Ukrainian man Oleksii Oleksiyovych Lytvynenko, following his extradition from Cork, Ireland to the US, made his initial appearance in court on an indictment charging him with conspiracy to deploy Conti ransomware attacks globally.
https://www.justice.gov/opa/pr/ukrainian-national-extradited-ireland-connection-conti-ransomware
Was this Ukrainian man who came in here under the government protection scheme involved in the Conti Ransomware attack on the HSE in May 2021?
Lytvynenko (Ukrainian lawyer) fled Ukraine in 2022, relocating to Cork, Ireland, with his wife and child to live here for free, receiving temporary protection status under EU rules for Ukrainian refugees.
He was arrested in Ireland in July 2023 at the U.S. request. He fought extradition (described in Irish court records as a Ukrainian lawyer), but lost his appeal in the Irish Court of Appeal in 2025 (case: The Attorney General v Oleksii Oleksiyovych Lytvynenko [2025] IECA 212).
He was living in Cork at that time, so it is fair to say that he could have been the actual instigator of this attack on the HSE on the ground here. If so, why wasn’t he prosecuted here in Ireland? What other cyber-crimes did he commit in Ireland?
Conti Attacked Over 1,000 Victims, Resulting in at least $150 Million in Ransom Payments. The HSE Conti ransomware attack here resulted in over 100,000 people’s data being put out onto the internet, including mine.
Following his extradition from Ireland, he had his initial appearance today in the Middle District of Tennessee on a 2023 indictment charging him with conspiracy to deploy Conti, a ransomware variant that infected victim computers and networks, encrypting their data.
According to court documents, from in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data. Court filings allege the conspirators hacked into victims’ computer networks, encrypted their data, and demanded a ransom to restore the victims’ access to their files and avoid public disclosure of the hacked information.
The conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims in the Middle District of Tennessee, and published information stolen from a third victim in that District.
Conti was used to attack more than 1,000 victims worldwide, including victims in the Middle District of Tennessee, approximately 47 states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries. The FBI estimates that, as of January 2022, Conti ransomware attacks resulted in at least $150 million in ransom payments.
According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant. Court documents further allege that Lytvynenko controlled data stolen from numerous Conti victims and was involved in the ransom notes deployed on the victims’ systems.
At the request of the United States, An Garda Síochána—the Irish national police—arrested Lytvynenko in July 2023. An Irish court then detained him pending extradition proceedings which concluded this month. In addition to his involvement in Conti, filings allege that he engaged in cybercrime up until days before his arrest in Ireland in 2023.
“The defendant allegedly participated in a conspiracy to extort approximately $150 million in ransomware payments responsible for defrauding victims in almost every U.S. state and from over two dozen countries worldwide,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “Ransomware is a significant threat to the safety, security, and prosperity of American citizens and business.
The Department will continue to pursue ransomware actors all over the world in its efforts to hold them to account for the damage they have inflicted on victims.”
“We will continue to work diligently to hold ransomware actors accountable for their actions which victimize American businesses and harm Tennesseans,” said Acting United States Attorney Robert E. McGuire. “I commend the prosecutors and investigators who have worked hard and sought justice for years in this investigation, and we look forward to proving our case in court.”
“Lytvynenko conspired to deploy Conti ransomware against victims in the United States and across the globe, extorting millions in cryptocurrency and amassing a trove of stolen data,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.
“His extradition demonstrates the strength of our partnership with Irish law enforcement and the FBI’s commitment to counter cyber criminals who threaten American infrastructure. We urge every organization to remain vigilant and quickly report ransomware intrusions to your local FBI field office.”
Lytvynenko is charged with computer fraud conspiracy and wire fraud conspiracy. If convicted, he faces a maximum penalty of 5 years in prison for the computer fraud conspiracy and 20 years in prison for the wire fraud conspiracy.
In September 2023, an indictment charging four other Conti conspirators was unsealed in the Middle District of Tennessee.
The FBI’s Nashville, San Diego, and El Paso field offices and the U.S. Secret Service are investigating the case.
Trial Attorney Sonia V. Jimenez of the Justice Department’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney Taylor Phillips of the Middle District of Tennessee are prosecuting the case.
The extradition was handled by the Justice Department’s Office of International Affairs with the cooperation of the Irish government and assistance from the U.S. Embassy in Ireland.
CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector. CCIPS leads the Department of Justice’s fight against ransomware. Since 2020, CCIPS has secured the conviction of over 180 cybercriminals, and court orders for the return of over $350 million in victim funds.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Updated October 30, 2025
Component: Criminal – Computer Crime and Intellectual Property Section
Press Release Number: 25-1049
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies
Thursday, September 7, 2023
For Immediate Release
Office of Public Affairs
Three indictments in three different federal jurisdictions have been unsealed charging multiple Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes.
According to court documents and public reporting, Trickbot, which was taken down in 2022, was a suite of malware tools designed to steal money and facilitate the installation of ransomware. Hospitals, schools, and businesses were among the millions of Trickbot victims who suffered tens of millions of dollars in losses.
While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants, including Conti. Conti was a ransomware variant used to attack more than 900 victims worldwide, including victims in approximately 47 states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries.
According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant.
“The Justice Department has taken action against individuals we allege developed and deployed a dangerous malware scheme used in cyberattacks on American school districts, local governments, and financial institutions,” said Attorney General Merrick B. Garland. “Separately, we have also taken action against individuals we allege are behind one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services.
These actions should serve as a warning to cybercriminals who target America’s critical infrastructure that they cannot hide from the United States Department of Justice.”
“Today’s announcement shows our ongoing commitment to bringing the most heinous cyber criminals to justice – those who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and businesses,” said FBI Director Christopher Wray. “Cyber criminals know that we will use every lawful tool at our disposal to identify them, tirelessly pursue them, and disrupt their criminal activity.
We, alongside our federal and international partners, will continue to impose costs through joint operations no matter where these criminals may attempt to hide.”
“The defendants charged in these three indictments across three different jurisdictions allegedly used their cyber knowledge and capabilities to victimize people and businesses around the world without regard for the damage they caused,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “These indictments should serve as a reminder that no matter a cybercriminal’s location, we will identify and pursue them by doing everything in our power to ensure they face the consequences of their actions.”
“Conti ransomware was used to exploit our financial systems and target hundreds of innocent victims,” said Special Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division. “The Secret Service will continue to work with our local, state, and federal law enforcement partners to investigate cybercriminals and bring offenders to justice.”
As detailed below, a federal grand jury in the Northern District of Ohio returned an indictment charging Maksim Galochkin, aka Bentley; Maksim Rudenskiy, aka Buza; Mikhail Mikhailovich Tsarev, aka Mango; Andrey Yuryevich Zhuykov, aka Defender; Dmitry Putilin, aka Grad and Staff; Sergey Loguntsov, aka Begemot and Zulas; Max Mikhaylov, aka Baget; Valentin Karyagin, aka Globus; and Maksim Khaliullin, aka Maxfax, Maxhax, and Kagas, all Russian nationals, with conspiring to use the Trickbot malware to steal money and personal and confidential information from unsuspecting victims, including businesses and financial institutions located in the United States and around the world, beginning in November 2015.
A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin, Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States beginning in 2020 and continuing through June 2022.
A federal grand jury in the Southern District of California returned an indictment charging Galochkin in connection with the Conti ransomware attack on Scripps Health on May 1, 2021.
Northern District of Ohio
The indictment returned in the Northern District of Ohio charged all nine defendants for their alleged roles in developing, deploying, managing, and profiting from the malware known as Trickbot. Trickbot was a sophisticated, modular, multi-functional suite of malware tools which (a) infected victims’ computers with malware designed to capture victims’ online banking login credentials; (b) obtained and harvested other personal identification information, including credit cards, emails, passwords, dates of birth, social security numbers, and addresses; (c) infected other computers connected to the victim computer; (d) used the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions; (e) stole funds from victims’ bank accounts and laundered those funds using U.S. and foreign beneficiary bank accounts provided and controlled by the defendants and co-conspirators; and (f) installed ransomware on victim computers.
“As alleged in the indictment, Trickbot infected millions of computers worldwide, including those used by hospitals, schools, and businesses,” said U.S. Attorney Rebecca C. Lutzko for the Northern District of Ohio. “Today’s announcement demonstrates that these dangerous cybercriminals are not anonymous, as they once believed. The indictments unsealed today show the resolve of the international community to work together to bring cybercriminals to justice. We will continue to use all resources at our disposal to stop cybercrime.”
Each defendant is charged with one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of wire fraud conspiracy, and one count of conspiracy to launder the proceeds of the scheme. The indictment also included an enhancement for falsely registering domains. If convicted, each defendant faces a maximum penalty of 62 years in prison.
Trickbot malware developers Alla Witte and Vladimir Dunaev were previously indicted and apprehended. Witte, a Latvian national, pleaded guilty to conspiracy to commit computer fraud and was sentenced to 32 months in June 2023. Dunaev, a Russian national, currently is in custody and pending trial in Cleveland.
Middle District of Tennessee
The Middle District of Tennessee indictment charges that the individuals behind Conti ransomware, including Galochkin, Rudenskiy, Tsarev, and Zhuykov, conspired to use Conti to attack hundreds of victims. Conti’s victims included hospital systems, local governments, and foreign governments. Conti conspirators allegedly extorted funds from victims in the Middle District of Tennessee and encrypted the computer systems of a local sheriff’s department, a local police department, and local emergency medical services, among others. Ransom notes left on Conti victims’ computer systems typically boasted “if you don’t [know Conti] – just ‘google it.’”
“The conspirators who developed and deployed Conti ransomware victimized businesses, governments, and non-profits around the world, including a sheriff’s office and an emergency medical service in Tennessee,” said U.S. Attorney Henry C. Leventis for the Middle District of Tennessee. “We will continue to use the full power of this office to ensure that hackers can no longer hide behind their computer screens and to hold them accountable.”
Galochkin was a “crypter” for Conti, modifying the ransomware so that it would not be detected by anti-virus programs; Rudenskiy was a developer who supervised other Conti developers; Tsarev was a manager of other Conti conspirators; and Zhuykov was a systems administrator who managed users of Conti infrastructure, organized and paid for infrastructure and tools, and assisted in problem solving infrastructure-related issues.
Galochkin, Rudenskiy, Tsarev, and Zhuykov are each charged with one count of conspiracy to violate the Computer Fraud and Abuse Act and one count of wire fraud conspiracy. If convicted, each defendant faces a maximum penalty of 25 years in prison.
Southern District of California
As alleged in the Southern District of California indictment, Galochkin caused the transmission of the Conti malware and impaired the medical examination, diagnosis, treatment, and care of one or more individuals.
Galochkin is charged with three counts of computer hacking. If convicted, he faces a maximum penalty of 20 years in prison.
“The indictment alleges a callous disregard for the medical care and the personal information of residents of the Southern District of California,” said Acting U.S. Attorney Andrew R. Haden for the Southern District of California. “This office is committed to protecting victims of cybercrime and holding perpetrators accountable.”
The FBI Cleveland Field Office is leading the investigation into Trickbot malware.
Assistant U.S. Attorneys Daniel Riedl and Duncan Brown for the Northern District of Ohio and Senior Counsel Candina Heath of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the Trickbot malware case.
The FBI San Diego, Memphis, and El Paso Field Offices, with U.S. Secret Service, are leading the investigation into Conti ransomware. The U.S. Attorney’s Office for the Western District of Texas provided significant assistance.
Assistant U.S. Attorney Taylor J. Phillips for the Middle District of Tennessee, Assistant U.S. Attorneys Jonathan Shapiro and Kareem Salem for the Southern District of California, and Trial Attorney Sonia V. Jimenez and Senior Counsel Ryan K.J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the Conti ransomware cases.
The Justice Department’s National Security Division provided significant assistance in the Conti ransomware and Trickbot malware investigations.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.




