Ransomware

Ukrainian extradited to US for alleged Nefilim ransomware attack spree

Federal law enforcement officials accuse Artem Stryzhak, who was arrested in Spain last year, of attacking and extorting multiple companies between 2018 and 2021.

By Matt Kapko

May 1, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

The Department of Justice building in Washington, DC, on February 9, 2022. (Photo by STEFANI REYNOLDS/AFP via Getty Images)

Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries.

Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.

Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.

“As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.

The Nefilim administrators and affiliates preferred to target companies located in the U.S., Canada or Australia with more than $100 million in annual revenue, officials said.

Stryzhak and unnamed co-conspirators are accused of attacking and extorting multiple companies, according to a superseding indictment that was unsealed Thursday. Officials said the series of ransomware attacks caused millions of dollars in losses, including extortion payments and damage to victim computer systems.

Stryzak’s alleged victims in the U.S. include an engineering consulting company based in France, an aviation industry company in New York, a chemical company in Ohio, an insurance company in Illinois, a company in the construction industry in Texas, a pet care company in Missouri, an international eyewear company and a company in the oil and gas transportation industry.

Stryzhak reached an agreement with Nefilim administrators to use the ransomware in exchange for 20% of the proceeds he extorted from Nefilim victims, according to the indictment.

“The criminals who carry out these malicious cyberattacks often do so from abroad in the belief that American justice cannot reach them,” Durham said. “The extradition of the defendant and today’s charges prove that they are wrong.”