The Alleged LockBit Ransomware Mastermind Has Been Identified

Law enforcement officials say they’ve identified, sanctioned, and indicted the person behind LockBitSupp, the administrator at the heart of LockBit’s $500 million hacking rampage.
[Image: Dmitry Khoroshev, the administrator and developer of the LockBit ransomware group. Courtesy of National Crime Agency]

Law enforcement in the United States, United Kingdom, and Australia today jointly named Russian national Dmitry Yuryevich Khoroshev as the alleged operator of the LockBitSupp handle and the organizational mastermind behind the notorious LockBit ransomware group, which has been on a multiyear hacking rampage, extorting an estimated $500 million from its victims.

For years, the leader of LockBit has remained an enigma. Carefully hiding behind their online moniker, LockBitSupp has evaded identification and bragged that people wouldn’t be able to reveal their offline identity—even offering a $10 million reward for their real name.

Law enforcement’s linking of Khoroshev to LockBitSupp comes after police in the UK infiltrated the LockBit group’s systems and made several arrests—taking its servers offline, gathering the group’s internal communications, and putting a stop to LockBit’s hacking spree. The law enforcement takedown, dubbed Operation Cronos and led by the UK’s National Crime Agency (NCA), has essentially neutralized the hacking group and sent ripples through the wider Russian cybercrime ecosystem.

In addition to being named, Khoroshev has also been sanctioned by the US, UK, and Australia. According to the US Office of Foreign Assets Control, Khoroshev is 31 and lives in Russia, with details of his sanction designation also listing multiple email addresses and cryptocurrency addresses, alongside his Russian passport details. The US has also filed an indictment against him.


Khoroshev did not immediately respond to messages sent to email addresses listed in the sanctions.

A 26-count indictment published by the US Department of Justice lists a litany of charges, including conspiracy to commit fraud, extortion, and hacking. The charges carry a maximum penalty of 185 years in prison, the DOJ says.

The indictment says Khoroshev has acted as the LockBit group’s “developer and administrator” since around September 2019, designing and developing the “control panel” used within its ransomware attacks. Khoroshev and the LockBit group managed to extort at least $500 million from victims in 120 countries around the world, including Russia, which is rarely targeted by Russian cybercriminals, the indictment says. It says he personally received around $100 million from this activity.

Before the takedown earlier this year, LockBit had risen to become one of the most prolific ransomware groups ever, launching hundreds of attacks per month and ruthlessly publishing stolen data from companies if they refused to pay. Boeing, the UK’s Royal Mail postal service, a children’s hospital in Canada, and the Industrial and Commercial Bank of China were all included in LockBit’s or its affiliates’ recent roster of victims. In one instance, the DOJ indictment says, LockBit demanded $200 million from one aeronautical and defense corporation based in Virginia.

Investigators are also starting to unpick more details about the scale and scope of LockBit’s operations. The NCA’s senior investigating officer, who is not being publicly named due to their continued involvement in the operation, says LockBit listed 2,350 victims publicly on its leak site up to the end of December 2023, but that this is just a small fraction of its hacking activity.

Within its system, there were 7,000 “attack builds” for unique victims, the investigator says. Companies in the US, UK, France, Germany, and China were the most targeted. More than 100 hospitals were listed, despite LockBit having internal rules not to target medical facilities. “When they said we will fire the individual publicly for doing that, they didn't fire the individual,” the investigator says.

“If you are a cyber criminal, and you are operating in these marketplaces, or forums or platforms, you cannot be certain that law enforcement are not in there observing you and taking action against you,” says Paul Foster, the head of the NCA’s National Cyber Crime Unit.

Rise of Supp

LockBit first emerged in 2019 as a fledgling “ransomware-as-a-service” (RaaS) platform. Under this setup, a core handful of individuals, organized by the LockBitSupp handle, created the group’s easy-to-use malware and launched its leak website. This core group licensed LockBit’s code to “affiliate” hackers, who launched the attacks and negotiated ransom payments, eventually passing around 20 percent of their profits back to LockBit.

Despite launching thousands of attacks, the group initially tried to keep a low profile compared to other ransomware groups. Over time, as LockBit became more well known and started to dominate the cybercrime ecosystem, its members became more brazen and arguably careless. The NCA senior investigator says they pulled data about 194 affiliates from LockBit’s systems and are piecing together their offline identities—only 114 of them didn’t make any money, the investigator says. “There were some that were incompetent and didn't carry out attacks,” they say.

At the center of it all was the LockBitSupp persona. The NCA investigator says there were “numerous” examples of the LockBit administrator directly “taking responsibility” for high-profile or high-ransom negotiations after affiliates had initially attacked the companies or organizations.

The DOJ indictment claims Khoroshev, as LockBitSupp, kept a close track of his affiliates, keeping databases of each affiliate and the victims they had targeted. “In some cases, Khoroshev demanded identification documents from his affiliate co-conspirators, which he also maintained on his infrastructure,” the indictment says.

Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and communicating with the LockBitSupp handle. “He treated it like a business and often sought out feedback from his affiliate partners on how he could make the criminal operation more effective,” DiMaggio says. The LockBitSupp character would ask affiliates what they needed in order to more effectively do their work, the researcher says.

“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Over the group’s lifetime, its malware went through two major releases, each more capable and easier to use than the last. Security company Trend Micro’s analysis of material obtained in the law enforcement operation shows the group was working on a new version too.

DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.

“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”

In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay-writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.

Soon after law enforcement claimed to have revealed LockBitSupp’s identity, DiMaggio published new research about Khoroshev. Using a tip he received, plus open source intelligence and leaked information on the dark web, DiMaggio found social media profiles and extra personal information believed to be linked to the Russian national.

“He owns several legitimate businesses, also based out of Voronezh, drives a Mercedes, and previously owned a Mazda 6, not a lambo as he often boasts,” DiMaggio writes in the research. One of the email addresses included in the sanctions has links to a Russia-based e-commerce business registered in the name of Khoroshev, he writes. Several other emails and phone numbers were connected to these details, DiMaggio's research says.

LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.

Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged [about how] LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.

Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.

Downfall

After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.

These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group. The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.

On top of this, much of the credibility of the LockBit brand has been destroyed. Hull says he is seeing smaller ransomware affiliates and groups “really starting to distance themselves” from LockBit and moving to other RaaS operations. “It’s unlikely that we’ll see another big name like LockBit appearing with those sorts of numbers unless there’s some massive rebranding or some sudden change in allegiance toward the individuals behind LockBit,” Hull says.

As for LockBitSupp, it’s unlikely they’ll respond well to being publicly identified. When Operation Cronos took down LockBit’s systems in February, police repurposed its leak website to publish details about the group itself. After the takedown, the DOJ indictment says, Khoroshev got in touch with law enforcement—but was trying to “stifle his competition.”

He “offered his services in exchange for information regarding the identity of his RaaS competitors,” the indictment says. “Specifically Khoroshev asked law enforcement during that exchange to, in sum and substance, ‘[g]ive me the names of my enemies’.” Ahead of law enforcement naming Khoroshev, a countdown appeared on the website, and LockBitSupp responded by publishing scores of victims.

“LockBitSupp has a lot of enemies and people waiting to take his place,” says DiMaggio, the Analyst1 researcher, who adds it is unlikely they will stop their actions, although it will be harder to continue. “It is much easier to be a bad guy when no one knows who you are. His reputation is shot and that will be very difficult to come back from.”