Ukraine National Police
Police officers raiding the home of one of the suspects. Image: National Police of Ukraine

LockBit affiliates arrested in Ukraine, Poland

At least three affiliates of the notorious LockBit ransomware gang were arrested in Poland and Ukraine as part of the international takedown operation that began on Monday.

The announcements of the arrests came after the shutdown of LockBit's darknet website, which the group used to threaten victims and release their hacked data unless an extortion fee was paid.

Ukrainian cyber police said Wednesday they had arrested “a father and son” whose actions, supposedly on behalf of LockBit, “affected people, enterprises, state agencies, and healthcare institutions in France.”

While searching the suspects' apartments in the western Ukrainian city of Ternopil, the police confiscated their cell phones and computer gear, which they suspected were used to conduct cyberattacks.

In Poland, the police arrested a 38-year-old man in Warsaw. The alleged LockBit affiliate was taken to the prosecutor's office, where he was charged with criminal offenses. Polish authorities posted arrest footage on YouTube:

In both the Ukrainian and Polish cases, it is unclear what punishment the criminals will receive if found guilty.

More arrests are expected in the coming days as the international police said they have intelligence about who was using LockBit and the specific crimes they had committed. It is not clear which among those arrested were affiliates or part of the core LockBit gang.

Read More: LockBit held victims’ data even after receiving ransom payments to delete it

On Wednesday, the U.S. Department of State announced a $15 million reward for information leading to the arrest or conviction of any individual participating in the LockBit gang and for information leading to the identification or location of any key leaders of the group.

Earlier this week, the U.S. Department of Justice unsealed indictments against two alleged members of LockBit — Russian nationals Artur Sungatov and Ivan Kondratiev, an infamous hacker also known as Bassterlord. They allegedly used Lockbit ransomware against victims in the manufacturing, logistics, and insurance industries in five U.S. states and Puerto Rico, as well as in semiconductor and other industries around the world. The U.S. Treasury Department also announced on Tuesday that it’s sanctioning Sungatov and Kondratiev.

“The United States will not tolerate attempts to extort and steal from our citizens and institutions,” said Deputy Secretary of the Treasury Wally Adeyemo.”

Additionally, dual Russian-Canadian national Mikhail Vasiliev — who was charged in November 2022 for his alleged role in LockBit — is currently in custody in Canada awaiting extradition to the U.S., while Ruslan Astamirov is awaiting trial in the U.S. on charges filed last June related to deploying LockBit against victims in Florida, Kenya, France and Japan.

Another accused LockBit affiliate, Mikhail Matveev, also known as Wazawaka, has a $10 million bounty through the State Department’s Transnational Organized Crime Rewards Program following his indictment last May.

Operation Cronos

As a result of Operation Cronos announced Monday, law enforcement agencies from the U.S., U.K., and Europe seized at least 200 cryptocurrency accounts linked to LockBit criminals and took down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the U.S., and the U.K. The contents of crypto wallets have not yet been disclosed.

LockBit operated as ransomware-as-a-service, providing its platform to customers for a fee since 2019. Researchers at Recorded Future attributed nearly 2,300 attacks to this threat actor, making it the most prolific ransomware group in the world. The group received more than $120 million in ransom payments.

The group is known for its attacks on hospitals, including the hack of Canada’s largest children’s hospital during the 2022 Christmas season, as well as the attack on a hospital system that forced multiple facilities in Pennsylvania and New Jersey to cancel appointments.

LockBit takedown is the latest in a series of law enforcement actions targeting ransomware gangs — late last year, the FBI and other agencies took down sites and infrastructure belonging to Qakbot, Rangar Locker and other groups.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.