Conti Ransomware Member Pleads Guilty to Cybercrimes

“The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage,” A. Tysen Duva, the Justice Department’s assistant attorney general for the criminal division, said in a statement after a longtime member of Conti pleaded guilty in federal court Wednesday.

Oleksii Oleksiyovych Lytvynenko: plea, charges and custody

On Wednesday, Oleksii Oleksiyovych Lytvynenko — also known as Alexsey Alexseevich Litvinenko — pleaded guilty in federal court to conspiracy to commit wire fraud for his role in Conti’s ransomware campaign. The 44-year-old Ukrainian national admitted he joined Conti in September 2021 and acknowledged developing malware used in some attacks. He faces up to 20 years in prison at sentencing, which is scheduled for Sept. 10.

Lytvynenko was arrested in Ireland in July 2023, extradited to the United States in October 2025, and remains in federal custody in Tennessee, where at least three of his victims are based. Prosecutors said he left Ukraine in 2022, obtained temporary protective status in Ireland, and was residing in Cork at the time of his arrest.

Role inside Conti and post-disbandment activity

According to the Justice Department, Lytvynenko held data on 12 victims — eight of them based in the United States — and admitted to creating malware that Conti deployed. Authorities said he continued engaging in cybercriminal activity after Conti formally disbanded and its members splintered into new groups.

Officials noted a detail from the arrest: he “was asleep but within arms’ reach of an open laptop running Cobalt Strike” when detained. Brett Leatherman, assistant director of the FBI’s cyber division, framed the plea as part of accountability, saying in a statement that “Lytvynenko profited from fear and coercion, conspiring to use Conti ransomware to extort victims and steal their data.”

Scale of Conti’s operations and broader impact

Conti was among the most prolific ransomware groups of its time. The Justice Department says members and their co-conspirators used Conti ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 U.S. states, Washington, Puerto Rico and roughly 31 other countries. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.

The group’s victims included hundreds of critical infrastructure providers and national-level targets: the Justice Department statement cites Conti’s 2022 attack on Costa Rica’s government. The group’s leaders drew high-level attention — the State Department offered a $10 million reward for information relating to Conti’s leaders. Conti’s operational resilience was also noted: after a massive 2022 leak exposed internal chats, the group rebuilt infrastructure and continued operations until disbanding later that year.

Following the breakup, members of the Cyrillic-language group rebranded into at least three subgroups: Zeon, Black Basta and Quantum, which then rebranded to Royal and later to BlackSuit in 2024, according to the Justice Department account.

Tennessee victims: bitcoin payments, leaks and local impacts

Prosecutors provided specific local consequences tied to Lytvynenko’s admitted conduct. They said he and co-conspirators extorted roughly $634,000 in Bitcoin from two victims in Tennessee. One of those victims was described as an undisclosed government entity; the compromise stemming from that intrusion affected a sheriff’s department, local emergency medical services and a local police department.

In a separate instance detailed in an indictment unsealed last fall, prosecutors said Lytvynenko and co-conspirators leaked data they stole from another Tennessee-based victim after that organization declined a $3 million ransom demand.

Co-defendants, prosecutions and the Justice Department’s posture

Four alleged co-conspirators were named in related 2023 indictments in the same federal court: Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov. The Justice Department characterized Lytvynenko’s guilty plea as a meaningful step toward holding cybercriminals accountable for global damage.

Officials have tied the single defendant’s activity to a far larger, distributed campaign of extortion and data theft. The factual record presented by prosecutors connects Lytvynenko to a subset of Conti operations — malware development, possession of stolen victim data and financial extortion — within a multinational network that affected public and private entities across jurisdictions.

Sentencing for Lytvynenko is set for Sept. 10; his plea marks a prosecutorial milestone in a sprawling case that links specific technical acts and victim impacts to the broader history of one of the 2020s’ most consequential ransomware groups.

Source: CyberScoop