LockBit leader unmasked

Named as Russian national Dmitry Khoroshev

A joint operation by law enforcement agencies in the UK, USA and Australia has unmasked and sanctioned the leader of the infamous LockBit ransomware gang.

Dmitry Khoroshev, who previously operated under the online alias LockBitSupp, faces asset freezes and travel bans after authorities exposed his role leading the ransomware group responsible for extorting over $1 billion from victims worldwide.

Khoroshev was so confident in his anonymity that he had offered a $10 million reward to anyone who could identify him.

The announcement comes just months after a coordinated effort by the UK's National Crime Agency (NCA), USA's Department of Justice (DoJ), FBI and Europol disrupted LockBit's operations in February.

As part of Operation Cronos, law enforcement hijacked the group's dark web marketplace and used it to leak internal LockBit information.

LockBit specialised in deploying ransomware, holding victims' data hostage until demands were met. The group, along with its network of affiliated criminals, targeted major organisations around the globe, demanding cryptocurrency payments to unlock stolen data.

Data recovered from LockBit's systems revealed over 7,000 cyber attacks carried out between June 2022 and February 2024, targeting victims across the world. The healthcare sector was a particular focus, with over 100 hospitals and healthcare providers compromised.

While LockBit has attempted to rebuild its infrastructure since February, the NCA believes its capacity is significantly diminished. The number of attacks using LockBit tools has plummeted by 73% in the UK alone, with similar drops reported elsewhere. These attacks also appear to be the work of less skilled affiliates, resulting in a smaller impact.

The NCA says it has identified 194 affiliates who used LockBit's services, with over half initiating negotiations with victims.

Nearly 60% of these affiliates, despite paying to join and potentially causing significant damage, never received any ransom payments.

The NCA also found numerous instances where the decryption keys LockBit provided for ransoms paid were faulty, leaving victims without recourse.

Thankfully, international cooperation has yielded over 2,500 working decryption keys, and the NCA is contacting victims worldwide to offer assistance.

Khoroshev unmasked

International authorities repurposed LockBit's own dark web platform to expose Khoroshev. A wanted poster displayed on the hijacked site now offers a $10 million reward for information leading to his arrest.

Furthermore, a 26-count US indictment unsealed on Tuesday alleges that Khoroshev personally profited from LockBit's criminal activity to the tune of at least $100 million in Bitcoin payments.

"These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong," NCA Director General Graeme Biggar noted.

UK security minister Tom Tugendhat said: "Cyber criminals think they are untouchable, hiding behind anonymous accounts as they try to extort money from their victims.

"By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot hide. You will face justice."

In February, the US Department of Justice unsealed indictments against two alleged members of the LockBit group, Russian nationals Artur Sungatov and Ivan Kondratiev, aka Bassterlord.

The indictments accused them of deploying the LockBit ransomware against victims in multiple US states and Puerto Rico, as well as globally in sectors such as manufacturing, logistics and insurance.