Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court

An alleged developer behind the LockBit ransomware was extradited from Israel on Thursday, according to the Justice Department.

The dual Russian-Israeli national — 51-year-old Rostislav Panev — was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks. 

“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” said U.S. Attorney John Giordano. 

Panev appeared in front of U.S. Magistrate Judge André Espinosa at a Newark, New Jersey, federal court on Thursday. He is facing 40 charges related to computer damage and extortion.

Since December, Justice Department officials have sought Panev’s extradition after a criminal complaint was unsealed last year accusing him of acting as a developer of the LockBit ransomware from 2019 to at least February 2024. 

Panev and others “grew LockBit into what was, at times, the most active and destructive ransomware group in the world,” prosecutors said, explaining that the gang attacked more than 2,500 victims in 120 countries.

The group attacked about 1,800 U.S.-based organizations including dozens of schools, hospitals, local governments, businesses and multinational corporations. LockBit members earned at least $500 million in ransoms until the group was disrupted in an international law enforcement operation last February. 

According to the DOJ, the group was split between affiliates who launched attacks and extorted victims while developers like Panev designed the code of the malware and maintained the infrastructure of the operation. The two groups would split ransom earnings. 

When Panev was arrested in August, prosecutors said law enforcement found his credentials “for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims.” 

Officers reportedly found an array of other tools used to facilitate attacks, including programs that allowed affiliates to siphon data out of victim systems and other operational control panels.

Panev is accused of sending direct messages to LockBit’s suspected primary administrator, Dimitry Yuryevich Khoroshev, known widely among cybercriminals as the gang’s frontman LockBitSupp. Khoroshev is still at large and the State Department issued a $10 million reward for information on him.  

Alleged contact with suspected leader

Panev is accused of sending direct messages to LockBit’s suspected primary administrator, Dimitry Yuryevich Khoroshev, known widely among cybercriminals as the gang’s frontman LockBitSupp. Khoroshev is still at large and the State Department issued a $10 million reward for information on him.  

“Court documents further indicate that, between June 2022 and February 2024, the primary LockBit administrator made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period,” the Justice Department explained in a statement.

The takedown of the LockBit ransomware gang was led by the U.K. National Crime Agency (NCA) in February 2024 and involved the seizure of the gang’s front-facing websites. 

A total of seven LockBit members have been charged in the District of New Jersey. Mikhail Vasiliev and Ruslan Astamirov pleaded guilty last year to conducting ransomware attacks on behalf of LockBit.

In addition to Khoroshev, Russian nationals Artur Sungatov and Ivan Kondratyev were also charged last year but remain at large. Mikhail Matveev, known by his hacker name Wazawaka, was indicted by U.S. authorities in May 2023 and was arrested in Russia in December 2024. Russian national Aleksandr Ryzhenkov was also exposed and accused of also being one of the main members of the Evil Corp cybercrime group.

The State Department also issued $10 million rewards for information on the whereabouts of Matveev and anyone else who may have been involved in LockBit.

U.S. law enforcement agencies have urged all past victims of LockBit to contact them because a decryptor for the ransomware has been developed thanks to the 2024 operation.

"No one is safe from ransomware attacks, from individuals to institutions. Along with our international partners, the FBI continues to leave no stone unturned when it comes to following LockBit's trail of destruction,” said Acting Special Agent in Charge of the FBI Newark Division Terence Reilly.

“We will continue to work tirelessly to prevent actors, such as Panev, from hacking their way to financial gain.”