Artem Aleksandrovych Stryzhak, a Ukrainian national, was extradited from Spain to the United States on April 30, 2025, to face charges linked to his involvement in Nefilim ransomware attacks. Arrested in Spain in June 2024, Stryzhak allegedly participated in cyberattacks targeting high-revenue companies primarily located in the United States, Europe, and other countries. The U.S. Department of Justice claims that Stryzhak became an affiliate of the Nefilim ransomware operation in June 2021. In exchange for his services, he received 20% of any ransom payments generated by the attacks he was involved in.
Stryzhak and his co-conspirators used online platforms like ZoomInfo to research potential targets, focusing on companies with annual revenues over $200 million. These targets included firms in the U.S., Norway, France, Switzerland, Germany, and the Netherlands. They gathered detailed information about their targets, such as company size, revenue, and contact details. The Nefilim group then carried out its attacks by breaching corporate networks, stealing sensitive data, and encrypting files using ransomware. Once the files were encrypted, the attackers demanded ransom payments in bitcoin for the decryption keys and threatened to publicly leak the stolen data if the victims refused to pay.
The Nefilim ransomware, which first emerged in 2020, shares much of its code with the Nemty ransomware. It encrypted files with AES-128 and marked them with the “.NEFILIM” file extension. Ransom notes named “NEFILIM-DECRYPT.txt” were created throughout the victim’s device to warn that stolen data would be made public within seven days if no negotiations began. The group rebranded the ransomware over time, using various names such as Fusion, Milihpen, Gangbang, Nemty, and Karma. These attacks have had significant financial implications for the companies involved, with victims including well-known firms like Toll Group, Orange, and Whirlpool.
Stryzhak faces serious charges in connection with conspiracy to commit fraud and related extortion activities, specifically concerning computer systems. His indictment was unsealed in federal court in Brooklyn, where he is set for arraignment before U.S. Magistrate Judge Robert M. Levy. If convicted, Stryzhak could face up to five years in prison for his role in the ransomware attacks. His extradition and the ongoing legal proceedings highlight the growing global efforts to hold cybercriminals accountable for their actions.