A Ukrainian national has admitted his role in the notorious Nefilim ransomware operation, confirming the inner workings of a “Big Game Hunting” scheme that ruthlessly targeted corporations with revenues exceeding $100 million. The Department of Justice (DOJ) announced that the defendant, who once worried openly about federal infiltration, now faces up to a decade behind bars.
Artem Aleksandrovych Stryzhak, 35, entered a guilty plea to conspiracy to commit computer fraud. “A Ukrainian national pleaded guilty today to one count of conspiracy to commit computer fraud for his role in a series of international ransomware attacks,” the DOJ confirmed.
According to court documents, Stryzhak joined the operation in June 2021, agreeing to a profit-sharing model where he kept 20 percent of the ransom proceeds. He managed his attacks through a sophisticated online platform known simply as the “panel.”
In a detail that highlights the paranoia often present in cybercriminal circles, prosecutors noted Stryzhak’s concern about operational security shortly after joining. He reportedly asked a co-conspirator whether he should change his username to distinguish it from other criminal activities, “in case the panel ‘gets hacked into by the feds.’”
Stryzhak’s fears were prescient. He was arrested in Spain in June 2024 and extradited to the United States on April 30.
The Nefilim group was highly selective, engaging in targeted research to maximize their payouts. They didn’t just cast a wide net; they stalked specific prey.
“Nefilim administrators preferred to target companies located in the United States, Canada, or Australia with annual revenues exceeding $100 million,” the DOJ stated. As the scheme progressed, the financial bar was raised even higher, with administrators encouraging affiliates to target organizations with annual revenues north of $200 million.
Stryzhak and his cohorts utilized online databases to vet potential victims, analyzing their “net worth, size, and contact information” before deploying the malware.
Once inside a network, the group employed the now-standard “double extortion” tactic. They didn’t just lock the files; they stole them.
“As part of the extortion scheme, the conspirators threatened that unless victims agreed to pay the ransom, the stolen data would be published on publicly accessible ‘Corporate Leaks’ websites maintained by Nefilim administrators.”
For those who paid, the group provided a customized decryption key. “As part of the scheme, the conspirators generated a unique ransomware executable file for each victim, along with a corresponding decryption key and customized ransom note.”
While Stryzhak awaits his sentencing—scheduled for May 6, 2026—the hunt for his associates is intensifying. The DOJ highlighted a massive bounty for another key figure in the conspiracy.
“The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program has offered a reward of up to $11 million for information leading to the arrest and/or conviction or location of Stryzhak’s charged co-conspirator, Volodymyr Tymoshchuk.”
Stryzhak faces a maximum penalty of 10 years in prison.