He Thought He Was Out of Reach—Now This Nefilim Ransomware Affiliate Faces U.S. Charges

A Ukrainian national accused of helping launch high-profile Nefilim ransomware attacks has been extradited from Spain to the United States, where he now faces federal charges tied to data theft, extortion, and conspiracy.

The suspect, Artem Stryzhak, was arrested in 2024 and is now formally indicted in a case that sheds light on how ransomware-as-a-service (RaaS) operations target some of the world’s biggest companies—with devastating financial consequences.

According to court documents unsealed this week, Stryzhak became a Nefilim affiliate in mid-2021, gaining access to the ransomware platform’s infrastructure in exchange for 20% of the ransom proceeds. He allegedly worked directly with Nefilim operators to identify and compromise companies with annual revenues over $200 million.

Once inside a target’s network, Stryzhak and his co-conspirators exfiltrated sensitive corporate data, then used the threat of public exposure to pressure victims into paying ransom demands. Each attack was customized, using unique decryption keys and tailored ransom notes, suggesting a deliberate, hands-on approach.

The list of affected sectors is broad—aviation, chemical, engineering, insurance, oil and gas, even eyewear manufacturing. The indictment points to millions of dollars in losses, not just in ransom payments but also in damaged systems and business disruption.

Nefilim itself has been active since March 2020, operating globally and hitting targets across the U.S., Europe, Canada, and Australia. As a RaaS operation, it provided ransomware infrastructure to affiliates like Stryzhak, who handled the actual intrusions and extortion work.

Federal prosecutors are treating this case as a message. “The criminals who carry out these malicious cyber-attacks often do so from abroad in the belief that American justice cannot reach them,” said U.S. Attorney John J. Durham. “The extradition of the defendant and today’s charges prove that they are wrong.”

It’s a rare but impactful example of international cooperation on ransomware, and one that security teams will want to follow—especially as RaaS operators continue to scale their reach and sophistication.
