In interview, LockbitSupp says authorities outed the wrong guy
The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake: He is not Dmitry Yuryevich Khoroshev, the Russian national they say is the mastermind of the group.
U.S. and British authorities identified Khoroshev this week, releasing not just his name, but a picture that immediately went viral of a young Russian with close cropped hair and big biceps. He’s smiling sheepishly into the camera in one photo and leaning against a pool table in another.
“Identifying and charging Khoroshev is an immense achievement,” Principal Deputy Assistant Attorney General Nicole Argentieri said in a statement on Tuesday. “Through the meticulous work of our investigators and prosecutors, we have unmasked the man behind LockBitSupp.”
Dmitry Khoroshev has now been sanctioned by the U.S., U.K. and Australia and was charged with 26 criminal counts, including extortion and hacking. Taken together, they carry a maximum penalty of 185 years in prison. The Justice Department has also offered a $10 million reward for information leading to his arrest.
Not LockbitSupp? The U.S. wanted poster featured two photos of Dmitry Khoroshev.
LockbitSupp told Click Here that law enforcement has attached the wrong person to his alias. He underscored the point in an out of the office message on the Tox messaging app. "The FBI is bluffing, I’m not Dmitry, I feel sorry for the real Dmitry,” he wrote. “Oh, and he’ll get f**** for my sins.” (The asterisks are ours.)
LockBit is one of the most prolific ransomware groups in the world, linked to thousands of attacks on hospital systems, big corporations, cities, and critical infrastructure. LockbitSupp said the gang is still hard at work planning new attacks despite the seizure of the group’s servers and infrastructure by international law enforcement in February.
The conversation, conducted over an encrypted messaging app and translated from Russian, has been edited for clarity and length. (You can hear more from the interview on Click Here’s Mic Drop on Friday.)
CLICK HERE: So, tell us, are you Dmitry Khoroshev, the person law enforcement has identified as LockbitSupp?
LOCKBITSUPP: No.
CH: Khoroshev apparently lives in a modest apartment about 100 miles south of Moscow in a city called Voronezh … have you ever been there?
LS: No.
CH: Where were you when the National Crimes Agency and the Department of Justice unsealed the indictment against Dmitry Khoroshev?
LS: I found out on the site of my former blog, which was despicably stolen by the FBI [in February when law enforcement seized LockBit’s servers.
I’m very interested in how the FBI decided that I was Dmitry Khoroshev. How did they find this person — based on what facts? Where is the proof? I always thought that the United States is a rule-of-law state, that without evidence you can’t accuse an innocent person. I was wrong.
CH: Law enforcement appears, at least in part, to be reacting to information it unearthed during Operation Cronos, when they seized LockBit’s servers in February. So maybe this Khoroshev is someone you know?
LS: I do not know this person.
CH: If it isn’t you, is he one of the people who works with you, perhaps one of your affiliates?
LS: How do I know who this person is? My partners don't tell me their names.
CH: In that same vein, now the the indictment is unsealed and there are pictures of Khoroshev that have gone viral, what are you telling the people who have been working with you?
LS: That the FBI got it wrong.
CH: What are affiliates saying to you about all of this?
LS: Nothing. Everyone knows it's a mistake.
CH: Are your competitors in the ransomware space — groups like AlphV, BlackCat, Clop, Royal — reacting? Do you see them trying to take advantage of and undermine your position as a leading ransomware group?
LS: What competitors? I don’t know of any worthy competitors, but I really want them to appear. It’s a pity to look at the current “competitors.”
CH: So you say you aren’t Khoroshev, do you have any proof that they’ve got the wrong guy?
LS: Yes, but how? How can I convince the whole world that this person is not me?
CH: Given all this attention LockBit seems to be getting from law enforcement, are you stepping back a bit? We’ve noticed that we’ve heard and seen less of you than we did at the beginning of the year.
LS: I'm not reducing [attacks]. Spring is always less productive than winter. This is a seasonal phenomenon.
CH: When the National Crime Agency said back in February that you had “engaged with law enforcement” what did they mean?
LS: This is a bluff and an attempt to cause reputational damage. They cannot remove me. They want me to leave on my own so that no one will work with me.
CH: What does the future of LockBit look like now that law enforcement is clearly putting pressure on you? What is your one-year and five-year goal?
LS: The goal is the same as always: to attack 1 million companies. The pressure from law enforcement only motivates me and makes me work harder.
CH: What have you been up to since February 19, 2024?
LS: Work.
CH: Can you share details about what you’re working on right now?
LS: I can't. I like to give surprises.
CH: The last time we talked to you, you had been banned from two prominent Russian-language cybercrime forums. Any new developments on that?
LS: I'm still looking for the administrator of xss.is. As long as I have several suspects, revenge is inevitable.
CH: It looks like the National Crime Agency has access to what you’re doing now, with a new list of affiliate IDs who have registered since the takedown on February 24. What can you tell us about that?
LS: I will say that they have the source codes. Thanks to the source codes, they gained access to the list of partners. I have already eliminated this shortcoming. Every time, I get stronger.
CH: Did the National Crime Agency in the UK get your new ransomware, the Lockbit 4.0 upgrade, during the takedown?
LS: No.
CH: We've also heard you have been targeting Chinese companies a bit more. Are you worried this is going to increase your risk from the FSB?
LS: This is not true. we attack the whole world, everyone who comes into our hands.
CH: Did you know about the RSA conference in the United States? Did you ever expect to be a big topic of conversation there?
LS: I don’t know what kind of conference this is. I’m not interested. If they're discussing me and want to destroy me, then I’m on the right track.
CH: Do you have a message to the world?
LS: Join my affiliate program and get rich with me.
CH: Anything else you’d like to say?
LS: The FBI, like all law enforcement officers, lie and think only about their personal careers. They don’t care about the fate of innocent people. The main thing for them is a bonus from their superiors and certificate of honor with a new title and promotion.
Hear more from LockbitSupp on Click Here:
Dina Temple-Raston
is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”
Sean Powers
is a Senior Supervising Producer for the Click Here podcast. He came to the Recorded Future News from the Scripps Washington Bureau, where he was the lead producer of "Verified," an investigative podcast. Previously, he was in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced about a dozen shows.
Jade Abdul-Malik
is a producer for the Click Here podcast. She has worked on podcasts with Gimlet Media and Sony Music Entertainment and was a reporter for Georgia Public Broadcasting in Atlanta.