{
	"id": "213d7a88-9fb4-4fc1-a216-6e35d27addf9",
	"created_at": "2026-04-06T00:06:30.225807Z",
	"updated_at": "2026-04-10T03:26:47.163044Z",
	"deleted_at": null,
	"sha1_hash": "fc8c072aefe0d245ae0671cb0bfdedaf636576b3",
	"title": "LockBit Takedown \u0026 Operation Cronos: A Long-Awaited PsyOps Against Ransomware | Analyst1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2448680,
	"plain_text": "LockBit Takedown \u0026 Operation Cronos: A Long-Awaited PsyOps\r\nAgainst Ransomware | Analyst1\r\nBy Anastasia Sentsova\r\nPublished: 2024-02-29 · Archived: 2026-04-05 18:43:34 UTC\r\nContributor: Jon DiMaggio.\r\nOperation Cronos\r\nHis name was Cronos, the youngest leader of the first generation of Titans. He overthrew his father and ruled\r\nduring the mythological Golden Age until he was overthrown by his son, Zeus, and imprisoned in Tartarus.\r\nTartarus is the place in the underworld where souls are judged after death and the wicked receive divine\r\npunishment. \r\nThis is the Greek mythological story about Cronos, the name of which was likely chosen for the most epic\r\noperation against ransomware known to this day. On February 20, 2024, the taskforce “Operation\r\nCronos,” comprising of NCA, FBI, Europol, and others, including the public sector, announced the takedown of\r\none of the most prolific ransomware groups, LockBit. According to the Europol statement, the months-long\r\noperation has resulted in the compromise of LockBit’s data leak site and other critical infrastructure that enabled\r\ntheir criminal enterprise. This included the takedown of 34 servers in the Netherlands, Germany, Finland, France,\r\nSwitzerland, Australia, the United States and the United Kingdom.\r\nWe’ve seen various actions taken against ransomware in the past, including arrests, seizures, sanctions, and other\r\nmeasures. However, the approach chosen by law enforcement for this LockBit takedown is notably different. It\r\nseems that a new strategy was employed this time, involving PsyOps (Psychological Operations). 
In our blog, we\r\nwill summarize the takedown events, discuss LockBit’s comeback and actors’ response, and analyze details of this\r\noperation that represent an effective strategy for combating ransomware this time and moving forward.\r\nOn February 19, 2024, the LockBit data leak site used for the double-extortion technique displayed a seizure\r\nbanner. The message left by law enforcement stated, “We can confirm that LockBit’s services have been\r\ndisrupted. Return here for more information at 11.30 GMT on Tuesday 20th Feb.” The following day,\r\nLockBit’s data leak site appeared as usual with the same interface but with one slight adjustment. Instead of the\r\nusual list of cards displaying claimed victims, placeholders for victims contained a series of announcements about\r\nactions taken and details uncovering LockBit’s operations. Some of the information was published by law\r\nenforcement on February 20, 2024, and the rest was scheduled to be shared during the next four days, ironically and,\r\nof course, intentionally mirroring the countdown approach used by actors when threatening to leak their victims’\r\ndata.\r\nhttps://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/\r\nPage 1 of 9\n\nFigure 1: LockBit data leak site displays a seizure banner\r\nSource: Analyst1\r\nOverall data shared with the public included press releases, screenshots of the LockBit backend infrastructure,\r\ninternal chats, information relating to decryption keys law enforcement acquired, arrest announcements of\r\nsuspects in Poland and Ukraine, details of operations such as the takedown of the StealBit exfiltration tool used\r\nduring attacks, and analysis of blockchain activity related to ransom payment proceeds. 
Reports by the cyber\r\nsecurity companies Trend Micro and Prodaft, who assisted in the investigation, were also provided.\r\nMore significantly, law enforcement teased they planned to release the real-world identity of the person behind the\r\nLockBitSupp persona, who is a key member of the LockBit syndicate. According to law enforcement’s post on the\r\nseized webpage, seen below, they planned to release the information on February 23, 2024.\r\nFigure 2: A teaser of LockBitSupp identity reveal with a countdown set to be announced on\r\nFebruary 23, 2024\r\nSource: Analyst1\r\nThe intrigue surrounding the revelation of LockBitSupp’s identity is just one component of a broader PsyOps\r\ncampaign orchestrated by law enforcement. Indeed, when combating ransomware, success isn’t solely achieved by\r\ntargeting the technical aspect of the actor’s ecosystem. The NCA statement also confirmed this: “As of today,\r\nLockBit are locked out. We have damaged the capability and most notably, the credibility of a group that\r\ndepended on secrecy and anonymity.” After all, behind ransomware are real humans who, in fact, already have\r\nmastered psychological manipulation, not only of their victims but also of the informational landscape, including\r\nsocial media and traditional media outlets. This time, perhaps, it was law enforcement’s turn to play mastermind\r\ngames publicly.\r\nIn our next section, let’s look at what tactics were used to target human vulnerabilities of actors.\r\nTakedown Tactics\r\nTo understand the effectiveness of law enforcement’s PsyOps campaign, it’s essential to delve into two key\r\ncomponents pivotal to the success of ransomware operations: brand reputation and interpersonal relationships\r\namong actors. 
Additionally, analyzing LockBitSupp’s response is essential to gauge the impact of the takedown.\r\nGiven LockBitSupp’s outspoken nature, it was unsurprising that they issued a statement shortly after the\r\ntakedown. This analysis of the LockBitSupp reaction offers valuable insights into the efficacy of the PsyOps\r\ntactics deployed. Moreover, their response unveils the psychological triggers that resonated most strongly with\r\nransomware actors. Below is a visual reflecting the tactics used to target each key component, which we will\r\nelaborate on in detail.\r\nFigure 3: Takedown tactics used to target non-technical key components crucial for LockBit\r\noperations\r\nSource: Analyst1\r\n1. Undermine Brand \u0026 Leader’s Credibility\r\nBrand reputation is paramount for ransomware groups, particularly those operating under the RaaS (Ransomware-as-a-Service) model. Establishing a solid reputation is crucial to attracting affiliates who are vital figures in\r\ngenerating revenue. This brand recognition and reputation is predominantly built across two key fronts: DarkWeb\r\nvisibility and media coverage.\r\nThroughout LockBit’s four-year operation, the group established a strong presence on the DarkWeb. The group\r\nalso had no problem receiving widespread media attention globally, contributing to the group’s notoriety in the\r\nbroader public sphere. Indeed, the more attention a ransomware group receives in the media, the more it solidifies\r\nits image as a formidable threat. 
This visibility can instill fear and urgency among potential victims, increasing the\r\nlikelihood of ransom payouts.\r\nDuring the week following the takedown announcement, the tone of reporting on LockBit shifted significantly.\r\nInstead of highlighting the group’s notoriety and its latest high-profile victims as usual, numerous articles praised\r\nLockBit’s defeat and revealed details that undermined its infamous status. For instance, reports surfaced regarding\r\nLockBit’s promise to delete victims’ data upon payment of ransom, uncovered by law enforcement during the\r\ninvestigation. According to the NCA statement, “Some of the data on LockBit’s systems belonged to victims who\r\nhad paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that\r\ndata will be deleted, despite what the criminals have promised.” \r\nWith this information uncovered and presented to the world, law enforcement again emphasized the importance of\r\nnot trusting ransomware actors. However, this message may resonate even more firmly this time, encouraging\r\nransomware victims to exercise greater caution in their decision-making process. The revelation further\r\ndiminishes the likelihood of ransom payouts for LockBit, whose credibility was undermined by their “promise” to\r\ndelete data. LockBitSupp’s response, as expected, denied these allegations by stating, “These people dare to lie\r\nabout me supposedly not deleting stolen information of companies after paying the ransom, clowning around.”\r\nIn addition to exposing LockBit operations, the announcement of revealing the identity of LockBitSupp was a\r\ndeliberate tactic aimed at undermining a leader’s credibility. This move is indeed strategic, as in the case of\r\nLockBit, the LockBitSupp persona is closely tied to the group itself. 
In regular business, such a strategy is often\r\nreferred to as “CEO branding” or “personal branding.” This approach can be advantageous as it adds a human\r\nelement to the brand and enhances trust and credibility (from affiliates in our LockBit case). However, it can also\r\npose risks, as any negative publicity or damage to the leader’s reputation can directly impact the company’s\r\nimage. So, by targeting and defeating LockBitSupp directly, the entire enterprise’s reputation is compromised.\r\nThis strategy was also intended to induce anxiety for LockBitSupp and, as a result, for all individuals involved in\r\nLockBit’s operations. The looming threat of exposing LockBitSupp’s identity was aimed at triggering\r\npsychological consequences that could disrupt their focus and decision-making. This strategy was used to exploit\r\nthe actors’ vulnerability by instilling fear and uncertainty, compromising the group’s operational efficiency.\r\nThe reveal of LockBitSupp’s identity didn’t happen as promised on February 23, 2024 (perhaps left for a better\r\nmoment). Even so, this tactic succeeded in applying psychological pressure on the actor, who also openly\r\nadmitted to feeling personally targeted. “I wonder why the alpha, revil, hive blogs were not designed so nicely?\r\nWhy weren’t their deanons published? Even though the FBI knows their identities? Strange isn’t it? Because\r\nwith such stupid methods FBI is trying to intimidate me and make me stop working.” \r\nInstead, the “Who is LockBitSupp” card was updated with details of information about the actor, stating that law\r\nenforcement is aware of where they live, what car they drive, and even stating that LockBitSupp is, in fact,\r\ncooperating with law enforcement, once again undermining LockBit’s leader’s reputation and creating distrust\r\namong its members. 
Creating distrust among its members was another tactic, which we will discuss in the next\r\nsection.\r\nFigure 4: Message left for LockBitSupp providing details of their identity\r\nSource: Analyst1\r\n2. Create distrust among LockBit members\r\nLockBitSupp stands out for the significant visibility that the actor has across the DarkWeb and their active\r\nengagement within the underground community. Known for their creativity, LockBitSupp orchestrated\r\nvarious interactive events, such as the “Summer Paper Contest” announced in June 2020 and the LockBit tattoo\r\ncontest in September 2022. During the latter event, LockBitSupp offered a reward of around $1,000 to anyone\r\nwilling to get a tattoo featuring the LockBit logo.\r\nOperation Cronos couldn’t be more timely considering recent events that unfolded not in favor of LockBit and\r\nthe challenges they faced. Shortly before the announcement, on January 30, 2024, LockBitSupp was banned from\r\ntwo top-tier Russian-speaking DarkWeb forums following a complaint from a forum member. Interestingly, law\r\nenforcement referenced this incident in one of the announcement cards directed at LockBit, adding a layer of irony\r\nto the situation and LockBit’s personal shame. In our earlier blog, we discussed details of the ban event.\r\nCheck out the full blog “This Forum is a Bunch of Communists and They Set Me Up”, LockBit Spills the Tea\r\nRegarding Their Recent Ban on Russian-Speaking Forums\r\nFigure 5: One of the announcement cards reminding of LockBit’s recent ban\r\nSource: Analyst1\r\nWith these recent events and the law enforcement takedown, LockBit’s favorable position within the underground\r\ncommunity is now at risk of significant decline. The backlash from LockBit’s members may stem from their\r\nleader’s inability to protect their infrastructure as promised, thereby jeopardizing all members. 
Details shared\r\nduring the takedown included the publication of various information exposing these individuals. For instance, a\r\nscreenshot of the admin panel revealed the monikers of nearly 200 LockBit members. Additionally, the\r\nannouncement by The Justice Department (DOJ) regarding the indictment of two suspected LockBit members,\r\nArtur Sungatov and Ivan Kondratyev, also known as Bassterlord, adds to the complexity of the event.\r\nDespite the severity of the situation, LockBitSupp’s response appears to be dismissive: “I didn’t pay much\r\nattention to it, because for 5 years of swimming in money I became very lazy.” This attitude is certainly not the\r\nmost effective approach to addressing such a major setback. In addition, in their statement, LockBitSupp\r\nattempted to downplay the law enforcement investigation, casually denying the role of those arrested or indicted and\r\nthe importance of intelligence obtained, “The generated nicknames of the partners, which have nothing to do\r\nwith their real nicknames on forums and even nicknames in messengers, not deleted chats with the attacked\r\ncompanies and accordingly wallets for money, which will be investigated and searched for all those who do not\r\nlaunder crypto, and possibly arrest people involved in laundering and accuse them of being my partners,\r\nalthough they are not. 
All of this information has no value because it is all passed to the FBI and without\r\nhacking the panel, after every transaction by insurance agents or negotiators.”, also denying the reveal of\r\nBassterlord’s identity, stating that law enforcement named the wrong person, “Basssterlord is not caught, I\r\nknow Basssterlord’s real name, and it’s different than the poor guy the FBI caught.”\r\nFigure 6: Screenshot of admin panel with the list of LockBit’s monikers\r\nSource: Analyst1\r\nThis dynamic has the potential to further escalate and strain interpersonal relationships between actors, especially\r\nconsidering that some group members face consequences while the key member remains free, both physically and\r\nin terms of their identity not being publicly exposed. This distrust is also likely to be exacerbated by the apparent\r\nrepercussions faced by other LockBit members. Moreover, the insinuation from law enforcement about\r\nLockBitSupp’s potential cooperation doesn’t bolster their credibility either.  \r\nIn our next section, we will analyze how legal implications can exert pressure on LockBit’s operations and discuss\r\nwhy they are significant.\r\n3. Add pressure through legal matters\r\nAccording to the DOJ announcement, a U.S. indictment charged two individuals with attacks on multiple U.S. and\r\ninternational victims. These two individuals, Artur Sungatov and Ivan Kondratyev, were both identified as Russian\r\nnationals residing in Russia.\r\nThe pursuit of ransomware actors through legal avenues presents both challenges and opportunities in the fight\r\nagainst cybercrime. Despite the global dispersion of these actors, the implementation of indictments and sanctions\r\nserves as a powerful tool for applying pressure and disrupting their illicit operations. 
While concerns exist\r\nregarding the cooperation of certain jurisdictions, such as Russia, the initiation of indictments can still have\r\nsignificant repercussions for ransomware actors, potentially drawing unwanted attention from their own\r\ngovernments. Previously hidden in the shadows of the underground, these actors suddenly might find themselves\r\nunder intense scrutiny from their own state, leaving them with little freedom. Just this alone can be an incredibly\r\npowerful tool for applying pressure.\r\nFurthermore, targeting cryptocurrency assets enhances the effectiveness of law enforcement efforts. Thus, as part\r\nof the takedown, Operation Cronos Crypto Analysis revealed and seized multiple assets identified to have been\r\nused by actors to receive and launder ransom payment proceeds. By employing the appropriate tools for\r\nblockchain analysis, law enforcement can effectively disrupt ransomware operations by depriving actors of their\r\nillicit profits. This undermines their financial capabilities and sends a strong message of deterrence to other\r\ncybercriminals.\r\nIn response to law enforcement actions and the unveiling of blockchain analysis, LockBitSupp attempted to\r\ndiscredit the evidence presented, “I really dislike that all such throw-ins are made without publishing\r\ntransactions and wallets, thus it is impossible to verify what is true. You can accuse me of anything without\r\nproving anything, and there is no way I can refute it, because there are no transactions and bitcoin\r\nwallets.” Indeed, losing the battle on this front and their illicit profits are probably what hits actors the most. \r\nWith this ongoing battle, the question remains: what is LockBit’s next move, and will they survive? 
In our\r\nconcluding section, we will analyze what the future might hold for LockBit.\r\nWhat the Future Holds for LockBit?\r\nOperation Cronos is one of several takedown operations executed against ransomware criminals over the past\r\nseveral years. Previous law enforcement operations targeted ransomware adversaries such as DarkSide, REvil,\r\nHive, and BlackCat. While most of these efforts disrupted the criminals’ operations significantly, some led to the\r\ncriminal’s demise. Other groups chose to rebrand and rebuild their operations from scratch, using new monikers to\r\nmask their previous criminal identities. On rare occasions, like the current situation with LockBit and previously\r\nwith BlackCat, ransomware groups attempt to weather the storm and maintain their brand.\r\nThere is no question that Operation Cronos delivered a significant blow to the LockBit ransomware program.\r\nHowever, now, LockBit is trying to restore its operation and wants to prove to the world that it’s still the top-running ransomware gang. Its quick return was no surprise to Analyst1 based on our long-running relationship\r\nwith the real-world person leading the gang, who is a narcissist with an immense ego. With the threat of prison\r\nand a lifetime of having to look over his shoulder, you would think, why doesn’t he simply walk away? The\r\nanswer can be summarized in one word… vengeance.\r\nTo obtain the revenge it seeks, in the coming months, we expect LockBitSupp will encourage its affiliates to prey\r\non high-profile targets, including Fortune 500 companies, hospitals, government, and other organizations that will\r\nallow the gang to profit and make headlines, which it desperately needs to restore its once untarnished criminal\r\nbrand. Additionally, the actor will almost certainly update its ransom payload, which has not seen a refresh since\r\nJune of 2022 and will retool its operation with updated resources. 
Understand that LockBit considers the\r\ntakedown personal, which, in our opinion, it was. After years of making statements to Analyst1’s Jon DiMaggio,\r\nsuch as “You and the FBI are too dumb to catch me”, it appears law enforcement wanted to make an\r\nexample of the group and all who support it, which they did. The following points detail how this was achieved:\r\n1. The taskforce “Operation Cronos” did not just seize LockBit’s infrastructure; it gained access to all of\r\nLockBitSupp’s private and often sensitive operational conversations from the Tox communication\r\napplication the gang uses to discuss day-to-day operations.\r\n2. Law enforcement collected information on all of LockBit’s affiliates from the ransomware admin panel,\r\nincluding IP logs, ransom negotiations logs, decryption keys, and obtained cryptocurrency addresses used\r\nto launder ransom payment proceeds.\r\n3. The integrity of the group’s infrastructure was harmed significantly, raising concerns about further law\r\nenforcement compromise of LockBit’s operations. This is due to visibility into LockBit’s infrastructure and\r\nintelligence that was obtained that would allow silently watching and collecting information on its criminal\r\nparticipants and the gang’s operations.\r\n4. Most significantly, Operation Cronos invoked doubt and fear amongst the criminal community who trusted\r\nLockBit to keep their anonymity and operational security safe. LockBitSupp failed them and possibly\r\nhimself. Law enforcement may not have publicly deanonymized LockBitSupp, but it implied that\r\nLockBitSupp cooperated with them in order to keep his identity private.\r\nFor these reasons, LockBit’s recovery will be challenging, and it has much to overcome to accomplish a\r\nmeaningful return, let alone to successfully enact the vengeance it so desperately seeks. 
Still, we should not\r\ndiscount LockBit as the actor has proved to be a worthy adversary and has overcome significant challenges in the\r\npast. Further, law enforcement must be ready for round two of this fight, as all signs indicate that LockBit is now\r\nmore motivated than ever. Analyst1 will be watching, continuing to report on our analysis of LockBit and\r\nsupporting the war against ransomware!\r\nAbout Analyst1\r\nThreat intelligence teams often struggle to bridge the gap from insight to action. Analyst1 is the Orchestrated\r\nThreat Intelligence Platform designed to resolve this issue. It automatically organizes threat data, links it to your\r\nassets and vulnerabilities, and customizes views for different roles. Analyst1’s orchestration layer streamlines\r\nworkflows and automates reliable actions by integrating with SIEM, ticketing, and vulnerability management\r\nsystems. From Fortune 500 financial institutions to national security agencies, enterprises trust Analyst1 to unify\r\ntheir defenses, significantly reducing their response time from days to minutes.\r\nSource: https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/"
	],
	"report_names": [
		"lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc8c072aefe0d245ae0671cb0bfdedaf636576b3.pdf",
		"text": "https://archive.orkl.eu/fc8c072aefe0d245ae0671cb0bfdedaf636576b3.txt",
		"img": "https://archive.orkl.eu/fc8c072aefe0d245ae0671cb0bfdedaf636576b3.jpg"
	}
}