Armenian National Extradited From Ukraine Pleads Guilty in $15M Ryuk Ransomware Case

Daily Feed
Armenian National Extradited From Ukraine Pleads Guilty in $15M Ryuk Ransomware Case

Armenian National Extradited From Ukraine Pleads Guilty in $15 Million Ryuk Ransomware Case

An Armenian national extradited from Ukraine has pleaded guilty in U.S. federal court to helping carry out Ryuk ransomware attacks that targeted American businesses and a school, with the scheme pulling in more than 1, 610 bitcoin in ransom payments.

  • Defendant: Karen Serobovich Vardanyan, 34
  • Charges: conspiracy and computer fraud
  • Extradited: from Ukraine to the United States
  • Total ransom payments: about 1, 610 bitcoin, worth over $15 million at the time
  • Victims named: a Michigan company, a company in Wilsonville, Oregon, and a Texas school

According to the U.S. Department of Justice, Karen Serobovich Vardanyan pleaded guilty in federal court in Oregon after being extradited from Ukraine. Prosecutors say he took part in a Ryuk ransomware operation that ran between November 2019 and April 2020 and hit multiple U.S. victims, including a company in Michigan that paid 200 bitcoin, more than $1.1 million at the time of payment, to regain access to its network.

Ryuk was one of the more notorious ransomware strains of that period. Ransomware is malware that encrypts a victim’s files or systems and then demands payment for a decryption key. In plain English, attackers lock up a company’s digital infrastructure and then hold it hostage until someone pays up. A lovely business model if your main skill is extortion and your career goal is avoiding sunlight.

The DOJ says the operation also targeted a company in Wilsonville, Oregon, and in February 2020 attacked a school in Texas. Prosecutors further allege that Vardanyan and his co-conspirators deployed ransomware on hundreds of compromised servers and workstations, meaning the attackers first gained unauthorized access and then used that foothold to spread the malware and encrypt systems.

That matters because ransomware is usually not a smash-and-grab. It is methodical. Attackers probe networks, steal credentials, move laterally, and wait for the best moment to hit. The goal is not just disruption, but maximum leverage. The payoff comes from panic.

The DOJ says Vardanyan and his co-conspirators received approximately 1, 610 bitcoin in ransom payments, valued at more than $15 million at the time those payments were made. That figure is a reminder of why ransomware remains such a stubborn problem: it still works often enough to keep criminals in business, and often enough to keep victims under pressure to pay.

Bitcoin’s role in these cases is straightforward. It is useful for cross-border payments, which is exactly why it shows up again and again in ransomware schemes. But bitcoin is not some magical invisibility cloak. It is pseudonymous, not anonymous, and investigators can often trace funds through blockchain data, exchange compliance records, and basic operational mistakes.

So no, this does not mean “crypto is crime.” That lazy line is for people who like slogans more than facts. What it does show is that open financial rails can be used by both honest actors and thieves, and the thieves tend to arrive first when defenders are asleep at the wheel.

The extradition angle is also important. Cross-border cybercrime cases only move when law enforcement cooperation is real, and this one involved Ukraine handing over a suspect to face U.S. charges. That is not a small detail. It signals that the old fantasy of launching ransomware from abroad and staying untouchable is getting harder to believe, even if it is not dead yet.

The DOJ said the grand jury indictment was returned on Feb. 22, 2024. Vardanyan’s guilty plea resolves the question of guilt without a trial, but sentencing is still ahead. The department says sentencing is scheduled for Sept. 22, 2026, and prosecutors say he faces statutory maximum penalties that include five years for conspiracy and 10 years for computer fraud, along with restitution.

For businesses and schools, the lesson is brutally familiar: ransomware thrives where backups are weak, systems are poorly segmented, and security updates are treated like optional homework. Segmentation means keeping important systems isolated so an intruder cannot move freely across the network. Offline backups matter because if the backups are connected, attackers can encrypt those too. Paying the ransom is often a desperate last resort, not a strategy.

There is a deeper point here too. Bitcoin is not the villain, and neither is the network. The villain is the extortion ring using it to squeeze schools and companies for millions. At the same time, pretending bitcoin has no crime use at all is just denial with a maximalist hat on. Both things can be true: the rail is neutral, and bad actors exploit it whenever they can.

Key questions and takeaways

  • Who pleaded guilty?
    Karen Serobovich Vardanyan, a 34-year-old Armenian national, pleaded guilty in federal court in Oregon.
  • Why does Ukraine matter here?
    Vardanyan was extradited from Ukraine, showing that international cooperation can reach ransomware suspects who operate outside the United States.
  • What did the Ryuk attacks involve?
    Prosecutors say the attackers encrypted victim systems, demanded bitcoin for decryption keys, and deployed ransomware on hundreds of compromised servers and workstations.
  • How much bitcoin was involved?
    The DOJ says one Michigan company paid 200 bitcoin, and the co-conspirators received about 1, 610 bitcoin total, worth over $15 million at the time.
  • Which victims were named?
    Prosecutors cited a company in Michigan, a company in Wilsonville, Oregon, and a school in Texas that was attacked in February 2020.
  • What happens next?
    The guilty plea resolves the liability question, but sentencing is still pending, with a hearing scheduled for Sept. 22, 2026.

Ransomware is not going away because the economics are still rotten in the attackers’ favor. But extraditions, guilty pleas, and international cooperation do matter. Each one chips away at the old assumption that cyber extortion is a clean escape hatch. For the criminals, that assumption is becoming less reliable by the month.

Further reading

Related cases and background on ransomware, extradition, and bitcoin-linked criminal proceedings.

Share this article

Powered by ADBYTES

Advertise smarter.

Adbytes.Media is a transparent advertising network where advertisers reach real audiences and publishers, affiliates & everyday members earn ADBYTES tokens. Join the community and start earning today.

Back to Blog