HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Ryuk Ransomware affiliate extradited to the US from Ukraine

Written by Farah Amod | Jul 1, 2025 12:35:18 AM

A 33-year-old man accused of supplying network access to the Ryuk ransomware gang has been extradited to face charges in the United States.

 

What happened

A foreign national arrested in Kyiv in April 2025 was extradited to the US on June 18 to face charges over his role in the Ryuk ransomware operation. The unnamed 33-year-old is accused of helping the gang by identifying vulnerabilities in corporate networks and turning them into footholds from which Ryuk members launched their attacks.

The extradition follows a coordinated international investigation, led by Ukraine's cyber police together with foreign law enforcement partners, that began probing several ransomware groups in 2023.

 

Going deeper

The suspect reportedly worked as an initial access broker: rather than deploying ransomware himself, he scanned victim networks for weaknesses, exploited them, and sold or handed the resulting access to ransomware operators. Ukrainian police say his work enabled Ryuk affiliates to break into companies in several countries, including the US, France, Norway, Germany, the Netherlands, and Canada.

The wider operation also led to arrests connected to other ransomware strains, including LockerGoga, MegaCortex, Hive, and Dharma. Devices were seized, and several people living in Ukraine were arrested for facilitating or carrying out attacks.

Ryuk was most active between 2018 and 2020 and is estimated to have taken in roughly $150 million in ransom payments. It is widely regarded as the predecessor of Conti, which emerged in 2020 with much of the same personnel and tooling and was among the most prolific cybercrime syndicates until it shut down in 2022. Conti's dissolution gave rise to several smaller groups that remain active.

 

What was said

Ukraine’s National Police issued a statement confirming the arrest and extradition, explaining that the suspect had been on an international wanted list and was charged with several cybercrimes in the US. Investigators were able to identify him by analyzing data collected during prior enforcement actions.

The US Department of Justice has not yet commented publicly on the extradition.

 

FAQs

What is an initial access broker, and why are they important to ransomware groups?

An initial access broker specializes in finding and exploiting weaknesses in target networks and then selling or handing off that access to ransomware operators, who use it to carry out the attack. Brokers matter because they let ransomware crews scale: the operators buy ready-made footholds instead of doing the intrusion work themselves, so removing one broker can cut off access for several gangs at once.

 

How does extradition typically work in cybercrime cases?

Extradition is the legal process by which one country surrenders a suspect to another under an existing treaty. It requires a formal request and cooperation between the law enforcement and judicial systems of both countries, and as a rule the alleged conduct must be a crime in both.

 

What was the role of Ryuk during the COVID-19 pandemic?

Ryuk was behind a wave of attacks on hospitals and healthcare systems during the pandemic, hitting infrastructure at a time when those organizations could least afford downtime. In October 2020, CISA, the FBI, and HHS issued a joint advisory warning the healthcare sector of an imminent Ryuk threat.

 

What’s the connection between Ryuk and Conti?

Conti emerged in 2020 as the successor to Ryuk, carrying over much of the same infrastructure, personnel, and tactics, and disbanded in 2022.

 

Are rebranded or splinter groups from Conti still a threat today?

Yes. Although Conti formally shut down, several offshoots and former affiliates continue to operate independently, using similar ransomware tools and techniques.