Ukrainian national extradited from Ireland to the U.S. pleads guilty to conspiracy to commit wire fraud for involvement in the Conti ransomware operation

​This post is written by Peter Oakes, a leading financial services expert who has led the establishment of anti-money laundering enforcement functions at Central Banks (Ireland and Saudi Arabia) and worked as a senior regulator in Australia (ASIC) and UK (FSA/FCA).  These days Peter is non-executive director of, and advisor to, financial services companies in Europe Union and the UK.

This is a very good money laundering typology for AML training, especially if looking for an international ransomware-as-a-service case involving cryptocurrency, Ireland, the USA and how the High Court of Ireland exercises extradition treaty proceedings. 

Our Peter Oakes is often asked to write more about useful money laundering cases that can be used by MLROs (Money Laundering Reporting Officers) as typologies for AML training.  This typology on Ireland's money laundering website, www.moneylaundering.ie, pulls together:

* ransomware-as-service;
* predicate criminal offence;
* a Ukranian national living in Cork;
* identification of proceeds of crime in bitcoin recorded on the supposedly anonymous promoting blockchain;
* Irish High Court extradition proceedings;
* alleged abuse of human rights; and
* evidence from Google Analytics and Google Drive.

So we am pretty sure it ticks all the "right boxes".

The case when examined from multiple sources (like Money Laundering Ireland has done) provides interesting insights into the Irish extradition regime, identification of supposedly anonymous bitcoin transactions recorded on the blockchain and evidenced obtained from Google Analytics.

​On Friday 12 June 2026 Oleksii Oleksiyovych Lytvynenko (44), a Ukrainian national who was extradited from Ireland to the U.S., pleaded guilty in the US to conspiracy to commit wire fraud for his involvement in the Conti ransomware operation.

​Back in 2025, the High Court of Ireland made an order committing Lytvynenko to prison to await his extradition to stand trial for his part in the ransomware conspiracy.

​

Lytvynenko, based in Cork, Ireland, worked with others in the Conti ransomware group to hack victims’ networks, encrypt files, and demand ransom payments in exchange for restoring access and not leaking stolen data.

Mr Justice David Keane (High Court of Ireland) determined that the U.S. DoJ application met all of the proofs prescribed by s.29 of the Extradition Act 1965 (as amended) and that the Lytvynenko’s objections based upon violations of his rights and abuse of process did not warrant the refusal of the order sought.

​Before the High Court evidence from Google analytics data on Lytvynenko’s account showed that he had searched for methods of thwarting Windows authentication and had watched YouTube videos on malware, hacking, Windows administration, building a remote access tool and penetration testing. The High Court also heard that cryptocurrency tracing performed by the FBI on the publicly available blockchain had also indicated that the Lytvynenko received payments in Bitcoin from Conti conspirators during approximately the same period as the attacks on six of the victims whose data was found in the respondent’s Google Drive.

The conspiracy was alleged to have resulted in the payment of a combined ransom of approximately $634,000 in cryptocurrency.

The Irish High Court had to consider both s.10(1) and s.10(1A) of the Extradition Act 1965, noting that extradition can be granted only in respect of an offence punishable both under the laws of the requesting country and of the State. The court was ultimately satisfied on the evidence that the requirements of correspondence and minimum gravity had been met and that the extradition of the respondent was not prohibited by Part II of the 1965 Act or by the relevant extradition provisions.

Next the court had to consider that the “making of an extradition arrangement presupposes that the Government and the Oireachtas are satisfied, amongst other things, that a person being extradited to another State with which Ireland has such an arrangement will not have his constitutional (or ECHR) rights impaired”. Mr Justice Keane considered the Lytvynenko’s objections in turn but was not satisfied that they warranted refusal of the order sought where they did not meet the required thresholds and/or where there was an insufficient evidential basis to support them.

The High Court back in 2025 made an order pursuant to s.29 of the 1965 Act committing the Lytvynenko’ to prison to await the making of an order for his extradition. The Irish judgement is The Attorney General v Oleksi Oleksiyovych Lytvynenko [2025] IEHC 100. See citations at end of this post.

Once he was extradited, more fun began.

In the US it was argued that between 2020 and 2022, Conti attacks hit systems across 47 U.S. states, 31 countries, the District of Columbia, and Puerto Rico. The FBI estimates that at least $150 million in ransom payments were made by January 2022.

Lytvynenko admitted to joining the group around September 2021. He acknowledged holding stolen data from multiple victims in the U.S. and abroad. He also worked on developing malware components, including a “loader” used to deliver other malicious tools during attacks.

“He admitted to possessing data from eight U.S. and four overseas victims which had been stolen by Conti conspirators. Lytvynenko further admitted to joining a team run by a Conti conspirator during which time Lytvynenko was directed to work on coding a “loader,” which is typically a type of malware, or malicious software, that is used to load programs necessary to execute other malicious attacks.” reads the press release published by DoJ.

Lytvynenko pleaded guilty on Friday 12 June 2026 to conspiracy to commit wire fraud for his role in the Conti ransomware operation. 

He is scheduled to be sentenced on September 10, 2026, and faces up to 20 years in prison. The final sentence will be determined by a federal judge after considering U.S. sentencing guidelines and other statutory factors.

In September 2023, four other Conti conspirators were indicted in Tennessee. The FBI and U.S. Secret Service are investigating, with DOJ prosecutors handling the case.

“Lytvynenko’s guilty plea is a significant step toward holding cyber criminals accountable for the damage they inflict on victims worldwide,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “Lytvynenko profited from fear and coercion, conspiring to use Conti ransomware to extort victims and steal their data. This case demonstrates that the FBI and our partners will relentlessly pursue those responsible for cybercrimes, regardless of where they operate, and bring them to justice.”  See citations at end of this post.

The FBI informs that Conti emerged from the Ryuk gang and was closely linked to the TrickBot malware operation. The group became known for attacks on healthcare organizations, governments, and businesses before shutting down operations in 2022 after internal chats were leaked and law enforcement pressure increased.

Sources:

• The Attorney General v Oleksi Oleksiyovych Lytvynenko [2025] IEHC 100. See https://www.irishlegal.com/articles/high-court-man-committed-to-prison-pending-his-extradition-to-usa-to-stand-trial-for-ransomware-conspiracy-charges / https://www.iisf.ie/Oleksii-Lytvynenko-extradited-conti  /https://ie.vlex.com/vid/the-attorney-general-v-1094149608
• US Case.  https://www.justice.gov/opa/pr/ukrainian-national-pleads-guilty-wire-fraud-conspiracy-connection-conti-ransomware / https://securityaffairs.com/193590/uncategorized/ukrainian-extradited-from-ireland-pleads-guilty-over-role-in-conti-ransomware-scheme.html