LockBit takedown: Police shut more than 14,000 accounts on Mega, Tutanota and Protonmail

The law enforcement operation to dismantle the LockBit ransomware service has announced shutting more than 14,000 accounts on third-party services used by affiliated criminals.

Accounts on file-hosting service Mega and encrypted email providers Tutanota and Protonmail were used “for exfiltration or infrastructure,” according to a post on LockBit’s seized darkweb domain.

Analysis of these accounts by Europol’s European Cybercrime Centre showed that some were also used in attacks using other ransomware variants, indicating they were operated by affiliates — the hackers using the LockBit platform.

“With each account representing a conduit for ill-gotten gains, this coordinated action strikes at the heart of cybercriminal operations, severely hampering their ability to profit from their nefarious activities,” states the LockBit .onion site, now controlled by British officials.

A spokesperson for Proton did not immediately respond to Recorded Future News when contacted for comment. Mega’s representative said: “Mega has zero tolerance for illegal activity. While fiercely guarding the privacy of legitimate users, Mega will not be a haven for illegal activity.”

A spokesperson for Tuta Mail said its terms and conditions prohibited users from using its service for criminal acts: “When we receive notice of abuse of our system, we check and close the accounts immediately. This includes any activity that is considered as criminal activity under German law, which would apply to accounts from the LockBit ransomware gang.”

The spokesperson added that “when receiving requests by law enforcement we are usually not informed to what criminal case this refers to exactly, which would be the LockBit ransomware gang in this case. Thus, we can not state if and how many accounts we closed in relation to this announcement by the National Crime Agency.”

Read More: LockBit held victims’ data even after receiving ransom payments to delete it

The third-party account closures are the latest announcement in a week of action planned following the National Crime Agency (NCA) led operation that took down the gang’s infrastructure on Monday evening.

During a press conference in London on Tuesday morning, the NCA’s director general, Graeme Biggar, announced his agency had “gained unprecedented and comprehensive access to LockBit’s systems.”

Three alleged affiliates have already been arrested following the takedown, with more arrests planned for the future.

“This is a long-term process. We have now gathered an awful lot of information, we’ll be closing in on those individuals, particularly when they’re in jurisdictions that we can reach. But now all of them know that we’re on to them, and we’re looking for them, and they will be forever now looking over their shoulder,” said Biggar.

On Wednesday, the U.S. Department of State announced a $15 million reward for information leading to the arrest or conviction of any individual participating in the LockBit gang and for information leading to the identification or location of any key leaders of the group.