EU and U.S. authorities are hunting Ukrainian fugitive Volodymyr Tymoshchuk, accused of leading a ransomware network behind the LockerGoga attacks that crippled industries, disrupted supply chains and cost companies billions.
A Ukrainian man accused of leading a global ransomware network has been placed on the European Union’s Most Wanted list. Authorities say he played a central role in deploying the LockerGoga malware, which crippled companies worldwide and caused billions of dollars in damages.
The fugitive, identified as Volodymyr Tymoshchuk, is wanted in multiple countries and has been labeled a high-priority target for international law enforcement.
He is best known for the 2019 attack on Norsk Hydro, a Norwegian aluminum producer. The breach encrypted company data and shut down production, disrupting global supply chains. Norsk Hydro later said the attack cost tens of millions of dollars and forced it to switch temporarily to manual operations at several sites.
The suspect’s identification stems from a yearslong probe coordinated by Europol and Eurojust. Investigators from France, Germany, Norway, Switzerland, Ukraine, the United Kingdom and the United States mapped the structure of the group, which Europol said operated like a multinational business with separate roles for developers, hackers and money launderers.
Earlier this week, U.S. prosecutors unsealed a superseding indictment charging Tymoshchuk, also known online as “deadforz,” “Boba,” “msfv” and “farnetwork.” The indictment alleges that between 2018 and 2021, Tymoshchuk and his accomplices used LockerGoga, MegaCortex and Nefilim ransomware to attack more than 250 U.S. companies and hundreds more worldwide.
The announcement came as U.S. authorities deepened their pursuit.
The FBI and Justice Department are also involved in the manhunt, and the State Department said its Transnational Organized Crime Rewards Program has offered up to $10 million under the Transnational Organized Crime Rewards Program for information leading to Tymoshchuk’s arrest or conviction in any country. It also announced a separate reward of up to $1 million for tips on other key leaders of the Nefilim, LockerGoga and MegaCortex ransomware groups.
“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella.
Prosecutors allege Tymoshchuk specifically sought out companies in the United States, Canada or Australia with annual revenues over $100 million. In a 2021 exchange with a co-conspirator, he encouraged targeting firms with more than $200 million in revenue. Authorities say the group extorted victims by encrypting networks and threatening to publish stolen data on so-called “Corporate Leaks” sites unless ransoms were paid.
Several members of the group have already been arrested in Ukraine. Authorities say those detained include malware developers, intrusion specialists and financial operators who laundered proceeds through complex schemes.
Investigators believe Tymoshchuk personally deployed LockerGoga in some of the most damaging attacks.
LockerGoga, first seen in early 2019, gained notoriety for its destructive power. Unlike some ransomware that merely encrypts files, it often left systems so damaged that recovery took months and cost millions. Norsk Hydro refused to pay the ransom, but the disruption underscored the rising threat of ransomware against industrial targets.
