{ "id": "e6f85834-92d8-46b4-a778-8ff183927ff4", "created_at": "2026-04-06T00:21:10.127542Z", "updated_at": "2026-04-10T03:33:15.639984Z", "deleted_at": null, "sha1_hash": "468f0610c5be313017fae57774aca11d6d481de5", "title": "US seeks extradition of alleged LockBit ransomware developer from Israel", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 83545, "plain_text": "US seeks extradition of alleged LockBit ransomware developer\r\nfrom Israel\r\nBy Alexander Martin\r\nPublished: 2024-12-19 · Archived: 2026-04-05 14:51:32 UTC\r\nThe United States is attempting to extradite an Israeli citizen, Rostislav Panev, who is charged with working as a\r\nsoftware developer for the LockBit ransomware group.\r\nPanev is accused of assisting LockBit between 2019 and 2024, according to the extradition request reported by\r\nYnet news. He was allegedly paid approximately $230,000 in bitcoin to develop tools for LockBit, including one\r\nthat printed ransom notes from any printers connected to the compromised system.\r\nA gag order relating to Panev’s extradition was lifted on Thursday, although he has been under arrest since August\r\n18. Authorities in the U.S. requested the gag order to prevent other LockBit suspects also under investigation from\r\nfleeing to Russia. It is not clear whether this was successful.\r\nLockBit extortion letters and digital wallets linked to Panev’s remuneration from the gang were allegedly\r\ndiscovered at his home in Haifa.\r\nPanev’s lawyer, Sharon Nahari, told Ynet: “My client is a computer technician. His role was strictly limited to\r\nsoftware development, and he was neither aware of nor involved in the primary offenses he has been accused of,\r\nincluding fraud, extortion, and money laundering.”\r\nThe arrest follows a law enforcement operation to disrupt LockBit earlier this year, when a week of revelations\r\nfollowed what Britain’s National Crime Agency described as an operation that provided “unprecedented”\r\nintelligence from the criminals’ infrastructure.\r\nIts pseudonymous leader, LockBitSupp, was subsequently exposed as a Russian national, Dmitry Khoroshev. The\r\nU.S. indicted him and imposed financial sanctions, as did the United Kingdom and Australia. LockBitSupp\r\nclaimed the wrong man had been identified.\r\nSeveral of the ransomware scheme’s affiliates have also been identified and arrested. One, a Russian national\r\ncalled Aleksandr Ryzhenkov, was exposed and accused of also being one of the main members of the Evil Corp\r\ncybercrime group.\r\nhttps://therecord.media/lockbit-suspect-rostislav-panev-us-seeks-extradition-israel\r\nPage 1 of 2\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/lockbit-suspect-rostislav-panev-us-seeks-extradition-israel\r\nhttps://therecord.media/lockbit-suspect-rostislav-panev-us-seeks-extradition-israel\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/lockbit-suspect-rostislav-panev-us-seeks-extradition-israel" ], "report_names": [ "lockbit-suspect-rostislav-panev-us-seeks-extradition-israel" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434870, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/468f0610c5be313017fae57774aca11d6d481de5.pdf", "text": "https://archive.orkl.eu/468f0610c5be313017fae57774aca11d6d481de5.txt", "img": "https://archive.orkl.eu/468f0610c5be313017fae57774aca11d6d481de5.jpg" } }