Alleged Conti ransomware gang affiliate appears in Tennessee court after Ireland extradition

A Ukrainian national accused of launching ransomware attacks on behalf of the Conti group appeared in a U.S. court on Thursday after being extradited from Ireland. 

Oleksii Oleksiyovych Lytvynenko is facing several charges related to his suspected involvement with the Conti ransomware gang, which attacked hundreds of organizations globally before disbanding in 2022. 

The 43-year-old was indicted in 2023 on computer fraud conspiracy and wire fraud conspiracy charges. If convicted, he is facing a maximum penalty of 25 years in prison. 

Lytvynenko was arrested at his home in Cork, Ireland, by the country’s Garda Síochána national police in July 2023 at the request of U.S. authorities. 

U.S. prosecutors accuse Lytvynenko of being a Conti operator from 2020 to June 2022, infecting dozens of computers and networks before demanding ransoms. Lytvynenko was allegedly responsible for extorting about $500,000 from two victims in Tennessee and for publishing the stolen information of another organization in the state. 

Conti was one of the most active ransomware gangs at one point, and acting Assistant Attorney General Matthew Galeotti said Lytvynenko “allegedly participated in a conspiracy to extort approximately $150 million in ransomware payments.”

Galeotti added that Lytvynenko is “responsible for defrauding victims in almost every U.S. state and from over two dozen countries worldwide.”

Lytvynenko allegedly held data from a number of Conti victims and was involved in several attacks publicized by the group. When the group went defunct at the onset of Russia’s invasion of Ukraine, Lytvynenko allegedly continued his involvement in cybercrime. The DOJ did not respond to requests for comment about whether he was involved in other ransomware gangs.

He had been held in an Irish jail since 2023 and went through lengthy extradition proceedings before being sent to the U.S. this month. 

“Lytvynenko conspired to deploy Conti ransomware against victims in the United States and across the globe, extorting millions in cryptocurrency and amassing a trove of stolen data,” said FBI Cyber Division assistant director Brett Leatherman. 

Four other members of the Conti ransomware gang were indicted in September 2023 after U.S. prosecutors accused them of targeting hospital systems, local governments, a local sheriff’s department, and local emergency medical services.

Another member of Conti was arrested by Ukrainian authorities last year in Kyiv.

Before shuttering its operation in 2022, the ransomware gang was in the midst of a devastating attack on the government of Costa Rica and had demanded a $20 million ransom. 

A member of Conti, believed to be Ukrainian, leaked the gang's internal chats after the group's leaders posted an aggressive pro-Russian message on their official site following Russia’s invasion of Ukraine. The leaked messages illustrated the group’s ruthless stances toward attacking U.S. hospitals during the COVID-19 pandemic and its ties to the Russian government. 

Researchers have traced several newer ransomware gangs — like Royal, Black Basta, and others — back to Conti. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.