$10 Million Bounty: The Hunt for Ransomware Kingpin Behind $18 Billion in Global Damage


Bottom Line Up Front: The US Department of Justice has placed a record $10 million bounty on Ukrainian ransomware operator Volodymyr Tymoshchuk, the alleged mastermind behind some of the most devastating cyberattacks of the past decade. His group's campaigns caused over $18 billion in global damage, including the $75 million attack on aluminum giant Norsk Hydro that brought production to a standstill across 170 sites worldwide.

The Most Wanted Cybercriminal

The US Department of State's Bureau of International Narcotics and Law Enforcement Affairs announced a reward offer of up to $10 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Ukrainian malicious cyber actor Volodymyr Viktorovych Tymoshchuk. The bounty places him alongside some of the world's most wanted terrorists and drug kingpins.

Known online under aliases such as 'deadforz,' 'Boba,' 'msfv,' and 'farnetwork,' Tymoshchuk is accused of developing ransomware variants including Nefilim, LockerGoga, and MegaCortex, used in cyberattacks against global organizations since 2018. The 29-year-old Ukrainian national remains at large despite an international manhunt involving multiple countries.

A Criminal Empire Worth Billions

The scale of Tymoshchuk's alleged operation is staggering. According to the superseding indictment filed in the Eastern District of New York, Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world.

Between July 2019 and June 2020, Tymoshchuk and his co‑conspirators are alleged to have compromised the networks of more than 250 victim companies in the United States and hundreds of other companies around the world with LockerGoga and MegaCortex. However, many attacks were thwarted by law enforcement intervention.

The financial impact extends far beyond ransom payments. These ransomware attacks caused millions of dollars of losses, including damage to victim computer systems, remediation costs, and ransomware payments to the perpetrators.

The Norsk Hydro Case Study: When Ransomware Meets Reality

The most high-profile example of Tymoshchuk's alleged work came in March 2019 when Norsk Hydro, one of the world's largest aluminum producers, was hit by LockerGoga ransomware that would ultimately affect all 35,000 employees across 40 countries, locking files on thousands of servers and PCs.

The attack began months earlier with a deceptively simple vector. In December 2018, hackers had weaponized one email attachment sent by a trusted customer employee to an employee at Norsk Hydro – part of a legitimate conversation. This single compromised email would eventually cost the company tens of millions.

The Human Cost

The impact was immediate and severe. The LockerGoga ransomware had compromised information technology (IT) systems and impacted all company employees — more than 35,000 — across the 40 countries in which the aluminum giant had operations. Production lines that had run for decades were suddenly operating with pen and paper.

The Financial Toll

Initial estimates put the cost at NOK 300-350 million (around $40 million), but the true impact would be much higher: the losses in the first six months of 2019 could reach $75 million, making it one of the most expensive ransomware attacks in corporate history.

The Response That Set a New Standard

Norsk Hydro's response became a case study in crisis management. At the emergency meeting, Norsk Hydro executives made three swift decisions: they would pay no ransom, they would summon Microsoft's cybersecurity team to help restore operations, and they would be fully open about the breach.

Senior staff held regular webcasts where they answered questions; executives held daily press conferences; the company posted updates on Facebook; and Norsk Hydro welcomed journalists into their control rooms. This transparency earned praise from law enforcement and cybersecurity experts worldwide.

The Technical Arsenal: Three Ransomware Variants

Tymoshchuk's alleged operation wasn't limited to a single tool. The indictment details his role in three major ransomware families:

LockerGoga

LockerGoga was first discovered on January 24, 2019, during the attack on Altran, and has since been linked to more than 1,800 victims in 71 countries, including Norsk Hydro and Hexion. The ransomware was particularly dangerous because certain versions had little to no whitelist protecting important system files such as the Windows Boot Manager, so an infected machine could be left unable to boot rather than merely holding encrypted data.

MegaCortex and Nefilim

From approximately July 2020 through October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a "ransomware as a service" enterprise that provided ransomware tools to affiliates in return for a percentage of the ransom proceeds.

Sophisticated Targeting Strategy

This wasn't random cybercrime. Tymoshchuk at times described his preferred ransomware targets as companies located in the United States, Canada, or Australia with more than $100 million in annual revenue. The operation showed clear strategic thinking.

Tymoshchuk researched companies to target, using online databases to gather information about the victim companies' net worth, size, and contact information. After gaining access, Nefilim ransom notes typically threatened the victims that unless they came to an agreement with the ransomware actors, the stolen data would be published on publicly accessible "Corporate Leaks" websites.

Law Enforcement Strikes Back

The investigation represents unprecedented international cooperation. The reward announcement was made in coordination with the Department of Justice, the FBI, and Europol, together with partners in Germany, France, and Norway.

Previous Arrests

In October 2021, Europol announced the arrest of unnamed individuals linked to the Norsk Hydro attack, and Norway's National Criminal Investigation Service confirmed that those arrested were responsible for it.

Disruption Efforts

Law enforcement didn't just pursue arrests. In September 2022, as part of an international coordinated effort against LockerGoga and MegaCortex ransomware, decryption keys associated with those ransomware variants were made available to the public via the "No More Ransom" project. This allowed victims to recover their data without paying ransoms.

A New Era of Cyber Enforcement

The $10 million bounty represents a significant escalation in how governments approach cybercrime. By placing a substantial bounty on Tymoshchuk and his associates, the US government is employing a powerful tool from its anti-terrorism and anti-drug trafficking playbooks and applying it to the world of cybercrime.

The $10 million for Tymoshchuk positions him in the same league as some of the most-wanted terrorists and drug kingpins. This demonstrates the US government's view that ransomware is not just a form of digital theft but a critical national security threat.

The Broader Context: Ransomware as Economic Warfare

The Tymoshchuk case illustrates how ransomware has evolved from opportunistic cybercrime to sophisticated economic warfare. The targeting of critical infrastructure companies like Norsk Hydro demonstrates the potential for cyber attacks to disrupt entire supply chains and economic sectors.

Industry Impact

The aluminum industry felt the Norsk Hydro attack's ripple effects globally. The attack affected the entire global organization, with the business area Extruded Solutions having suffered the most significant operational challenges and financial losses. Manual operations at facilities from Norway to Oregon showed how quickly modern industrial operations can be thrown back decades.

Insurance and Recovery

The case also highlighted gaps in cyber insurance coverage. Norsk Hydro is expecting some compensation from its cyber insurance policy, but it has so far not given any details of how much that is likely to be or when it is expected to be paid.

What This Means for Organizations Today

The Tymoshchuk bounty sends a clear message: ransomware operators are no longer viewed as mere cybercriminals but as threats to national security and economic stability. For organizations, this case offers several critical lessons:

Preparation is Everything: Norsk Hydro's ability to continue operations manually likely prevented even greater losses. Organizations must plan for complete system failures.

Transparency Pays: Norsk Hydro's open communication strategy earned them support from law enforcement, partners, and even competitors during their recovery.

Don't Pay Ransoms: The company's refusal to pay, while costly in the short term, demonstrated that recovery without funding criminal operations is possible.

The Hunt Continues

Despite these efforts, Tymoshchuk remains a fugitive. The FBI has established dedicated channels for tips, including WhatsApp/Signal at +1-917-242-1407 or by email at [email protected].

The Department is also offering a separate reward of up to $1 million for information leading to the arrests and/or convictions of other key leaders (other than Tymoshchuk and a known co-conspirator) of the Nefilim, LockerGoga, and MegaCortex ransomware variants.

Conclusion: A Turning Point in Cyber Justice

The $10 million bounty on Volodymyr Tymoshchuk represents more than just a manhunt—it's a declaration that the era of consequence-free cybercrime is ending. His alleged operation, which caused $18 billion in global damage and brought one of the world's largest aluminum producers to its knees, demonstrates the devastating potential of modern ransomware.

The case of Norsk Hydro, with its $75 million price tag and global production disruption, shows that ransomware attacks are no longer just IT problems—they're existential business threats that can cripple critical infrastructure and supply chains worldwide.

For organizations today, the lesson is clear: the question isn't whether you'll face a ransomware attack, but whether you'll be prepared when it comes. Tymoshchuk's sophisticated targeting of high-revenue companies shows that no organization is too large or too secure to be a target.

As law enforcement closes in with unprecedented international cooperation and record bounties, the message to cybercriminals is equally clear: the internet is no longer a sanctuary for digital extortion. The hunt for the $18 billion ransomware kingpin continues, but the real victory may already be won—in showing that transparency, preparation, and refusing to negotiate with cyber terrorists can triumph over even the most sophisticated attacks.


For tips on Volodymyr Tymoshchuk, contact the FBI at +1-917-242-1407 (WhatsApp/Signal) or [email protected]. All identities are kept strictly confidential.
