What happened
According to pretrial investigation materials, on the night of November 12, 2025, UAH 127.1 million (UAH 78.4 million and UAH 48.7 million respectively) were withdrawn from the accounts of two companies belonging to businessman Zinoviy Kozytskyi — LLC "ZakhidNadraService" and LLC "Enerhopark Yavoriv". On February 23, 2026, a 21-year-old resident of Khmelnytskyi was notified in absentia of suspicion in a number of criminal offenses, including theft, unauthorized interference with electronic networks, and money laundering, the Office of the Prosecutor General reports.
How, according to the investigation, it happened
The scheme described in the suspicion began with a small "false" payment two days before the main outflow of funds. When the accountant of one of the LLCs contacted the sender, she was allegedly sent a return-instructions archive named "Documents.zip" — protected with a password. Inside the archive was a malicious file; the employee was persuaded to run it supposedly to obtain the password. After that, the perpetrators gained remote access to the internal networks and service equipment of both companies and withdrew the money through the client-bank.
"He was notified in absentia of suspicion under three articles of the Criminal Code: theft (Part 5 of Art. 185), unauthorized interference with the operation of electronic networks (Part 5 of Art. 361) and money laundering (Part 3 of Art. 209)"
— Office of the Prosecutor General of Ukraine
Where the money went
The investigation records a typical "smurfing" scenario: instant splitting of sums through dozens of accounts of legal entities, sole proprietors and card drops, with some transactions routed through crypto exchanges. According to case materials, the suspect managed to legalize more than UAH 104 million. He also bought two cars from a dealer — a Cadillac ATS and a BMW 320 — a typical marker of rapid legalization of illicit proceeds.
Context: this is not an isolated event
The investigation is being conducted by the Lviv Region Police (case No. 12025141360001860). The case overlaps with other cybersecurity incidents in February 2026: on the night of February 15–16 A-Bank was attacked (some clients recorded unauthorized debits), and on February 19 there were reports of an attack on the National Bank's online store. Together these cases indicate increased activity by groups operating via social engineering and rapid dispersion of funds.
What it means for business and the state
This story should be read not only as a criminal precedent but as a warning: even large companies with resources lose millions to simple human triggers — fake invoices and archives. For companies this means strengthening payment verification procedures, implementing multi-factor authentication for corporate online banking and conducting training for finance personnel. For banks and regulators — accelerating the introduction of rules that make rapid withdrawal and "splitting" of large sums more difficult.
Conclusion
According to the investigation, this case combined classic social engineering with a rapid laundering scheme through the financial infrastructure. It is a lesson for everyone — from an accountant in a small firm to bank management: technical measures are important, but the decisive factor remains the human element and the speed of fraud-prevention systems' response. Whether businesses and the state will turn the recent incidents into real protection protocols is the question that will determine how many more times such cases will repeat.
