Ryuk Ransomware Operator Pleads Guilty to Extracting 1,610 Bitcoin From US Firms

Published by James Harris on

Ryuk Ransomware Operator Pleads Guilty to Extracting 1,610 Bitcoin From US Firms — Bitcoin

What You Need to Know

  • Karen Serobovich Vardanyan pleaded guilty to conspiracy and computer fraud in Ryuk ransomware campaign.
  • Vardanyan’s group extracted approximately 1,610 bitcoin from US businesses between November 2019 and April 2020.
  • Ryuk attackers encrypted corporate networks, demanded bitcoin ransom payments, and provided decryption keys after payment.
  • One Michigan company paid 200 bitcoin, worth over $1.1 million at the time, for network recovery.

Federal prosecutors in Oregon secured a guilty plea on July 8 from Karen Serobovich Vardanyan, a 34-year-old Armenian national extradited from Ukraine, on charges of conspiracy and computer fraud tied to a Ryuk ransomware campaign that extracted roughly 1,610 bitcoin from US businesses between November 2019 and April 2020. At the time of the attacks, those payments were worth more than $15 million. Sentencing is scheduled for September 22, 2026, where a US District Judge will weigh the plea, restitution obligations, and federal guidelines. Vardanyan faces up to 15 years across both counts.

The mechanics were straightforward and effective. Vardanyan and his accomplices broke into corporate networks, deployed Ryuk to encrypt files across hundreds of workstations and servers, and left ransom notes directing victims to contact the group via email and pay in bitcoin to a wallet under the attackers’ control. Once payment cleared, decryption keys followed. One Michigan company alone paid 200 bitcoin, worth over $1.1 million at the time, to recover its network. A technology company in Wilsonville, Oregon, and a Texas school district were also hit.

Ryuk’s Place in the Ransomware-as-Extortion Playbook

Ryuk was not a fringe tool. By 2019 and 2020, it had become one of the most destructive ransomware strains targeting enterprise and institutional networks, linked in separate investigations to the Wizard Spider threat group operating out of Russia. The bitcoin-denominated ransom model was already well-established by then: attackers preferred it for pseudonymity, speed of settlement, and the absence of chargebacks. What made Ryuk campaigns particularly damaging was the deliberate targeting of large organizations with the capacity to pay, rather than the spray-and-pray approach of earlier ransomware waves.

The plea comes nearly five years after the attacks concluded. That lag is not unusual in transnational cybercrime cases, where extradition timelines, international cooperation, and blockchain tracing work all compound. The FBI’s investigation, supported by the Justice Department’s Office of International Affairs and Ukrainian authorities, reflects the same cross-border framework that has produced a string of ransomware arrests and extraditions since 2021, when the Colonial Pipeline attack pushed ransomware to the top of the US national security agenda and triggered a coordinated federal response.

What the Restitution Figure Actually Signals

Vardanyan agreed to restitution of just over $1.1 million, which corresponds roughly to the Michigan company’s payment alone. The gap between that figure and the $15 million total the operation received is significant. It almost certainly reflects what prosecutors could directly attribute to Vardanyan’s role and what assets were recoverable, not the full scope of victim losses. A complete victim list has not been released, and there is no public breakdown of which payments came from which attack.

The bitcoin tracing that enabled this prosecution has become considerably more sophisticated since 2020. Blockchain analytics firms now work routinely with the DOJ and FBI, and the government has demonstrated in several cases, including the 2022 recovery of bitcoin tied to the 2016 Bitfinex hack, that pseudonymous payments are traceable given enough time and resources. Ransomware operators who collected bitcoin in 2019 and 2020 under the assumption that those transactions were effectively anonymous have been repeatedly proven wrong.

The September 2026 sentencing date gives the court time to fully assess the restitution structure and the outstanding extortion count, which was not resolved by the plea, before a final disposition. Whether the unresolved count becomes leverage in sentencing or gets dropped entirely will determine how much of the full picture ever becomes public.

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *