Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been successfully extradited to the United States and now faces serious federal charges for his alleged involvement with the notorious Conti ransomware operation. Lytvynenko was apprehended by Irish national police, An Garda Síochána, in July 2023 at the request of the U.S. and was recently transferred following the conclusion of his extradition proceedings this month. If convicted, the charges of wire fraud conspiracy, which carries a maximum of 20 years, and computer fraud conspiracy, which carries 5 years, could collectively land him a maximum sentence of 25 years in federal prison.
The suspect allegedly played a critical role in the cybercrime group’s double extortion activities between 2020 and June 2022. Specifically, court documents state that Lytvynenko was involved in controlling data stolen from numerous Conti victims and participating in the delivery of ransom notes. Assistant Director Brett Leatherman of the FBI’s Cyber Division stated that Lytvynenko “conspired to deploy Conti ransomware against victims in the United States and across the globe, extorting millions in cryptocurrency and amassing a trove of stolen data.” Furthermore, the Department of Justice added that the conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims and published information stolen from a third victim in the Middle District of Tennessee alone.
The Russian-based Conti cybercrime gang launched its operation in 2020, replacing the Ryuk ransomware group, and rapidly grew into a full-scale syndicate. It soon assumed control over the development of multiple affiliated malware operations, including TrickBot and BazarBackdoor. The Department of Justice has since linked Conti to attacks on over 1,000 victims worldwide, reporting that the group had already collected more than $150 million in ransom payments as of January 2022. According to FBI estimates, Conti’s malware was responsible for more attacks on critical infrastructure than any other single ransomware variant in that period.
Although the criminals behind the operation have since shut down the official ‘Conti’ brand, the syndicate’s members did not cease their activity; instead, they quickly reorganized into smaller, specialized cybercrime cells. These groups have since infiltrated or completely taken over various other high-profile ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, and Hive. By splitting into new entities like AvosLocker, Quantum, BlackByte, Karakurt, and the Bazarcall collective, former Conti members have ensured they remain an active and destructive force within the global cyber landscape.
The extradition of Lytvynenko is the latest success in a coordinated international effort to combat the remnants of the Conti and TrickBot operations. In September 2023, the U.S. and the United Kingdom jointly sanctioned and charged nine Russian nationals linked to the groups for global attacks against more than 900 victims. Earlier, in February 2023, seven other Conti/TrickBot members were also sanctioned following the massive data leaks known as the ContiLeaks and TrickLeaks. Continuing the pressure, in May 2025, the Federal Criminal Police Office of Germany (BKA) even doxed the alleged leader of the entire enterprise, identifying him as 36-year-old Russian national Vitaly Nikolaevich Kovalev, who used the alias “Stern.”
Reference:
