Date: 2025-09-11
US DoJ puts $11 million bounty on ransomware king allegedly responsible for stealing $18 billion
Volodymyr Tymoshchuk is a very naughty boy.
The United States Department of Justice has placed an $11 million bounty on Ukrainian national Volodymyr Viktorovich Tymoshchuk—who also goes by the aliases deadforz, Boba, msfv, and farnetwork—accusing him of being the mastermind behind ransomware that has been used to attack over 250 US companies, as well as others around the world. The DoJ says that these cybercrimes resulted in the theft of an eye-watering $18 billion over three years.
Tymoshchuk is accused of being "an administrator" behind various ransomware strains, including MegaCortex, LockerGoga, and Nefilim. From late 2018 to October 2021, Tymoshchuk is alleged to have first operated LockerGoga and MegaCortex attacks; the latter changes the passwords and encrypts all files on a host computer before issuing threats to the user and demands for payment. LockerGoga was used in an attack on Norsk Hydro, a Norwegian energy company, that affected all of its 170 sites and caused an estimated $81 million in damages.
When these ransomware strains were decrypted by cybersecurity professionals, Tymoshchuk allegedly moved on to engineer and manage Nefilim, which is sold to third-party attackers in exchange for 20% of the funds stolen in successful attacks. MegaCortex was intended for corporate targets but ended up being used against individual users, whereas Nefilim (per the indictment) focused exclusively on companies valued at $100 million and above (thanks, Tom's Hardware).
"Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world," said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. "In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored. This prosecution and today’s rewards announcement reflects our determination to protect businesses from digital sabotage and extortion and to relentlessly pursue the criminals responsible, no matter where they are located."
"Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms," said US Attorney Joseph Nocella Jr. in a DoJ statement. "For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today's charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous."
It does sound like this is a cat-and-mouse game that's been going on for some time. The indictment says that, while Tymoshchuk and his co‑conspirators compromised more than 250 companies in the US, "many of these extortion attempts were unsuccessful" because the Feds were able to warn the companies affected before the actual ransomware was deployed. In addition to this, in September 2022 decryption keys for LockerGoga and MegaCortex were made publicly available as part of the "No More Ransomware" project.
Who wants to hear some FBI agents getting hot for justice? "Today’s announcement should serve as [a] warning: cyber criminals may believe they act with impunity while conducting harmful cyber intrusions, but law enforcement is onto you and will hold you accountable," said Assistant Director Christopher G. Raia of the FBI, adding that the bureau "will continue to scour the globe to bring to justice any individual attempting to use the anonymity of the internet to commit crime."
Special Agent Christopher J. S. Johnson adds that "The criminals behind Nefilim ransomware may believe they can profit from extortion and data leaks, but they are wrong."
Tymoshchuk is charged with seven counts in total: two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. The charges could result in life in prison.
The US Department of State's Transnational Organized Crime Rewards Program is now offering rewards totaling up to $11 million for information that leads to the arrest and/or conviction of Tymoshchuk or his co-conspirators.
