LockBit leader’s hidden identity unmasked on gang’s website by law enforcement coalition 

Russian national’s identity unmasked on LockBit's website two months after LockBit was raided and temporarily crippled by a joint US, UK and Australian law enforcement operation.

By Greg Noone

The leader of the LockBit ransomware group has been revealed as Dmitry Khoroshev. A Russian national, Khoroshev’s identity as the mastermind behind the ransomware group was revealed in joint statements by the UK’s National Crime Agency and the US Department of Justice (DoJ). Known to most cybersecurity researchers as ‘LockBitSupp,’ Khoroshev is now subject to a US indictment, with the DoJ offering up to $10m for information that may lead to his arrest and conviction. The alleged cybercriminal is also being sanctioned by the US, UK and Australia.

“These sanctions are hugely significant and show that there is no hiding place for cybercriminals like Dmitry Khoroshev, who wreak havoc across the globe,” said the NCA’s director-general, Graeme Biggar. “Today’s announcement puts another huge nail in the LockBit coffin.”

Ransomware gang LockBit’s victim blog has been under the control of a joint law enforcement coalition since February. (Image by Operation Cronos)

LockBit website used to reveal its leader’s hidden identity

According to the DoJ, Khoroshev is 31 and a resident of Voronezh, a small city in southwestern Russia. He has been charged with 25 counts of fraud, extortion, conspiracy to commit wire fraud and intention to cause damage to a protected computer, among other crimes. Operating LockBit according to a ransomware-as-a-service model, Khoroshev demanded a 20% cut of any ransom payment received as a result of using LockBit ransomware, a formula that the DoJ estimates netted the alleged cybercriminal a personal fortune of over $100m.

Khoroshev’s identity was revealed as part of a joint effort by the NCA, FBI and other international partners to infiltrate and dismantle LockBit. Known as ‘Operation Cronos,’ the action led to the seizure of LockBit’s victim blog and, the NCA claims, a 73% reduction in the number of monthly attacks by the group against targets in the UK. However, the joint action did not completely succeed in disabling the gang, with the infamous LockBitSupp opining on a new .onion site that the organisation remained operational. 

Operation Cronos also led to an unprecedented intelligence haul on the gang’s inner workings and reach. In total, 194 affiliates were identified as having used the gang’s services. Of these, said the NCA, 148 built attacks and 119 engaged with victims over possible ransoms for their data, with deletion of that data after the extortion process was completed far from routine. As a result of Operation Cronos, however, the NCA and its partners claim to have 2,500 decryption keys for victims of LockBit ransomware, with the former agency reaching out to some 240 victims in the UK.

Ransomware gang’s victims spread far and wide

Discovered by cybersecurity researchers in 2019, LockBit ransomware has been used in many high-profile breaches in recent years, with victims in the UK including the Post Office, the NHS and the Ministry of Defence. “The true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed that more than 7,000 attacks were built using their services between June 2022 and February 2024,” said Europol in a separate statement, with the top five countries hit being the UK, the US, France, Germany and China. 

Searchlight Cyber’s head of threat intelligence, Luke Donovan, praised law enforcement agencies for targeting LockBit and choosing to publicly undermine the organisation’s reputation for criminal competence on its own website. This, said Donovan, “demonstrates a new playbook that other law enforcement task forces could emulate to make life difficult for ransomware groups and other cybercrime gangs.”

Donovan warned, however, that LockBit was just one of several ransomware big beasts lurking on the dark web. “Any gap left by it will likely be filled by one or several of its competitors,” he said. “However, there is no doubt that this operation has been a major win for law enforcement, effectively exposing and disrupting one of the major culprits.”
