Israeli court to hear U.S. extradition request for alleged LockBit developer
An Israeli Court is set to deliberate a significant extradition case involving Rostislav Panev, an Israeli citizen alleged to be involved with the notorious LockBit ransomware gang.
According to Israeli news outlet Ynet, a U.S. extradition request was made public Thursday claiming that between 2019 and 2024, Panev served as a software developer for LockBit. During this period, LockBit is alleged to have executed cyberattacks impacting roughly 2,500 victims globally, including U.S. governmental and health care organizations.
The U.S. Department of Justice places LockBit among the most detrimental ransomware groups in operation, responsible for financial losses exceeding $500 million. Moreover, the group purportedly harbored connections with Evil Corp., an erstwhile Russian-based cybercrime syndicate sanctioned by the U.S. government in 2019 for its role in distributing malware and enabling a range of cybercriminal activity.
Documents disclosed in conjunction with the extradition request reveal that Panev was arrested at his Israeli home in August. He is suspected of developing software that placed ransom notes on compromised systems. For his work, he has allegedly made $230,000, largely via cryptocurrency. Law enforcement agencies discovered digital wallets tied to these payments, along with ransom templates, during searches at Panev’s residence.
Panev’s lawyer, Sharon Nahari, told Ynet that Panev was neither aware of nor complicit in the alleged schemes.
The extradition proceedings were instigated by the State Attorney’s Office after Israel’s Minister of Justice signed off on a formal request from the U.S. According to YNet, the U.S. kept the extradition order sealed, fearing that it might tip off other LockBit affiliates, potentially allowing them to escape to Russia.
International law enforcement has been aggressively pursuing those behind LockBit, starting in February with the public unveiling of “Operation Cronos,” the name of the organized international effort led by the U.K.’s National Crime Agency. British authorities seized the website used by LockBit to post targets and share data from targeted entities that refused to pay ransom and used it as the platform to disseminate news about the operation and information about the nearly 200 affiliates working with LockBit at the time, part of both a traditional law enforcement disruption as well as a psychological operation designed to undermine LockBit’s support in the cybercrime community.
In October, law enforcement agencies announced additional arrests, seizures and sanctions targeting LockBit ransomware infrastructure, and 16 people were either arrested, sanctioned or both by the U.S. or U.K.
