The U.S. Department of Justice (DOJ) has identified Russian national Dmitry Khoroshev as the mastermind behind the infamous LockBit ransomware gang and is offering a $10 million reward for information leading to his arrest.
In a 26-count criminal indictment unsealed Tuesday morning, prosecutors alleged that Khoroshev, 31, developed, promoted and oversaw the LockBit software and recruited “affiliates” from cybercrime forums who carried out the actual ransomware attacks. Affiliates would give Khoroshev 20% of their earnings, usually paid in Bitcoin (BTC), once a ransom was paid.
According to prosecutors, LockBit was one of the world’s most prolific ransomware tools from its first appearance in 2019 until most of its infrastructure was seized earlier this year. The gang’s network of affiliates attacked approximately 2,500 victims, 1,800 of them in the United States, and extorted approximately $500 million in ransom.
The indictment states that Khoroshev was paid $100 million in Bitcoin through his activities in the course of LockBit’s operations. U.S. authorities are also seeking confiscation of his ill-gotten gains.
In addition to the criminal charges, Khoroshev was also sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), banning all Americans, including victims of LockBit ransomware attacks, from doing business with him.
One Bitcoin address associated with Khoroshev was added to the department’s list of “specially designated nationals.” Notably, our search results show that there have only been 2 transactions at this address, with the last transaction date being in 2021.
But law enforcement action against LockBit is not over yet. In February 2024, the National Crime Agency (NCA) and multinational law enforcement agencies carried out ‘Operation Kronos’ with the support of private intelligence agencies, inflicting a major blow to LockBit’s operations.
The operation resulted in the seizure of LockBit’s dark web site, hacking infrastructure, source code and cryptocurrency accounts, and the recovery of over 1,000 decryption keys to help victims recover their encrypted data. Two people were arrested and sanctions were imposed on the Russian LockBit affiliate.
According to Chainalysis, hundreds of active wallets were identified, along with 2,200 bitcoins worth about $110 million in unspent LockBit ransomware proceeds that had not yet been laundered and transferred.
Despite the charges and sanctions, Khoroshev remains active and continues to run LockBit, according to a March interview with The Record. Five other LockBit members were also charged with participating in the criminal activity, and at least one, Mikhail Vasiliev, a dual Russian-Canadian citizen, was sentenced to prison.
Khoroshev faces a total of 26 charges, including conspiracy to defraud, extortion, wire fraud, intentional damage to a protected computer, and extortion for information unlawfully obtained from a protected computer. If convicted, he could face up to 185 years in prison.