Threat Summary
Category: Transnational Cybercrime
Features: Ransomware administration, extortion of industrial/healthcare targets, fugitive indictment, law enforcement coordination across borders
Delivery Method: Exploitation of vulnerabilities, pre-existing infections (Emotet/Qakbot), custom ransomware payloads
Threat Actor: Volodymyr Viktorovich Tymoshchuk (“deadforz,” “Boba,” “msfv,” “farnetwork”), affiliated ransomware groups and affiliates
The U.S. Department of Justice has unsealed an indictment charging Volodymyr Viktorovich Tymoshchuk, a Ukrainian national, for his central role in administering several notorious ransomware families — LockerGoga, MegaCortex, and Nefilim. Operating between December 2018 and October 2021, Tymoshchuk allegedly directed attacks on hundreds of organizations across the U.S. and Europe, causing millions in damages and crippling sectors that included manufacturing, healthcare, and industrial services.
Known in underground forums by multiple handles — deadforz, Boba, msfv, farnetwork — Tymoshchuk earned a reputation among cybercriminals as a serial ransomware operator who evolved his methods each time law enforcement or security researchers released decryptors for his malware.
He is currently a fugitive, with the U.S. State Department offering $11 million for information leading to his capture.
Major Incidents Attributed to Tymoshchuk’s Ransomware
- LockerGoga (2019): Infamous for its devastating attack on Norsk Hydro, a Norwegian aluminum producer, which caused widespread shutdowns and an estimated $104 million in damages. Additional confirmed victims include Altran (France), Hexion, and Momentive (U.S.).
- MegaCortex (2019–2020): Known for its complexity and links to precursor infections such as Emotet and Qakbot, this strain often infiltrated corporate environments through exposed infrastructure and stolen credentials.
- Nefilim (2020–2021): Emerged as a high-pressure extortion ransomware targeting industrial firms and healthcare institutions. One affiliate, Artem Stryzhak, was extradited from Spain in May 2024.
According to DOJ officials, Tymoshchuk’s attacks often resulted in total operational shutdowns until victims either paid ransoms or rebuilt from backups — a tactic designed to maximize leverage through disruption.
Law Enforcement Response
The charges against Tymoshchuk include:
- 2 counts of conspiracy to commit fraud
- 3 counts of intentional damage to a protected computer
- 1 count of unauthorized access to a protected computer
- 1 count of transmitting threats to disclose confidential information
European and U.S. law enforcement had been tracking LockerGoga and MegaCortex operations since 2019. In October 2021, a multinational Europol-led operation — involving Norway, France, the Netherlands, Ukraine, the U.K., Germany, Switzerland, and the U.S. — resulted in the arrest of 12 affiliates tied to these ransomware families. Additional arrests followed in 2023, further dismantling the networks but leaving Tymoshchuk at large.
Decryptors were later released as part of the No More Ransom Project — LockerGoga in September 2022, and MegaCortex in January 2023 — giving victims a recovery path without paying.
Systemic Threats
Experts such as Bogdan Botezatu (Bitdefender) note that MegaCortex was not a lone-wolf operation but a team-based enterprise, with roles specialized in vulnerability exploitation, lateral movement, and payload deployment. This reflects the broader industrialization of ransomware: a supply-chain model where malware developers, affiliates, and infrastructure managers collaborate across borders.
The DOJ stressed that Tymoshchuk adapted quickly to law enforcement pressure, creating new strains and tactics as older ones were neutralized. In several cases, operations were only stopped because agencies were able to warn victims in real time, preventing encryption before execution.
Parallel Case — BlackDB.cc
Alongside Tymoshchuk’s indictment, prosecutors announced that Liridon Masurica, a 33-year-old from Kosovo, pleaded guilty to running BlackDB.cc, a major cybercriminal marketplace active from 2018–2025. The platform sold compromised accounts, server credentials, credit card data, and personal information, enabling large-scale tax fraud, credit card theft, and identity crimes.
Masurica was arrested in December 2024 and extradited to the U.S., where he faces up to 10 years in prison for conspiracy to commit access device fraud. His guilty plea underscores the convergence of ransomware and data marketplaces — two pillars of the modern cybercrime economy.
Forecast — 30 Days
- Increased pursuit of fugitives like Tymoshchuk as U.S. and European agencies prioritize high-profile ransomware figures.
- Greater reliance on rewards programs (like the $11M bounty) to encourage whistleblowers and rival criminals to provide intelligence.
- Targeted strikes on underground marketplaces to dismantle ransomware support infrastructure.
- Ransomware evolution: Expect continued emergence of successor strains built on lessons from LockerGoga and MegaCortex.
- Policy impact: Renewed debate on international extradition treaties and the use of financial sanctions against harboring states.
TRJ Verdict
The Tymoshchuk indictment proves a point we’ve seen play out across the ransomware economy: personalities matter as much as payloads. When a skilled administrator coordinates operations across multiple ransomware families, the result is not random cybercrime — it’s industrialized extortion, with supply chains, partnerships, and global impact.
While decryptors and coordinated arrests have disrupted LockerGoga and MegaCortex, the fact that Tymoshchuk remains at large shows the limits of law enforcement reach. Until fugitives like him are captured — and until states crack down on the jurisdictions that harbor them — ransomware will continue to regenerate like a hydra, each arrest giving rise to new strains and affiliates.
This isn’t just about data or downtime. It’s about the fragility of the global digital economy when criminal syndicates can hold factories, hospitals, and infrastructure hostage from safe havens abroad.
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 1 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed.
🔥 Kindle Edition 👉 https://a.co/d/9EoGKzh
🔥 Paperback 👉 https://a.co/d/9EoGKzh
🔥 Hardcover Edition 👉 https://a.co/d/0ITmDIB
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 2 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed just like the first one.
🔥 Kindle Edition 👉 https://a.co/d/1xlx7J2
🔥 Paperback 👉 https://a.co/d/a7vFHN6
🔥 Hardcover Edition 👉 https://a.co/d/efhu1ON
Get your copy today and experience poetry like never before. #InkAndFire #PoetryUnleashed #FuelTheFire
🚨 NOW AVAILABLE! 🚨
📖 THE INEVITABLE: THE DAWN OF A NEW ERA 📖
A powerful, eye-opening read that challenges the status quo and explores the future unfolding before us. Dive into a journey of truth, change, and the forces shaping our world.
🔥 Kindle Edition 👉 https://a.co/d/0FzX6MH
🔥 Paperback 👉 https://a.co/d/2IsxLof
🔥 Hardcover Edition 👉 https://a.co/d/bz01raP
Get your copy today and be part of the new era. #TheInevitable #TruthUnveiled #NewEra
🚀 NOW AVAILABLE! 🚀
📖 THE FORGOTTEN OUTPOST 📖
The Cold War Moon Base They Swore Never Existed
What if the moon landing was just the cover story?
Dive into the boldest investigation The Realist Juggernaut has ever published—featuring declassified files, ghost missions, whistleblower testimony, and black-budget secrets buried in lunar dust.
🔥 Kindle Edition 👉 https://a.co/d/2Mu03Iu
🛸 Paperback Coming Soon
Discover the base they never wanted you to find. TheForgottenOutpost #RealistJuggernaut #MoonBaseTruth #ColdWarSecrets #Declassified
Support truth, health, and preparedness by shopping the Alex Jones Store through our link. Every purchase helps sustain independent voices and earns us a 10% share to fuel our mission. Shop now and make a difference!
https://thealexjonesstore.com?sca_ref=7730615.EU54Mw6oyLATer7a
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
I hope a bounty like that (11M) will loosen a tongue or two or put some bounty hunters on the trail of Tymoshchuk. That devastating attack on Norsk Hydro must have Norwegian officials very interested in this guy’s capture. He’s a one man wrecking crew.
It’s great that they caught the guy from Kosovo.
Thanks for this report, John. I’ll be looking forward to the day you report on Tymoshchuk’s capture.
You’re exactly right, Chris — a bounty of $11 million is no small figure, and history shows that kind of incentive tends to shake loose information one way or another. Someone always knows something, and money like that can turn whispers into leads fast. Norsk Hydro alone makes Tymoshchuk one of the most wanted ransomware operators in the world — Norway’s officials won’t rest until there’s closure on that attack, and neither will U.S. and European investigators.
Calling him a one-man wrecking crew is spot on. Between LockerGoga, MegaCortex, and Nefilim, the scale of destruction he’s left behind is staggering. Entire operations crippled, industrial output halted, healthcare institutions disrupted — he didn’t just steal money, he endangered lives.
You’re also right to highlight the Kosovo case. Each arrest in this network chips away at the larger web, and it sends the message that even cybercriminals who hide behind borders and aliases aren’t untouchable. Tymoshchuk might be running for now, but as we’ve seen time and again, patience and pressure usually catch up.
Thank you very much, Chris — your perspective always cuts to the heart of it. 😎
You’re welcome, John, and thank you for the informative reply. I can understand the Norwegians being so upset along with everyone else this guy has crippled. If I had any idea how to track this guy, I might consider investing a bit to land that bounty. I hope someone else deserves it soon!