Karen Serobovich Vardanyan pleaded guilty in the U.S. District Court for the District of Oregon to conspiracy to commit fraud and extortion and computer fraud under the Computer Fraud and Abuse Act, admitting his role in a Ryuk ransomware campaign that netted roughly 1,160 bitcoins, worth more than $15 million at the time, from victim companies. The 34-year-old Armenian national faces up to 15 years in federal prison and has agreed to pay nearly $1.2 million in restitution as part of a plea agreement filed with the court.

Prosecutors say Vardanyan and three co-conspirators, Ukrainian nationals Oleg Lyulyava and Andrii Prykhodchenko and Armenian national Levon Avetisyan, deployed Ryuk on hundreds of compromised servers between March 2019 and September 2020. Named victims include a Michigan company that paid nearly $1.2 million in January 2020, an Oregon-based technology company hit that December, and a Texas school breached in February 2020.

That timeline puts Vardanyan in Ryuk’s original wave, the same strain that hit Hollywood Presbyterian Medical Center and Universal Health Services and helped trigger a joint FBI-CISA warning to U.S. hospitals about ransomware in October 2020. Vardanyan’s plea closes out just one branch of a four-person case that’s still very much open.

Vardanyan’s plea also carries automatic immigration consequences: deportation once he’s served his time. The District of Oregon has not yet scheduled his sentencing.

James Okafor