The sheriff's department paid in Bitcoin. The coder lived in Cork.

Marlene was on the headset when the screen turned black.

Fifty-eight years old, twenty-two years in the chair. She knew every deputy by voice before they finished saying their unit number. She was working a domestic in progress when the county seal on her monitor blinked out and a paragraph of white text took its place. The text said her files were encrypted. The text said she had a deadline. The text gave her a wallet address and a number to make it stop.

The caller on the line was still talking. The dispatch software was not.

Marlene reached for the paper map in the bottom drawer. She had not opened that drawer in three years. The map was folded the way her predecessor had folded it. She held the headset against her shoulder, asked the woman on the line to repeat the address, and traced the road with her finger like it was 1994.

That was the night a man in Cork, Ireland reached into a sheriff's department in Tennessee.

She did not know his name yet. Nobody in the dispatch room did. The name would come almost five years later, in a federal courthouse in Nashville, on a Friday in June.

I.

The man's name is Oleksii Oleksiyovych Lytvynenko. He is forty-four. He is Ukrainian. He had been living in a flat in Cork, Ireland, a port city on the south coast where you can hear gulls from most kitchen windows.

He pleaded guilty on June 12, 2026, in the Middle District of Tennessee, to conspiracy to commit wire fraud. According to the plea record, he joined a ransomware operation called Conti no later than September 2021. His job, prosecutors said, was to work on the code of a piece of software called a loader.

A loader is the small thing. It is not the ransom note. It is not the encryption. A loader is the part of the code that gets in first and opens the door for everything that comes after. Think of it as the man who picks the lock so the rest of the crew can carry the furniture out.

Lytvynenko worked on the lock. Other people walked through the door. The plea record says he also held onto data stolen from eight victims in the United States and four overseas, the way a fence holds stolen goods until it is time to use them.

He faces up to twenty years. Sentencing is set for September 10, 2026.

That is the public part. The part that happened in a flat in Cork is harder to see. He was arrested there in July 2023. He fought extradition for over two years. He landed in U.S. custody in October 2025. By June he was in front of a judge saying yes.

II.

The operation he joined was not a gang. It was a company.

Conti ran from December 2019 until May 2022 as what the industry calls ransomware-as-a-service. That is a phrase that hides what the thing actually was. Conti built the malware. Conti rented it out to affiliates. Affiliates broke into hospitals, school districts, oil pipelines, sheriff's departments. When the ransom came in, Conti took a cut. Some affiliates were paid fixed wages. There were HR problems. There were performance reviews. There were complaints about the boss.

We know this because in May 2022, after Conti's leadership publicly pledged support for the Russian government following the invasion of Ukraine, someone inside the operation leaked the internal chats. Thousands of messages. Years of them. The kind of paper trail a normal business would shred.

By that point Conti had already taken at least $150 million in ransom payments, according to the Department of Justice's figures. Some analysts put 2021 alone at over $180 million. The Conti loader, in some form, infected more than a thousand computers and networks across 47 U.S. states, 31 foreign countries, the District of Columbia, and Puerto Rico.

Read that sentence again. Forty-seven states. That is not a hacking group. That is a distribution network.

Conti's victims included the government of Costa Rica, which declared a national emergency. A backup storage company called ExaGrid that paid $2.6 million. A hospital system that the company itself disclosed had cost roughly €67 million ($75M USD) to recover from.

And a small county in Tennessee.

III.

The Tennessee piece is what put Lytvynenko in a Nashville courtroom and not somewhere else.

Prosecutors said in the plea record that Lytvynenko and his co-conspirators extorted approximately $634,000 in Bitcoin from two Tennessee victims. One of those victims was a government entity. The attack compromised, in the words of the filing, a sheriff's department, local emergency medical services, and a local police department.

That is the cluster Marlene was sitting in.

A second Tennessee victim, according to prosecutors, refused to pay. The demand was $3 million. Conti leaked the data anyway. That is the double extortion model. You pay to get your files back. You also pay to keep your files from being posted publicly. If you refuse the second part, the data goes up.

The $634,000 was paid. Public money, moved in Bitcoin, into a wallet operated by people the county could not see and could not name. From that wallet, on-chain analytics suggest, the money went through mixers and into the Conti treasury, where it joined the rest of the $150 million.

A dispatcher in a small county does not know what a mixer is. She knows the screen went black and the paper map came out of the drawer.

IV.

Marlene worked the rest of that shift on paper.

She wrote down call after call in a notebook. Times. Addresses. Unit numbers. She had to call deputies on their personal cell phones because the radio dispatch tied into the same system that was now showing the ransom note. When her shift ended she did not go home right away. She sat in her car in the parking lot of the sheriff's department for forty minutes. Then she drove home and did not tell her husband what had happened, because she had been told not to.

Her county paid.

She did not learn that for months. She learned it the way most people in those counties learn it, in pieces, from a local reporter, from a sheriff's deputy who shouldn't have said anything, from a line in a budget document at a commission meeting.

The county had paid criminals to get its dispatch system back. The criminals had kept their word. The system came back. The paper map went back in the drawer.

That part may be the part nobody knows what to do with.

V.

The machine that locked the county was not one man.

It was a loader written by one person, deployed by another, sold by a third, supervised by a fourth, laundered by a fifth, and protected by a state that found it useful. When Conti collapsed in May 2022, the people inside did not stop working. They reorganized. The DOJ and private analysts have traced former Conti members into new groups called Zeon, Black Basta, Quantum. Quantum rebranded to Royal. Royal rebranded to BlackSuit. Same skeleton. New wallpaper.

This is the part that should keep a county commissioner up at night. The man in Cork is in custody. His loader is not. His code is in the bloodstream of three or four ransomware groups operating right now. Sentencing him to twenty years takes one coder off the bench. It does not take the loader off the board.

That is why the DOJ keeps showing up at these press conferences and saying the same sentences. A. Tysen Duva of the Criminal Division said Lytvynenko and his co-conspirators "used the Conti ransomware to terrorize people and businesses... causing millions of dollars in damage." Brett Leatherman at FBI Cyber called the plea "a significant step toward holding cyber criminals accountable." Braden H. Boucek, the U.S. Attorney in Nashville, said targeting groups like Conti is a "highest priority." Those are not victory laps. Those are progress reports on a fight that does not end.

VI.

Marlene is still working dispatch.

She does not trust the screen the way she used to. When she logs in at the start of her shift she watches the seal load and waits for it to fully draw before she puts the headset on. She keeps the paper map in the top drawer now, not the bottom. She knows where her predecessor's predecessor wrote the radio frequencies in pencil on the inside cover. She has shown two younger dispatchers how to fold the map.

She does not know the name Oleksii Lytvynenko. She does not need to. The county paid $634,000 it did not have to pay because a piece of code written in a kitchen in Cork found its way into a server in a town she has lived in her whole life.

That is the part the trail shows you, if you follow it.

The money went somewhere. It did not evaporate. It moved from a county wallet through a mixer into a treasury that, by the time it was done, had taken in at least $150 million from people who needed their files back. Some of those people were hospitals. Some were schools. One was a sheriff's department in a county that still uses a paper map at 3 a.m., because once you have seen the screen go black, you do not put the map back where you cannot reach it.

The loader did its job. So did the dispatcher.

One of them is going to be sentenced in September. The other one is back on shift tonight.