{ "id": "a15dcaaa-636a-43f0-b54a-a230536ca95b", "created_at": "2026-04-06T00:06:46.371573Z", "updated_at": "2026-04-10T03:26:47.161725Z", "deleted_at": null, "sha1_hash": "996b72e178f0b2940c00e457793353464f34a99d", "title": "LockBit leader unmasked and sanctioned", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3603962, "plain_text": "LockBit leader unmasked and sanctioned\r\nBy cms-user26\r\nArchived: 2026-04-05 21:45:04 UTC\r\nA leader of what was once the world’s most harmful cyber crime group has been unmasked and sanctioned by the\r\nUK, US and Australia, following a National Crime Agency-led international disruption campaign.\r\nThe sanctions against Russian national Dmitry Khoroshev\r\n(pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the\r\nFCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the\r\nAustralian Department of Foreign Affairs.\r\nKhoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could\r\nreveal his identity, will now be subject to a series of asset freezes and travel bans.\r\nUS partners have also unsealed an indictment against him and are offering a reward of up to $10m for information\r\nleading to his arrest and/or conviction.\r\nThe actions targeting Khoroshev form part of an extensive and ongoing investigation into the LockBit group by\r\nthe NCA, FBI, and international partners who form the Operation Cronos taskforce.\r\nLockBit provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates’, supplying them\r\nwith the tools and infrastructure to carry out attacks.\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 1 of 6\n\nIn February the NCA announced that it had infiltrated the group’s network and taken control of its services,\r\nincluding its leak site on the dark web, which compromised the entire criminal enterprise.\r\nThe true impact of LockBit’s criminality was previously unknown, but data obtained from their systems showed\r\nthat between June 2022 and February 2024, more than 7,000 attacks were built using their services. The top five\r\ncountries hit were the US, UK, France, Germany and China.\r\nPictured: the NCA took control of the group's services including its leak site on the dark web\r\nAttacks targeted over 100 hospitals and healthcare companies and at least 2,110 victims were forced into in some\r\ndegree of negotiation by cyber criminals.\r\nThe group has attempted to rebuild over the last two months, however the NCA assesses that as a result of this\r\ninvestigation, they are currently running at limited capacity and the global threat from LockBit has significantly\r\nreduced.\r\nLockBit have created a new leak site on which they have inflated apparent activity by publishing  victims targeted\r\nprior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using\r\nother ransomware strains.\r\nData shows that the average number of monthly LockBit attacks has reduced by 73% in the UK since February’s\r\naction, with other countries also reporting reductions. Attacks appear to have been carried out by less sophisticated\r\naffiliates with lower levels of impact.\r\nAs well as uncovering the real-world identity of LockBitSupp, the Operation Cronos investigation has given the\r\nNCA and partners a deep insight into LockBit’s operations and network.\r\nOf the 194 affiliates identified as using LockBit’s services up until February 2024:\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 2 of 6\n\n148 built attacks.\r\n119 engaged in negotiations with victims, meaning they definitely deployed attacks.\r\nOf the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.\r\n75 did not engage in any negotiation, so also appear not to have received any ransom payments.\r\nThis means up to 114 affiliates paid thousands to join the LockBit programme and caused unknown levels of\r\ndamage, meaning they will targeted by law enforcement, but never made any money from their criminality.\r\nActive affiliate numbers have also significantly reduced, to 69, since February.\r\nThe NCA uncovered numerous examples of attacks where the decryptor provided by LockBit to victims who had\r\npaid ransoms failed to work, and where they received no support from affiliates or LockBit, further highlighting\r\ntheir untrustworthiness.\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 3 of 6\n\nIn one affiliate attack against a children’s hospital in December 2022, LockBitSupp issued an apologetic statement\r\non their leak site and confirmed it had provided the decryptor to the victim for free.\r\nIt said the attacker had “violated our rules”, had been blocked and was no longer in their affiliate programme. In\r\nfact, they remained an active LockBit affiliate up until the February 2024 disruption, with NCA analysis showing\r\nthey went on to build 127 unique attacks, engage in 50 negotiations with victims and received multiple ransom\r\npayments.\r\nFinally, as was established by investigators, LockBit did not routinely delete stolen data once a ransom was paid.\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 4 of 6\n\nNCA Director General Graeme Biggar said: “These sanctions are hugely significant and show that there is no\r\nhiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he\r\ncould remain anonymous, but he was wrong.\r\n“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and\r\ncredibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 5 of 6\n\nsophisticated enterprise with significantly reduced impact.\r\n“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues.\r\nWe are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on\r\nschools, hospitals and major companies around the world.\r\n“Working with our international partners, we will use all the tools at our disposal to target other groups like\r\nLockBit, expose their leadership and undermine their operations to protect the public.”\r\nSanctions Minister, Anne-Marie Trevelyan said: “Together with our allies we will continue to crack down on\r\nhostile cyber activity which is destroying livelihoods and businesses across the world. \r\n“In sanctioning one of the leaders of LockBit we are taking direct action against those who continue to threaten\r\nglobal security, while simultaneously exposing the malicious cyber-criminal activity emanating from Russia.”\r\nSecurity Minister Tom Tugendhat said: “Cyber criminals think they are untouchable, hiding behind anonymous\r\naccounts as they try to extort money from their victims.\r\n“By exposing one of the leaders of LockBit, we are sending a clear message to these callous criminals. You cannot\r\nhide. You will face justice.”\r\nThe NCA and international partners are now in possession of over 2,500 decryption keys and are continuing to\r\ncontact LockBit victims to offer support. The Agency has so far proactively reached out to nearly 240 LockBit\r\nvictims in the UK.\r\nPublic reporting is absolutely vital in supporting global law enforcement to tackle ransomware effectively. If you\r\nare in the UK, you should use the Government’s Cyber Incident Signposting Site as soon as possible, for direction\r\non which agencies to report your incident to.\r\nThe Operation Cronos taskforce includes the NCA, the South West Regional Organised Crime Unit (SWROCU),\r\nand Metropolitan Police Service in the UK; FBI and the Department of Justice in the US; Europol, Eurojust, and\r\nlaw enforcement partners in France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol and Zurich\r\nCantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police\r\nAuthority), Canada (RCMP), and the Netherlands (National Police - Politie).\r\nThis operation was also supported by the National Bureau of Investigation in Finland.\r\n07 May 2024\r\nSource: https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned" ], "report_names": [ "lockbit-leader-unmasked-and-sanctioned" ], "threat_actors": [ { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434006, "ts_updated_at": 1775791607, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/996b72e178f0b2940c00e457793353464f34a99d.pdf", "text": "https://archive.orkl.eu/996b72e178f0b2940c00e457793353464f34a99d.txt", "img": "https://archive.orkl.eu/996b72e178f0b2940c00e457793353464f34a99d.jpg" } }