ctipilot.ch

Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland

incident · incident:conti-lytvynenko-guilty-plea-2026

  • Coverage timeline: 1 (first 2026-06-14 → last 2026-06-14)
  • Briefs: 1 (1 distinct)
  • Sources cited: 74 (51 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Daily Brief — 2026-06-14
    active_threats · First coverage. Ukrainian national, joined Conti ~Sept 2021 as loader dev; pleaded guilty 12 Jun (M.D. Tenn.); arrested Cork, Ireland, Jul 2023, extradited Oct 2025; up to 20 years, sentencing 10 Sep. EU → US extradition channel for ransomware actors.

Where this entity is cited

  • active_threats (1)

Source distribution

  • bleepingcomputer.com: 5 (7%)
  • therecord.media: 4 (5%)
  • dexpose.io: 3 (4%)
  • attack.mitre.org: 3 (4%)
  • heise.de: 3 (4%)
  • theregister.com: 3 (4%)
  • blog.checkpoint.com: 2 (3%)
  • cloud.google.com: 2 (3%)
  • other: 49 (66%)

Related entities

All cited sources (74)

Items in briefs about Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland (5)

Law-enforcement follow-through — Conti loader developer pleads guilty, AudiA6 laundering service dismantled

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

Two enforcement wins with a Swiss touchpoint. Ukrainian national Oleksii Lytvynenko pleaded guilty on 12 June in US federal court (Middle District of Tennessee) to conspiracy to commit wire fraud for his role developing loaders for the Conti ransomware operation, after extradition from Ireland (DOJ via GlobalSecurity; daily 06-14). Separately, a US-Secret-Service-led operation with Europol, Eurojust and ten countries — Switzerland among the participants — dismantled the AudiA6 cryptocurrency money-laundering service and charged two individuals (US Secret Service; daily 06-12). The cumulative signal: the affiliate-and-launderer layer of the ransomware economy continues to be peeled back through international cooperation, with Swiss authorities now routinely in the coalition.

Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

Oleksii Oleksiyovych Lytvynenko, a 44-year-old Ukrainian national, pleaded guilty on 12 June in the Middle District of Tennessee to conspiracy to commit wire fraud for his role in the Conti ransomware operation, which he joined around September 2021 to develop a malware loader component (CyberScoop, 2026-06-12). He admitted to possessing data stolen from eight US and four overseas victims; Conti attacked more than 1,000 organisations across 31 countries and extorted at least $150 million before disbanding in 2022 (BleepingComputer, 2026-06-12). Lytvynenko was arrested in Cork, Ireland in July 2023 and extradited to the US in October 2025; he faces up to 20 years, with sentencing scheduled for 10 September. Four other alleged Conti members were indicted in 2023.

Why it matters to us: The case is a concrete demonstration that the EU-member-state → US extradition channel works against ransomware-lineage defendants who seek refuge in Europe — a deterrence data point for IR and legal teams weighing the realistic odds of prosecution. Conti's successor clusters (Black Basta, Quantum/Royal/BlackSuit, Zeon) remain active, so the plea closes a personnel chapter, not the threat.

The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues [SINGLE-SOURCE]

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

The Gentlemen RaaS listed two new European victims — the University of Finance and Administration (Czech Republic) and a Swiss engineering firm — on its leak site (daily 2026-05-20). The operator's previously-announced communications-infrastructure overhaul (rather than shutdown) means continued activity; the Swiss-victim listing is the direct CH-nexus signal this week. Watch for sample-data publication confirming the listings versus opportunistic re-listing.

"The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Following the 2026-05-04 Rocket backend DB leak (attributed to a breach of hosting provider 4VPS), administrator zeta88 / hastalamuerte announced a full communications-infrastructure overhaul — new NAS deployment and new locker upgrades — signalling no intent to cease operations. The operation maintained ~332 victims in H1 2026, ranking second in global RaaS activity per Check Point Research. Check Point documented initial access via CVE-2024-55591 (FortiOS management interface auth bypass, ITW since November 2024) and CVE-2025-32433 (Erlang SSH in Cisco context); post-access chain includes RelayKing-based NTLM relay (CVE-2025-33073), AD enumeration, EDR disablement, and GPO-deployed locker (Check Point Research; Check Point blog; daily 2026-05-14 UPDATE).

Bedrock Safeguard (Canadian security firm) published a working decryptor on 2026-05-14 exploiting Go's failure to zero XChaCha20 / X25519 ephemeral private-key material from goroutine stacks post-use; 35/35 files decrypted in testing. The operator claims to have patched the binary, so the decryptor capability is best-case retrospective; affiliates show no evidence of forking, and the core nine-person structure remains intact per leaked chats (Bedrock Safeguard decryptor). Defender takeaway: for any Gentlemen-impacted Go-binary host, attempt process-memory dump capture for ephemeral key recovery before reimaging; verify FortiOS patch state on CVE-2024-55591 across every Swiss / EU public-sector Fortinet deployment (the FortiOS bug is the documented initial-access primary, and the W19 long-running record already lists this CVE).

Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: GTIG's Europe data-leak landscape (§ 6) documented Qilin tripling Q3 2025 operational tempo in Germany; Die Linke (Germany federal political party) confirmed Qilin encryption with 1.5 TB exfiltrated (covered 2026-05-08), state DPA notified — Qilin German activity continues into 2026-Q2. No public-claim shift or victim-list expansion beyond Die Linke this week. Outstanding question: whether Qilin's targeting of political and civil-society organisations expands into other 2026 EU election cycles.