{ "id": "c1dc2a2e-cb3e-493a-aaa4-3a573dd6fda7", "created_at": "2026-04-06T00:21:31.627407Z", "updated_at": "2026-04-10T13:11:34.307372Z", "deleted_at": null, "sha1_hash": "f24f97152cf211689f7186ad5ebbb26a74032a7b", "title": "US unseals complaint against Russian-Israeli accused of working for LockBit", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 88177, "plain_text": "US unseals complaint against Russian-Israeli accused of working\r\nfor LockBit\r\nBy Alexander Martin\r\nPublished: 2024-12-20 · Archived: 2026-04-05 18:20:22 UTC\r\nThe U.S. unsealed a criminal complaint on Friday against a dual Russian and Israeli national who is accused of\r\nbeing a software developer for the LockBit ransomware group.\r\nRostislav Panev, 51, is currently detained in Israel, where the U.S. is seeking to have him extradited to face trial\r\non 40 counts, including for computer damage and extortion.\r\nAccording to the unsealed complaint, Panev worked for the cybercrime group from 2019 up until February 2024\r\n— the same month that law enforcement disrupted the LockBit scheme by seizing its darknet website and\r\ninfrastructure. \r\nThe complaint states that U.S. authorities had already developed significant independent evidence at the time of\r\nthe LockBit disruption linking Panev to a moniker used on a darknet cybercrime forum.\r\nSpeaking to the media following the lifting of a gag order yesterday, Panev’s lawyer, Sharon Nahari, told the\r\noutlet Ynet: “My client is a computer technician. His role was strictly limited to software development, and he\r\nwas neither aware of nor involved in the primary offenses he has been accused of, including fraud, extortion, and\r\nmoney laundering.”\r\nAccording to the complaint, an interview by Israeli authorities “yielded overwhelming evidence further\r\nestablishing PANEV’s role as a LockBit developer—and, specifically, as a developer of code for multiple LockBit\r\nbuilders and other critical LockBit facilities.”\r\nThe authorities also found Panev’s computer had access to the LockBit control panel, which they say was only\r\navailable to LockBit members who have undergone a vetting process and not to the general public.\r\n“Notably,” the complaint states, the panel included a handle to communicate with the panel's user on an\r\nunidentified decentralized, end-to-end encrypted messaging platform. The user's handle was \"FUCKFBI\"\r\nfollowed by other characters.\r\nA .onion domain was also discovered that hosted a Git repository — a tool for software developers to collaborate\r\non projects — that Panev is suspected of using to create several LockBit builders, the custom software used to\r\ngenerate the malware to infect the ransomware gang’s victims.\r\nAccording to the complaint, Panev has agreed to multiple voluntary interviews with Israeli authorities while in\r\ncustody during which time he admitted performing “multiple coding jobs for LockBit in exchange for\r\ncompensation.”\r\nhttps://therecord.media/us-unseals-lockbit-complaint-israel\r\nPage 1 of 3\n\nThese included writing code to disable Windows Defender antivirus; to propagate additional code throughout a\r\nnetwork via Windows Active Directory; and writing code “to print a given text on all printers on a given network\r\n(presumably, the LockBit ransom note).”\r\nPanev also told Israeli authorities that he was regularly paid $10,000 in cryptocurrency on a monthly basis — in\r\ntotal “at least approximately $230,000” — in exchange for his software development services, including code “for\r\nencryption malware and providing technical assistance.”\r\nThe complaint states that Panev claimed — dubiously, in the assessment of the U.S. authorities — that it was only\r\nover time he came to realise his work with LockBit may have been unlawful, although once he did he continued to\r\nwork for the group “for the money.”\r\nIsraeli judicial authorities are currently considering the U.S. extradition request.\r\nPanev’s arrest would be the latest in a series of law enforcement activities targeting the ransomware group’s\r\nassociates and affiliates. Several have been identified and arrested.\r\nOne, a Russian national called Aleksandr Ryzhenkov, was exposed and accused of also being one of the main\r\nmembers of the Evil Corp cybercrime group.\r\nFollowing the takedown, the cybercrime gang’s pseudonymous leader, LockBitSupp, was subsequently exposed as\r\nRussian national Dmitry Khoroshev. The U.S. indicted him and imposed financial sanctions, as did the United\r\nKingdom and Australia. LockBitSupp claimed the wrong man had been identified.\r\n“The arrest of Mr. Panev reflects the Department's commitment to using all its tools to combat the ransomware\r\nthreat,” said U.S. Deputy Attorney General Lisa Monaco. “We started this year with a coordinated international\r\ndisruption of LockBit — the most damaging ransomware group in the world. Fast forward to today and three\r\nLockBit actors are in custody thanks to the diligence of our investigators and our strong partnerships around the\r\nworld. This case is a model for ransomware investigations in the years to come.”\r\nhttps://therecord.media/us-unseals-lockbit-complaint-israel\r\nPage 2 of 3\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/us-unseals-lockbit-complaint-israel\r\nhttps://therecord.media/us-unseals-lockbit-complaint-israel\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://therecord.media/us-unseals-lockbit-complaint-israel" ], "report_names": [ "us-unseals-lockbit-complaint-israel" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434891, "ts_updated_at": 1775826694, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f24f97152cf211689f7186ad5ebbb26a74032a7b.pdf", "text": "https://archive.orkl.eu/f24f97152cf211689f7186ad5ebbb26a74032a7b.txt", "img": "https://archive.orkl.eu/f24f97152cf211689f7186ad5ebbb26a74032a7b.jpg" } }