US, UK authorities unmask Russian national as LockBit administrator

The U.S. and British governments on Tuesday identified Dmitry Yuryevich Khoroshev as the leader, developer and administrator of the LockBit ransomware operation, one of the most prolific and profitable cybercriminal syndicates in recent years.

Khoroshev, a Russian national, has been LockBit’s main administrator and developer since at least September 2019 continuing through the present, U.S. federal prosecutors said in an indictment unsealed Tuesday. Since its inception, LockBit has been used in attacks against more than 2,500 targets in at least 120 countries, leading to at least $500 million in ransom payments to Khoroshev and his affiliates and “billions of dollars in broader losses, such as revenue, incident response, and recovery,” the Department of Justice said in a statement.

Khoroshev is charged with one count of conspiracy to commit fraud, extortion and related activity in connection with computers, one count of conspiracy to commit wire fraud, eight counts of intentional damage to a protected computer, eight counts of extortion in relation to confidential information from a protected computer, and eight counts of of extortion in relation to damage to a protected computer.

The charges carry a maximum penalty of 185 years in person, according to the DOJ.

Alongside the indictment, the U.S., British and Australian governments announced sanctions against Khoroshev. The U.S. State Department also announced a $10 million reward for any information leading to his arrest and/or conviction.

“As part of our unrelenting efforts to dismantle ransomware groups and protect victims, the Justice Department has brought over two dozen criminal charges against the administrator of LockBit, one of the world’s most dangerous ransomware organizations,” Deputy Attorney General Lisa Monaco said in a statement. “Working with U.S. and international partners, we are using all our tools to hold ransomware actors accountable — and we continue to encourage victims to report cyberattacks to the FBI when they happen. Reporting an attack could make all the difference in preventing the next one.”

Tuesday’s actions come a little more than two months after an international law enforcement operation seized parts of the LockBit infrastructure as part of “Operation Cronos.” As part of that operation, the U.S. government unsealed indictments against two Russian nationals for their alleged roles in facilitating LockBit attacks: Artur Sungatov and Ivan Gennadievich Kondratyev (also known as “Bassterlord”). 

After the February operation, authorities teased that they knew the identity of the main administrator — the actual person behind the “LockBitSupp” persona that communicates with journalists and others online, and used LockBit’s website to share information about the operation. 

After the news came out Thursday, LockBitSupp told CyberScoop in an online chat that authorities identified the wrong person, and that the pictures and other materials being shared were incorrect. As for what comes next: “Work, hard work, more work,” LockBitSupp said.

LockBitSupp reconstituted some of the infrastructure after the disruption, and attempted to make it look like it was business as usual, even as observers said LockBit was reposting old victims and claiming they were new. The new site listed 44 new victims and 25 victim updates, according to the Secureworks Counter Threat Unit, the majority of which were genuinely new. 

“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cybercriminal community,” Secureworks Counter Threat Unit VP Don Smith said in an email to CyberScoop. “The psychological element of the action taken by law enforcement was extremely effective, the group’s efforts to re-establish its previous reputation have not gone particularly well. Today’s unmasking of Dmitry Khoroshev aka LockBit Supp, demonstrates the ability of law enforcement to deny cybercriminals the safety blanket of anonymity and place them at risk of arrest and prosecution if they travel out with their home country.”

The weekend prior to the announcement, authorities in control of LockBit’s website hinted that more information about LockBitSupp’s identity was coming. When asked about the authorities’ looming announcement, LockBitSupp offered CyberScoop a simple reaction: “I don’t know,” he said via online chat. “I like it.”

This story was updated May 7, 2024, to include a denial from “LockBitSupp” that they are the person identified by law enforcement as the administrator of LockBit.