Extortion to Extradition: Nefilim Ransomware Operator Pleads Guilty; Accomplice Remains at Large

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Key Takeaways

In the latest development related to the Nefilim ransomware arrest, U.S. prosecutors have confirmed that the arrested individual, Artem Aleksandrovych Stryzhak, has pleaded guilty for his role in ransomware attacks against companies in the United States and other countries.

Stryzhak, 35, was residing in Barcelona, Spain, at the time of his arrest. He pleaded guilty to committing computer fraud as part of the Nefilim ransomware operation.

Nefilim Ransomware Case and Current Status

Stryzhak, a Ukrainian national, is linked to an ongoing investigation into Nefilim, a financially motivated ransomware-as-a-service operation active since at least 2020.

He was arrested in June 2024. Following proceedings in Spain, he was taken to the US on April 30, 2025. Sentencing for Stryzhak is scheduled for May 6, 2026, with a potential prison term of up to 10 years.

Authorities have identified another suspect linked to the Nefilim operation who is at large. He is a senior co-conspirator, for whom the U.S. State Department’s Transnational Organized Crime Rewards Program has offered a reward of up to $11M.

The case involved coordinated action by U.S. prosecutors, the FBI, Spanish law enforcement, and international justice authorities. The operation is part of an ongoing campaign to stop ransomware actors across borders through arrests, extraditions, and criminal prosecutions.

Nefilim Cybercrime Operations

In 2021, administrators of the group granted Stryzhak access to the ransomware’s backend platform, which they called a “panel,” in exchange for a percentage of the extorted amount.

According to a DOJ press release, the group preferred targeting companies in the U.S., Canada, and Australia:

“In or about July 2021, a Nefilim administrator encouraged Stryzhak to target companies in those countries with more than $200 million dollars in annual revenue.”

Stryzhak used the panel to deploy ransomware and extort enterprises after data theft and encryption. Victims were selected based on company size, revenue, and location. After compromising corporate networks, the operators would set the ransom amount.

Each attack involved distinct ransomware binaries and decryption keys. The ransom posts threatened to publish stolen data on publicly accessible websites, referred to as “Corporate Leaks,” which were maintained by Nefilim administrators.

“If a victim paid the ransom demand, the perpetrators provided the decryption key, enabling the victim to decrypt files locked by the ransomware,” read the US DOJ press release. The case follows other recent cross-border cybercrime crackdowns, including a Europe-wide operation that dismantled large-scale fraud call centers in Ukraine.

