Nefilim ransomware hacker faces prison after pleading guilty

A Ukrainian national has pleaded guilty to committing computer fraud and extorting his victims in a series of international ransomware attacks.
Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national residing in Barcelona, Spain, conspired with others to deploy the Nefilim ransomware against his victims.
Stryzhak generated a unique ransomware executable file for each of his victims, along with a corresponding decryption key and customized ransom note. If a victim paid the ransom demand, Stryzhak would provide them with the decryption key so they could decrypt the files locked by the ransomware.
If the victim refused to pay, Stryzhak threatened to publish the stolen data on the Nefilim administrators’ “Corporate Leaks” website.
In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds.
The ransomware administrators asked him to target companies in the United States, Canada, or Australia with an annual turnover of over $100 million. Around July 2021, Stryzhak was encouraged to only attack businesses with a global turnover of more than $200 million.
The lead suspect and his co-conspirators researched potential victims after successfully gaining unauthorized access to their corporate networks. They were seeking information about the companies’ net worth, size, and contact details.
Stryzhak was arrested in Spain in June 2024 and extradited to the United States on April 30th, 2025.
According to a press release by the US Department of Justice, the Ukrainian national has pleaded guilty to conspiracy to commit computer fraud in connection with his Nefilim ransomware activities. He is scheduled to be sentenced on May 6th, 2026. He faces a maximum penalty of ten years in prison.
Nefilim ransomware was first discovered in March 2020. Its affiliates used double extortion tactics to coerce victims to pay a ransom demand.
To install the malicious software, attackers used various methods, including exposed Remote Desktop Protocol (RDP) services and a known Citrix vulnerability (CVE-2019-19781). Once the software was installed, attackers used legitimate tools for lateral movement, dropping and executing other components, including the ransomware itself.
The ransomware appended the .NEFILIM file extension to encrypted files. Nefilim is believed to have later rebranded under other names, including Fusion, Milihpen, Gangbang, Nemty, and Karma.
Orange and Whirlpool are among the companies that were affected by Nefilim.