Authorities Identify and Sanction LockBit Ransomware Admin

In a significant development in the fight against cybercrime, authorities from the U.K. National Crime Agency (NCA), U.K. Foreign, Commonwealth and Development Office (FCD), the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs have unveiled a series of actions targeting the administrator and developer of the notorious LockBit ransomware group.

The Russian national, now identified as Dmitry Yuryevich Khoroshev, has been subjected to asset freezes, travel bans, and criminal charges for his role in orchestrating one of the world's most prolific and destructive ransomware operations.

The revelations come as part of the second phase of Operation Cronos, a collaborative effort led by the UK's National Crime Agency (NCA) and supported by Europol and Eurojust.

In February 2024, the first phase of the operation successfully compromised LockBit's primary platform and critical infrastructure, dealing a severe blow to the group's capability and credibility.

Data obtained from LockBit's seized systems revealed the staggering scale of their criminal activities. Between June 2022 and February 2024, the group launched over 7,000+ attacks, with the United States, United Kingdom, France, Germany, and China being the top five targeted countries.

The true financial impact of these attacks was previously unknown, but authorities have now confirmed that LockBit issued hundreds of millions of dollars in ransom demands, receiving at least $144 million in actual payments.

“Today’s indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” said FBI Director Christopher Wray.

“The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”

Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab, 31, of Voronezh, Russia, is charged by a 26-count indictment. Prosecutors in the United States detailed his alleged role as the creator, developer, and administrator of the LockBit ransomware variant.

The charges, returned by a federal grand jury in the District of New Jersey, include conspiracy to commit fraud, extortion, intentional damage to protected computers, and wire fraud. Khoroshev faces a maximum penalty of 185 years in prison and substantial fines if convicted.

In addition to the criminal charges, the U.S. Department of State has announced a reward of up to $10 million for information leading to Khoroshev's arrest and/or conviction. The Department of the Treasury has also designated Khoroshev for sanctions, freezing his assets and prohibiting U.S. persons from engaging in transactions with him.

The international Operation Cronos taskforce, which includes law enforcement agencies from France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the United Kingdom, and the United States, is continuing its efforts to identify and prosecute LockBit affiliates responsible for carrying out attacks using the group's ransomware-as-a-service (RaaS) model.

As a result of the investigation, law enforcement now possesses over 2,500 decryption keys and is actively contacting LockBit victims to offer support. Europol's European Cybercrime Centre (EC3) has disseminated approximately 3,500 victim intelligence packages to 33 countries, highlighting the global reach of the operation.

The NCA-controlled leak site, once used by LockBit to publish stolen data and extort victims, has been repurposed to host information exposing the criminal group's activities. This move serves as a powerful warning to cybercriminals that their anonymity is not guaranteed and that international law enforcement collaboration can lead to their unmasking and prosecution.

The actions taken against Khoroshev and the LockBit group underscore the commitment of the United States and its international partners to disrupt ransomware operations and bring those responsible to justice.

U.S. Attorney General Merrick B. Garland stated, "We will continue to work closely alongside our partners, across the U.S. government and around the world, to disrupt cybercrime operations like LockBit and to find and hold accountable those responsible for them."