Earlier this week, the US government announced that it had identified and sanctioned the Lockbit Ransomware Group leader, Dmitry Yuryevich Khoroshev, a 31-year-old Russian national.
The lopped-off head of the hydra has been identified and sanctioned by the US Office of Foreign Assets Control and a reward is offered for his successful arrest, prosecution, conviction, and sentencing.
In the statement published in the official press release, Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said, “Today’s action reaffirms our commitment to dismantling the ransomware ecosystem and exposing those who seek to conduct these attacks against the United States, our critical infrastructure, and our citizens.”
Above: Screengrab from Crystal Expert, depicting the flow of funds to and from the sanctioned wallet
At Crystal, we have noticed that the address sanctioned was last active in 2021. We were able to determine its direct exposure to major European facing exchanges.
Meanwhile, two arrests have been made, and 34 illicit servers were taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Authorities from 10 countries participated in Operation Cronos, which undertook to take down LockBit and its principal administrator and operator, Khoroshev, who traveled under the moniker of LockBitSupp.
LockBit’s operations included over 7,000 ransomware attacks on business entities in the US, UK, France, Germany, China, and others, which took place between June 2022 and February 2024.
During those dark four years, LockBit mounted attacks on Subway, Boeing, PayBito, and Bangkok Airways, and others. The crime group most infamously targeted 100-plus hospitals and healthcare organizations during that time, attacks which caused well over 2,000 victims to find terms with their hijackers.
The UK’s National Crime Agency (NCA) first infiltrated and disrupted LockBit in February 2024, by which time some 194 affiliates exploiting its ransomware-as-a-service (RaaS) business offering engaged in 148 attacks, of which 119 engaged in negotiations with victims, and about eighty took ransom payments. The NCA and its international partners claim to now have more than 2,500 decryption keys in their possession to support their redress efforts for LockBit’s many victims. In the UK alone, the NCA has contacted almost 240 victims.
The Australian Cyber Security Centre (ACSC), which was pivotal in the LockBit takedown, also enjoyed a special milestone: This was just its second imposed cybercrime sanction, following the first in January of 2024.
