A suspected Conti ransomware participant is now in U.S. custody and has admitted helping a crew tied to more than 1,000 victims and at least $150 million in ransom payments.

Conti Ransomware Coder Admits Role in $150M Shakedown
XOOMAR Intelligence
Oleksii Oleksiyovych Lytvynenko, a 44-year-old Ukrainian national extradited from Ireland to the United States last year, pleaded guilty to conspiracy to commit wire fraud in connection with Conti attacks, according to BleepingComputer. The Justice Department said the plea was entered Wednesday and announced Thursday.
Ukrainian defendant admits role in Conti ransomware case after Ireland extradition
Federal prosecutors say Lytvynenko joined the Conti conspiracy no later than approximately September 2021, during the period when the ransomware operation was hammering organizations in the United States and abroad.
The admitted conduct is specific. Lytvynenko possessed data stolen from eight U.S. victims and four overseas victims, and he joined a team run by another Conti conspirator where he worked on coding a “loader”, malware used to load programs needed to carry out other malicious attacks.
That detail matters. Prosecutors are not describing him as Conti’s public boss or a top negotiator. They are tying him to the operational machinery: stolen data, ransomware deployment, and malware development.
“The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.
The Justice Department said Conti conspirators hacked victim computers and networks, encrypted data, and demanded payment to restore access and prevent public disclosure of stolen information. That double-pressure model was central to Conti’s leverage over victims.
The DOJ said Conti was used from 2020 until 2022 to attack computers and networks in 47 states, 31 foreign countries, the District of Columbia, and Puerto Rico. The FBI estimates that, as of January 2022, Conti attacks produced at least $150 million in ransom payments.
BleepingComputer described Conti as one of the most prolific cybercrime groups active at the time, targeting hospitals, businesses, schools, and government agencies worldwide. The group later shut down in 2022 after internal chats leaked and law enforcement pressure intensified.
Conti plea shows how old ransomware cases are still moving through courts
The plea is another sign that U.S. ransomware cases can outlive the brands behind them. Conti’s name has largely disappeared from active public use, but prosecutors are still working through alleged participants, infrastructure, payments, and supporting roles.
That is the enforcement value of extradition. Ransomware suspects often operate outside the United States, beyond easy arrest. Moving Lytvynenko from Ireland into U.S. custody turned a cross-border cybercrime case into a federal prosecution.
The DOJ said the arrest and extradition involved the Justice Department’s Office of International Affairs; the Irish Department of Justice, Home Affairs, and Migration; the Irish Office of the Attorney General; and the Garda National Cyber Crime Bureau.
The case also sits inside Operation Riptide, an FBI campaign targeting criminal actors, infrastructure, and financial networks behind cybercrime, cyber-enabled crime, and fraud. The DOJ said Americans reported over $20 billion in cybercrime losses last year, a 26 percent single-year increase.
That broader pressure has shown up in other ransomware-adjacent enforcement actions too. XOOMAR recently covered the takedown of an alleged crypto-laundering service in the AudiA6 ransomware crypto-laundering case, another example of authorities going after the financial rails around extortion crews.
| Case element | What prosecutors tied to Lytvynenko |
|---|---|
| Charge | Conspiracy to commit wire fraud |
| Group | Conti ransomware operation |
| Admitted timing | Joined no later than approximately September 2021 |
| Victim data | Data from eight U.S. victims and four overseas victims |
| Technical role | Worked on coding a “loader” |
| Maximum penalty | 20 years in prison |
The Conti case also connects to a wider cluster of ransomware brands. BleepingComputer reported that security researchers believe former Conti members later splintered into groups including BlackCat, Black Basta, ZEON, Hive, Quantum, BlackByte, Karakurt, and the Silent Ransom Group.
Analysis: that splintering limits the value of celebrating Conti’s collapse as a clean endpoint. The public brand disappeared, but the people, tooling, and playbooks did not necessarily vanish with it.
Sentencing could reveal how much prosecutors can tie to one Conti operator
Lytvynenko is scheduled to be sentenced on Sept. 10, 2026, and faces a maximum penalty of 20 years in prison. A federal district court judge will determine the sentence after weighing the U.S. Sentencing Guidelines and statutory factors.
The public record still leaves important gaps. Prosecutors have not, in the provided materials, assigned a specific ransom total to Lytvynenko personally. They also have not said whether seized crypto or other assets connected to his conduct could be returned to victims.
That is where the next phase matters. Guilty pleas in ransomware cases can produce more intelligence on developers, affiliates, hosting providers, payment paths, and operational handoffs, even when the first public filing stays narrow.
The DOJ said an indictment charging four other Conti conspirators was unsealed in the Middle District of Tennessee in September 2023. That makes Lytvynenko’s plea part of a continuing case structure, not a standalone press release.
For defenders, there is no patch attached to this prosecution. This is not a new vulnerability disclosure. The operational lesson is simpler: Conti’s history shows how data theft, encryption, and payment pressure were fused into one extortion process, and law enforcement is still tracing the people who helped make that process work.
The practical watch item now is sentencing. If prosecutors disclose more about Lytvynenko’s role, money flows, victim links, or cooperation, the case could add detail to how Conti functioned after the fact. If they do not, the plea still sends a narrower message: even after a ransomware brand shuts down, its alleged operators may remain exposed to extradition and prosecution years later.
Impact Analysis
- The guilty plea advances U.S. efforts to hold individual ransomware operators accountable.
- Conti was linked to more than 1,000 victims and at least $150 million in ransom payments.
- The case highlights how malware developers and data handlers can face prosecution even if they are not public leaders of a ransomware group.
Sources
- [1] BleepingComputer
- [2] Ukrainian National Pleads Guilty to Wire Fraud Conspiracy in Connection with Conti Ransomware
- [3] Conti ransomware group member pleads guilty, faces up to 20 years in prison
- [4] Ukrainian national pleads guilty to role in Conti ransomware operation (OffSeq.com)
Written by
XOOMAR Insights Team
Research and Editorial Desk