The U.S. has succeeded in extraditing a suspected LockBit ransomware developer who was arrested last year.
Rostislav Panev, 51, a dual Russian and Israeli national, was arrested last year in Israel on a U.S. provisional arrest request. The U.S. Department of Justice (DOJ) announced yesterday that Panev has been extradited to the U.S. on charges that he was a developer for the LockBit ransomware group.
Following an initial court appearance before U.S. Magistrate Judge André M. Espinosa, Panev was detained pending trial.
“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” U.S. Attorney John Giordano said in a statement. “Even as the means and methods of cybercriminals become more sophisticated, my Office and our FBI, Criminal Division, and international law enforcement partners are more committed than ever to prosecuting these criminals.”
Panev’s extradition comes as the LockBit ransomware group tries to relaunch following a year of international law enforcement efforts.
LockBit Ransomware Developer Worked for Group Since Launch
According to court documents and statements, Panev was a developer of the LockBit ransomware group from its inception around 2019 through at least February 2024.
“During that time, Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world,” the DOJ statement said.
The LockBit group claimed more than 2,500 victims in at least 120 countries, including 1,800 in the U.S., the DOJ said.
According to Cyble data, LockBit has been by far the most active ransomware group in recent years. Even after a year of reduced activity, the group’s 2,700+ victims are still triple the total of the next nearest group, the CL0P ransomware group.
However, one attack in particular was ill-advised: a 2022 attack on the Toronto Hospital for Sick Children, which led to an apology from LockBit along with a free decryptor – and increased law enforcement attention.
LockBit extracted at least $500 million in ransom payments from victims and caused billions of dollars in other losses, the DOJ said.
LockBit’s membership consisted of “developers” like Panev, who designed the LockBit malware code and maintained operational infrastructure, and “affiliates,” who carried out attacks and extorted victims. They split the ransom payments.
Panev Evidence Cited
A superseding complaint alleges that at the time of Panev’s arrest last August, law enforcement found on his computer the administrator credentials for an online repository that was hosted on the dark web and contained source code for multiple versions of the LockBit builder, which allowed affiliates to generate custom builds for particular victims.
The repository also contained source code for LockBit’s StealBit tool, which was used for exfiltration, the DOJ said, adding that law enforcement also discovered access credentials for the LockBit control panel maintained by the developers for affiliates.
The complaint also alleges that Panev “exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator,” alleged by the U.S. to be Dmitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit, and putinkrab. Those messages discussed work that needed to be done on the LockBit builder and control panel.
Between June 2022 and February 2024, the U.S. claims that the primary LockBit administrator “made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.”
The DOJ said that in interviews with Israeli authorities following his arrest, “Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.”
That work allegedly included code to disable antivirus software, to deploy malware to multiple computers connected to a victim network, and to print the LockBit ransom note to all printers connected to a victim network. The U.S. says Panev “also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.”
Seven LockBit members have now been charged in the District of New Jersey, according to the DOJ. Beyond Panev and Khoroshev, who remains at large, other previously charged LockBit suspects include:
Affiliates Mikhail Vasiliev, also known as Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110, and Ruslan Astamirov, also known as BETTERPAY, offtitan, and Eastfarmer, who pled guilty and are awaiting sentencing.
Affiliates Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, have also been charged and remain at large, as has Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar. Rewards of up to $10 million have been offered for the at-large suspects.