NCA unmasks LockBitSupp cyber gangster who toyed with pursuers


The National Crime Agency (NCA), alongside the global partner agencies that participated in Operation Cronos, the operation against the LockBit ransomware gang, has formally named the crew’s leader, administrator and key developer, LockBitSupp, as Dmitry Khoroshev.

Khoroshev, who at one point teased his pursuers by offering a $10m reward to anybody who could successfully reveal his true identity, will be subject to a series of asset freezes and travel bans, and has also today been charged in the United States with 26 offences relating to fraud, damage to protected computers, and extortion. The US authorities are also offering a multimillion-dollar reward for information that might lead to his arrest and extradition.

“These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong,” said NCA director Graeme Biggar.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.

“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world,” said Biggar.

“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public,” he added.

Operation Cronos, the NCA-led operation against the notorious LockBit ransomware gang, unfolded on 19 February 2024 and saw the agency infiltrate the gang’s network and take over its services, including its dark web leak site.

The NCA today said that the ransomware-as-a-service operation conducted over 7,000 cyber attacks between June 2022 and February 2025, with victims including over 100 hospitals and healthcare organisations, and at least 2,110 victims being forced into some degree of negotiation.

The number of affiliates identified as using LockBit’s services stood at 194 up until February 2024, and has now fallen to 69 as the group struggles to rebuild. Of those active affiliates, 148 conducted attacks and 119 engaged in negotiations with victims, although up to 114 affiliates, who would have paid thousands to join LockBit’s programme, never actually made any money from their criminality.

The NCA added that it had found multiple instances where the decryptor supplied by LockBit to victims that did pay never worked, and many others where LockBit failed to keep its ‘promise’ to delete stolen data once paid.

The NCA said it was now in possession of over 2,500 decryption keys and was continuing to contact LockBit’s victims to offer support. It has so far identified and contacted 240 victims in the UK.

LockBit’s rebuild not going well

Meanwhile, the group’s attempt to rebuild over the past couple of months appears to be going badly, with the gang still running at limited capacity, and its new leak site being used to publicise victims attacked before the takedown, as well as trying to take credit for the crimes of others.

The NCA’s latest data suggests that the number of monthly LockBit attacks in the UK has dropped by 73% since late February, and those attacks that are occurring are being carried out by less sophisticated actors with much less impact.

“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cyber criminal community,” said Don Smith, vice president of SecureWorks’ Counter Threat Unit.

“The psychological element of the action taken by law enforcement was extremely effective; the group’s efforts to re-establish its previous reputation have not gone particularly well. Today’s unmasking of Dmitry Khoroshev, aka LockBitSupp, demonstrates the ability of law enforcement to deny cyber criminals the safety blanket of anonymity and place them at risk of arrest and prosecution if they travel outwith their home country.”


