United States Charges Developer of LockBit Ransomware Group


Rostislav Panev, a 51-year-old dual Russian and Israeli national, has been extradited to the United States on charges related to his alleged role as a developer for the notorious LockBit ransomware group. 

The extradition, which took place on March 13, 2025, follows Panev’s arrest in Israel in August pursuant to a U.S. provisional arrest request. 

Upon his initial appearance before U.S. Magistrate Judge André M. Espinosa, Panev was ordered detained pending trial on a 41-count indictment that details his involvement with one of the world’s most destructive ransomware operations.

Developer Behind LockBit Ransomware Arrested

According to court documents, Panev served as a developer for LockBit from its inception in 2019 through at least February 2024, during which time he and his co-conspirators built LockBit into what authorities describe as “the most active and destructive ransomware group in the world.” 

Federal prosecutors allege that the LockBit operation attacked more than 2,500 victims across at least 120 countries, including 1,800 targets in the United States ranging from hospitals and schools to critical infrastructure and government agencies.

When Israeli authorities arrested Panev in Haifa, they discovered administrator credentials on his computer for a dark web repository containing source code for multiple versions of the LockBit builder, which allowed affiliates to generate custom builds of the ransomware for specific victims. 

Investigators also found credentials for the LockBit control panel and StealBit tool, which facilitated data exfiltration from compromised networks.

During questioning by Israeli authorities, Panev reportedly admitted to developing specific technical components for LockBit, including code to disable Windows Defender and programs that used Active Directory to deploy malware across victim networks.

He also acknowledged developing functionality that printed ransom notes to all printers connected to a victim’s network, a psychological tactic designed to amplify the impact of the attack.

Global Effort to Dismantle LockBit

Technical analysis of LockBit 3.0, also known as “LockBit Black,” reveals sophisticated execution techniques, including command execution, batch scripts, and extensive use of the native Windows API and PowerShell to interface with system components.

LockBit ransomware also implements service execution mechanisms using tools such as PsExec and employs data encryption for impact to render targeted data inaccessible.

Financial records indicate that between June 2022 and February 2024, Panev received monthly cryptocurrency payments of approximately $10,000, totaling over $230,000, allegedly from LockBit’s primary administrator, Dmitry Yuryevich Khoroshev, who remains at large. 

The U.S. Department of State has offered a reward of up to $10 million for information leading to Khoroshev’s arrest.

“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” said United States Attorney John Giordano. 

Law enforcement agencies worldwide continue their efforts to dismantle the LockBit infrastructure and hold accountable those responsible for attacks that have allegedly extracted at least $500 million in ransom payments and caused billions in additional losses.

Panev’s attorney has maintained that his client was “neither aware of nor involved in the primary offenses he has been accused of,” claiming Panev’s role was “strictly limited to software development.”

The LockBit case illustrates the evolving nature of cybercrime prosecution, where developers and infrastructure maintainers are held as accountable as those who deploy the attacks. 

As this case proceeds through the justice system, it serves as a powerful deterrent to others involved in ransomware operations while offering a measure of justice to the thousands of victims who suffered financial and operational damages from LockBit’s devastating attacks.
