Cybercrime

Ryuk Ransomware Operator Pleads Guilty in $15M Bitcoin Extortion

Karen Serobovich Vardanyan pleaded guilty on July 8 to conspiracy and computer fraud for his role in a Ryuk ransomware campaign that collected 1,610 bitcoin.

LUMIEN4 min read
Ryuk Ransomware Operator Pleads Guilty in $15M Bitcoin Extortion

Karen Serobovich Vardanyan, a 34-year-old Armenian national extradited from Ukraine, pleaded guilty on July 8 to conspiracy and computer fraud for his role in a Ryuk ransomware campaign that extorted more than $15 million in bitcoin from US businesses between November 2019 and April 2020. The operation collected roughly 1,610 bitcoin across multiple victims, including a Michigan company, an Oregon technology firm, and a Texas school. Sentencing is set for review on September 22, 2026 in Portland.

What happened

Detail Fact
Defendant Karen Serobovich Vardanyan, age 34, Armenian national
Guilty plea date July 8, 2026
Charges Conspiracy (max 5 years) and computer fraud (max 10 years)
Campaign period November 2019 to April 2020
Total bitcoin collected ~1,610 BTC, worth over $15 million at time of payments
Michigan victim payment 200 BTC, worth over $1.1 million at the time
Restitution agreed More than $1.1 million
Sentencing review September 22, 2026, US District Court, Portland

Federal prosecutors in the District of Oregon announced on July 9 that Vardanyan admitted to helping operate a Ryuk ransomware campaign. Ryuk is a type of malware that encrypts a victim’s files and holds them locked until a ransom is paid. Vardanyan and his co-conspirators broke into corporate networks, deployed Ryuk across hundreds of workstations and servers, and left ransom notes directing victims to a bitcoin wallet and an email address for negotiation.

Once a victim paid into the wallet, which the group controlled, the attackers released decryption keys to restore access. The DOJ’s July 9 press release quoted the ransom notes as demanding “payments in Bitcoin, a form of cryptocurrency” alongside a contact email address.

Who was targeted?

Prosecutors confirmed three named victim categories: a Michigan company that paid 200 bitcoin to recover its network, a technology company based in Wilsonville, Oregon, and a Texas school hit in February 2020. A full victim list has not been released, and prosecutors have not published a wallet breakdown showing which payments came from which attack.

A federal grand jury in Portland had added a third count of extortion in February 2024. That charge was not resolved by the July 8 plea and remains open.

How was he caught?

The FBI led the investigation. Vardanyan was arrested abroad and extradited from Ukraine, with the Justice Department’s Office of International Affairs coordinating the process. US Attorney Scott E. Bradford and Assistant US Attorney Katherine A. Rykken are handling the prosecution, and the US Attorney’s Office credited Ukrainian authorities for their cooperation.

Why it matters

Ryuk was among the most destructive ransomware families of the 2019-2021 period, routinely targeting hospitals, schools, and mid-size businesses that lacked mature security defenses. A five-month campaign collecting 1,610 bitcoin illustrates how quickly the economics compound when attackers hit dozens of targets in sequence.

The extradition from Ukraine is also notable. US-Ukraine law enforcement cooperation on cybercrime cases has been complicated by geopolitics, so a successful extradition and guilty plea signals that coordination channel still works in some cases.

For businesses, the case is a reminder that ransomware operators do eventually face consequences, but the recovery costs fall on victims first. The Michigan firm alone paid what was then over $1.1 million in bitcoin, and there is no guarantee that paying leads to full data recovery.

Our take

A guilty plea is a clean outcome, but the restitution figure (over $1.1 million) does not come close to the $15 million collected. Most of that money is almost certainly long gone, moved through mixing services or exchanged before the arrest. Victims are unlikely to see full recovery regardless of the sentence handed down in September.

The more useful lesson here is operational: Ryuk relied on getting into corporate networks first, then deploying ransomware laterally across hundreds of machines. That lateral movement is the window businesses can close. Network segmentation, endpoint detection, and tested offline backups would have limited the blast radius even if an initial intrusion succeeded.

If your business runs any kind of automated workflow or integration layer, those systems are often connected to more internal infrastructure than people realise. We cover relevant AI integration practices that include security considerations, and we have written about other cybercrime operations in our AI and tech news coverage. Prevention is still far cheaper than the ransom.

What to do about it

  1. Audit which internal systems your automation and integration tools can reach, and remove any access that is not strictly necessary.
  2. Segment your network so that a compromised workstation cannot reach your servers or backup systems directly.
  3. Keep at least one backup copy completely offline and test restoration quarterly, not just the backup process itself.
  4. Deploy endpoint detection on all servers and workstations, not just employee laptops.
  5. Establish a documented incident response plan before you need it, including who contacts law enforcement and when.

Ransomware groups rely on preparation gaps. Close the gaps before the ransom note appears.

Source: Bing News · Telegram bots

Frequently asked questions

Who is Karen Serobovich Vardanyan?

He is a 34-year-old Armenian national extradited from Ukraine who pleaded guilty on July 8 to conspiracy and computer fraud for operating Ryuk ransomware attacks against US businesses.

How much did the Ryuk ransomware campaign collect?

Prosecutors say the campaign collected roughly 1,610 bitcoin, worth more than $15 million at the time the payments were made between November 2019 and April 2020.

What sentence does Vardanyan face for the Ryuk ransomware charges?

He faces a maximum of five years for conspiracy and ten years for computer fraud, for a combined maximum of 15 years. He also agreed to pay more than $1.1 million in restitution. Sentencing review is set for September 22, 2026.

What is Ryuk ransomware and how does it work?

Ryuk is malware that encrypts a victim's files and locks them out of their systems until a ransom is paid in bitcoin. Attackers break into corporate networks, deploy Ryuk across workstations and servers, and leave ransom notes with a bitcoin wallet address and contact email.

More from AI