{ "id": "d81376ae-acca-473b-89b2-4f91df6bf5bd", "created_at": "2026-04-06T00:08:25.34069Z", "updated_at": "2026-04-10T03:26:47.143408Z", "deleted_at": null, "sha1_hash": "507319d10bcb5f332fb5f404a024eeaa0774a125", "title": "LockBit ransomware gang has over $110 million in unspent bitcoin", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3403916, "plain_text": "LockBit ransomware gang has over $110 million in unspent bitcoin\r\nBy Ionut Ilascu\r\nPublished: 2024-02-23 · Archived: 2026-04-05 15:30:52 UTC\r\nThe LockBit ransomware gang received more than $125 million in ransom payments over the past 18 months, according to\r\nthe analysis of hundreds of cryptocurrency wallets associated with the operation.\r\nFollowing the LockBit takedown in Operation Cronos, the National Crime Agency (NCA) in the U.K. with support from\r\nblockchain analysis company Chainalysis identified more than 500 cryptocurrency addresses being active.\r\nLockBit's money\r\nAfter hacking LockBit’s infrastructure, law enforcement obtained 30,000 Bitcoin addresses used for managing the group’s\r\nprofits from ransom payments.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nMore than 500 of these addresses are active on the blockchain and received over $125 million (at current Bitcoin value)\r\nbetween July 2022 and February 2024.\r\nThe investigation found that more than 2,200 BTC - more than $110 million at today’s exchange rate, remained unspent\r\nwhen LockBit was disrupted.\r\nA press release from the NCA today notes that “these funds represent a combination of both victim and LockBit payments”\r\nand that a significant part of this money represents the 20% fee that affiliates paid to the ransomware developers.\r\nThis means that the total figure for the ransoms victims paid to avoid a data leak is “far, far higher,” the NCA explains.\r\n(As the agency highlighted, the threat actor did not always delete stolen data, or all of it, even if the victim paid the ransom)\r\nThe law enforcement agency says that the amounts discovered in the investigation indicate that the actual ransom totals are\r\nin the hundreds of millions.\r\nIt is worth highlighting that the impressive amounts are representative only of 18 months of LockBit’s cybercriminal\r\nactivity.\r\n“Given that confirmed attacks by LockBit over their 4 years in operation total well over 2,000, this suggests that their impact\r\nglobally is in the region of multi-billions of dollars” - UK’s National Crime Agency\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nPage 3 of 5\n\nLockBit had $110+ million in 2,200 unspent bitcoins\r\nsource: NCA\r\nIn mid-June 2023, America’s Cyber Defense Agency (CISA) said that LockBit was responsible for 1,700 ransomware\r\nattacks in the U.S. since 2020 and the gang extorted victims of $91 million.\r\nThe NCA also said that taking over LockBit's infrastructure led to the discovery of 85 cryptocurrency exchange accounts,\r\nnow restricted by Binance, with hundreds of thousands of USD worth of crypto assets.\r\nAlmost four years in the game\r\nLockBit emerged in September 2019 (as ABCD) and focused on high-profile organizations such as Boeing, the UK Royal\r\nMail, Continental, Bangkok Airways, and Accenture.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nPage 4 of 5\n\nIt became the most active ransomware group, being responsible for most attacks of this type in 2023, switching between\r\nmultiple file encrypting malware over the years (LockBit 2.0, LockBit 3.0, LockBit Green) and a new one in the works.\r\nAt the time of its disruption, the LockBit group was also the oldest on the ransomware scene, and likely one of the largest\r\nwith close to 200 affiliates.\r\nLaw enforcement in 10 countries collaborated to take control of the threat actor’s infrastructure, coordinate the disruption,\r\ncollect information from the servers, make arrests, and impose sanctions.\r\nAlthough the hackers' infrastructure is controlled by law enforcement, the leaders of the group and most affiliates are yet to\r\nbe identified.\r\nThe U.S. State Department is offering up to $15 million in rewards to anyone who can provide information about LockBit\r\nransomware gang members and their partners.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/" ], "report_names": [ "lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin" ], "threat_actors": [ { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434105, "ts_updated_at": 1775791607, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/507319d10bcb5f332fb5f404a024eeaa0774a125.pdf", "text": "https://archive.orkl.eu/507319d10bcb5f332fb5f404a024eeaa0774a125.txt", "img": "https://archive.orkl.eu/507319d10bcb5f332fb5f404a024eeaa0774a125.jpg" } }