoms ranging from $300,000 to $15 million. Investigators recovered chat logs, stolen data, and evidence linking Volkov to the attacks, including a potential connection to the LockBit ransomware gang. Volkov faces up to 53 years in prison and must pay over $9.1 million in restitution.

Conti Ransomware Member Extradited from Ireland to US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The reliance on legitimate tools and minimal malware demonstrates the actors' deep knowledge of Windows native tools.

In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, vital to Ukraine's economy, was targeted to disrupt the country's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group.

A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of the ZeroLot and Sting wipers.

Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as the GRU. The targeted entity had worked for a city with close ties to Ukraine in the past.

The ESET report noted that other Russia-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla's backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon's toolset continued to evolve, incorporating new file stealers and tunneling services.

Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce. In a separate development, two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data. Jubair and Flowers are also facing additional charges related to attacks on other organizations, including SSM Health Care Corporation, Sutter Health, and U.S. courts.

ShinyHunters and Scattered Spider Collaboration

The **ShinyHunters and Scattered Spider collaboration** has escalated with a **new extortion campaign targeting PornHub Premium members**, following the **Mixpanel data breach on November 8, 2025**. ShinyHunters, confirmed as the perpetrator, stole **94GB of data** containing **over 200 million records** of PornHub users' historical search, watch, and download activity from 2021 or earlier. The stolen data includes **email addresses, video URLs, keywords, locations, and timestamps**, which the group is now using to extort victims, including PornHub, via ransom demands. PornHub confirmed the breach impacted its Premium users but clarified that **no passwords, payment details, or financial information were exposed** and that the compromise stemmed from a **third-party vendor (Mixpanel)**, not its own systems. **Mixpanel has disputed the origin of the data**, stating it was last accessed by a legitimate PornHub employee account in 2023 and that there is no evidence it was stolen during their November 2025 incident. This latest attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover's operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. The groups have also targeted **Almaviva/FS Italiane Group**, **Zendesk users**, and now **Mixpanel customers**, demonstrating their ability to **leverage third-party IT providers, cloud-based CRM systems, and analytics platforms** to maximize data exposure. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and claims of shutdowns, the threat persists, with authorities like the **FBI and U.K. NCA** issuing ongoing alerts as the groups adapt tactics, including **smishing, OAuth token abuse, and AI-enhanced tooling** to evade detection.

The **Gainsight cyber-attack** further expanded in late November 2025, with Salesforce confirming a **larger, unspecified number of victims** beyond the initial three disclosed. The breach involved **unauthorized access via an AT&T IP address on November 8**, followed by **reconnaissance and intrusions using VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**. Forensic investigations revealed the attackers exploited **compromised multifactor credentials**, prompting Gainsight to advise customers to **rotate S3 keys, reset passwords, and re-authorize integrations**. Meanwhile, the **SLSH alliance unveiled ShinySp1d3r**, a **ransomware-as-a-service (RaaS) platform** with **advanced anti-forensic capabilities** and **network propagation tools**, administered by core member **Saif Al-Din Khader (aka Rey)**, who claims cooperation with law enforcement since June 2025. The alliance has been linked to **51 cyberattacks in the past year**, combining **RaaS, extortion-as-a-service (EaaS), and insider recruitment** to maximize impact across sectors.