{
	"id": "74a25a05-2291-453e-905b-85152c5a6c44",
	"created_at": "2026-04-06T02:12:46.783488Z",
	"updated_at": "2026-04-10T03:29:40.160613Z",
	"deleted_at": null,
	"sha1_hash": "4933c15575e93049ffd5668bdc86918ef3611289",
	"title": "In interview, LockbitSupp says authorities outed the wrong guy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 318089,
	"plain_text": "In interview, LockbitSupp says authorities outed the wrong guy\r\nBy Dina Temple-Raston\r\nPublished: 2024-05-09 · Archived: 2026-04-06 02:01:46 UTC\r\nThe leader of the LockBit ransomware gang, who goes by the name LockbitSupp, told Click Here in an interview\r\nthat international law enforcement has made a mistake: He is not Dmitry Yuryevich Khoroshev, the Russian\r\nnational they say is the mastermind of the group.\r\nU.S. and British authorities identified Khoroshev this week, releasing not just his name, but a picture that\r\nimmediately went viral of a young Russian with close-cropped hair and big biceps. He’s smiling sheepishly into\r\nthe camera in one photo and leaning against a pool table in another.\r\n“Identifying and charging Khoroshev is an immense achievement,” Principal Deputy Assistant Attorney General\r\nNicole Argentieri said in a statement on Tuesday. “Through the meticulous work of our investigators and\r\nprosecutors, we have unmasked the man behind LockBitSupp.”\r\nDmitry Khoroshev has now been sanctioned by the U.S., U.K. and Australia and was charged with 26 criminal\r\ncounts, including extortion and hacking. Taken together, they carry a maximum penalty of 185 years in prison.\r\nThe Justice Department has also offered a $10 million reward for information leading to his arrest.\r\nNot LockbitSupp? The U.S. wanted poster featured two photos of Dmitry Khoroshev.\r\nLockbitSupp told Click Here that law enforcement has attached the wrong person to his alias. He underscored the\r\npoint in an out-of-office message on the Tox messaging app. “The FBI is bluffing, I’m not Dmitry, I feel sorry\r\nfor the real Dmitry,” he wrote. “Oh, and he’ll get f**** for my sins.” (The asterisks are ours.)\r\nLockBit is one of the most prolific ransomware groups in the world, linked to thousands of attacks on hospital\r\nsystems, big corporations, cities, and critical infrastructure. 
LockbitSupp said the gang is still hard at work\r\nplanning new attacks despite the seizure of the group’s servers and infrastructure by international law enforcement\r\nin February. \r\nhttps://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit\r\nPage 1 of 7\n\nThe conversation, conducted over an encrypted messaging app and translated from Russian, has been edited for\r\nclarity and length. (You can hear more from the interview on Click Here’s Mic Drop on Friday.)\r\nCLICK HERE: So, tell us, are you Dmitry Khoroshev, the person law enforcement has identified\r\nas LockbitSupp?\r\nLOCKBITSUPP: No.\r\nCH: Khoroshev apparently lives in a modest apartment about 100 miles south of Moscow in a city called\r\nVoronezh … have you ever been there?\r\nLS: No.\r\nCH: Where were you when the National Crimes Agency and the Department of Justice unsealed the\r\nindictment against Dmitry Khoroshev?\r\nLS: I found out on the site of my former blog, which was despicably stolen by the FBI [in February when law\r\nenforcement seized LockBit’s servers].\r\nI’m very interested in how the FBI decided that I was Dmitry Khoroshev. How did they find this person — based\r\non what facts? Where is the proof? I always thought that the United States is a rule-of-law state, that without\r\nevidence you can’t accuse an innocent person. I was wrong.\r\nCH: Law enforcement appears, at least in part, to be reacting to information it unearthed during Operation\r\nCronos, when they seized LockBit’s servers in February. So maybe this Khoroshev is someone you know?\r\nLS: I do not know this person.\r\nCH: If it isn’t you, is he one of the people who works with you, perhaps one of your affiliates?\r\nLS: How do I know who this person is? 
My partners don't tell me their names.\r\nCH: In that same vein, now that the indictment is unsealed and there are pictures of Khoroshev that have\r\ngone viral, what are you telling the people who have been working with you?\r\nLS: That the FBI got it wrong.\r\nCH: What are affiliates saying to you about all of this?\r\nLS: Nothing. Everyone knows it's a mistake.\r\nCH: Are your competitors in the ransomware space — groups like AlphV, BlackCat, Clop, Royal —\r\nreacting? Do you see them trying to take advantage of and undermine your position as a leading\r\nransomware group?\r\nLS: What competitors? I don’t know of any worthy competitors, but I really want them to appear. It’s a pity to\r\nlook at the current “competitors.”\r\nCH: So you say you aren’t Khoroshev, do you have any proof that they’ve got the wrong guy?\r\nLS: Yes, but how? How can I convince the whole world that this person is not me?\r\nCH: Given all this attention LockBit seems to be getting from law enforcement, are you stepping back a\r\nbit? We’ve noticed that we’ve heard and seen less of you than we did at the beginning of the year.\r\nLS: I'm not reducing [attacks]. Spring is always less productive than winter. This is a seasonal phenomenon.\r\nCH: When the National Crime Agency said back in February that you had “engaged with law\r\nenforcement” what did they mean?\r\nLS: This is a bluff and an attempt to cause reputational damage. They cannot remove me. They want me to leave\r\non my own so that no one will work with me.\r\nCH: What does the future of LockBit look like now that law enforcement is clearly putting pressure on\r\nyou? What is your one-year and five-year goal?\r\nLS: The goal is the same as always: to attack 1 million companies. 
The pressure from law enforcement only\r\nmotivates me and makes me work harder.\r\nCH: What have you been up to since February 19, 2024?\r\nLS: Work.\r\nCH: Can you share details about what you’re working on right now?\r\nLS: I can't. I like to give surprises.\r\nCH: The last time we talked to you, you had been banned from two prominent Russian-language\r\ncybercrime forums. Any new developments on that?\r\nLS: I'm still looking for the administrator of xss.is. As long as I have several suspects, revenge is inevitable.\r\nCH: It looks like the National Crime Agency has access to what you’re doing now, with a new list of affiliate\r\nIDs who have registered since the takedown on February 24. What can you tell us about that?\r\nLS: I will say that they have the source codes. Thanks to the source codes, they gained access to the list of\r\npartners. I have already eliminated this shortcoming. Every time, I get stronger.\r\nCH: Did the National Crime Agency in the UK get your new ransomware, the Lockbit 4.0 upgrade, during\r\nthe takedown?\r\nLS: No.\r\nCH: We've also heard you have been targeting Chinese companies a bit more. Are you worried this is going\r\nto increase your risk from the FSB?\r\nLS: This is not true. We attack the whole world, everyone who comes into our hands.\r\nCH: Did you know about the RSA conference in the United States? Did you ever expect to be a big topic of\r\nconversation there?\r\nLS: I don’t know what kind of conference this is. I’m not interested. If they're discussing me and want to destroy\r\nme, then I’m on the right track.\r\nCH: Do you have a message to the world?\r\nLS: Join my affiliate program and get rich with me.\r\nCH: Anything else you’d like to say?\r\nLS: The FBI, like all law enforcement officers, lie and think only about their personal careers. They don’t care\r\nabout the fate of innocent people. 
The main thing for them is a bonus from their superiors and certificate of honor\r\nwith a new title and promotion.\r\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nSean Powers\r\nis a Senior Supervising Producer for the Click Here podcast. He came to Recorded Future News from the\r\nScripps Washington Bureau, where he was the lead producer of \"Verified,\" an investigative podcast. Previously, he\r\nwas in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced\r\nabout a dozen shows.\r\nJade Abdul-Malik\r\nis a producer for the Click Here podcast. She has worked on podcasts with Gimlet Media and Sony Music\r\nEntertainment and was a reporter for Georgia Public Broadcasting in Atlanta.\r\nSource: https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit"
	],
	"report_names": [
		"lockbitsupp-interview-ransomware-cybercrime-lockbit"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441566,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4933c15575e93049ffd5668bdc86918ef3611289.pdf",
		"text": "https://archive.orkl.eu/4933c15575e93049ffd5668bdc86918ef3611289.txt",
		"img": "https://archive.orkl.eu/4933c15575e93049ffd5668bdc86918ef3611289.jpg"
	}
}