LockbitSupp identified as Dmitry Khoroshev and indicted for ransomware crimes
Editor’s Note: Story updated 3:45 p.m. Eastern U.S. time with additional details.
LockbitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev on Tuesday as the United States, United Kingdom and Australia imposed financial sanctions against him.
A 26-count indictment has been unsealed in the U.S. charging Khoroshev, 31, with developing and operating the LockBit ransomware service. He is accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”
The reveal of Khoroshev’s identity had been teased on the ransomware group’s own darknet extortion site, which was seized by the United Kingdom’s National Crime Agency (NCA) earlier this year. The site now hosts a wanted poster offering a reward of up to $10 million for information leading to his arrest and/or conviction.
According to the NCA, Khoroshev had “thrived on anonymity” and had himself “offered a $10 million reward to anyone who could reveal his identity.” In an interview with the Click Here podcast, he had claimed investigators had overstated how much they knew about him.
While the LockBit site had previously been used to publish stolen information from the ransomware gang’s victims, under the control of the NCA it is instead showing off how much information investigators have obtained from the service’s backend.
On Tuesday, police uploaded a wanted poster featuring two pictures of Khoroshev to the site, alongside posts detailing insights their investigation has produced so far.
Speaking to Recorded Future News on the sidelines of the RSA Conference in San Francisco, Brett Leatherman, the FBI's deputy assistant director for cyber operations, said “no Russian hacker should feel secure that they haven't been identified by the U.S. government.”
LockBit “represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals,” said FBI Director Christopher Wray in a written statement.
“The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable,” Wray added.
Untold damage
LockBit had been the most impactful and prolific ransomware-as-a-service (RaaS) organization in operation over the past four years. It monetized cyberattacks disrupting thousands of businesses worldwide, including Boeing and Royal Mail.
The ransomware service “caused untold damage to schools, hospitals and major companies across the world, who’ve had to pick up the pieces following devastating cyber attacks,” said the NCA's director general Graeme Biggar.
LockBit-linked cyberattacks had repeatedly sought to profit by risking lives, including by forcing two major hospitals in upstate New York to divert ambulances, and, just days before Christmas, attacking Toronto’s Hospital for Sick Children, causing diagnostic and treatment delays for its patients — as well as extraordinary distress for the families affected — because clinical teams were struggling to receive lab reports and imaging results.
Similar to software-as-a-service companies, RaaS gangs provide a platform to customers. The customers were hackers (known as “affiliates” within the ransomware ecosystem) who after breaching a victim, then paid to access a LockBit control panel from which they use the service to encrypt devices on the target network and/or steal data and threaten to publish it on the platform’s darknet site unless an extortion fee was paid.
LockBit claimed that the affiliate responsible for targeting the children’s hospital back in 2022 had been blocked. But according to the NCA, this was a lie and the affiliate received multiple ransom payments after this attack and “remained an active LockBit actor until our operation in February.”
LockBit consistently published the data of more victims who refused to pay a ransom to its darknet extortion site than any other outfit, over 2,000 according to the latest count — more than its closest three competitors (Conti, AlphV, Clop) combined.
Khoroshev is accused of creating an effective RaaS enterprise — functioning more as a chief executive than a support account or an administrator as his moniker implied.
According to Jon DiMaggio — the chief security analyst at Analyst1 who told the Click Here podcast about infiltrating the LockBit group — Khoroshev upended the ransomware ecosystem by putting affiliates in charge of the extortion negotiations, with an automated system in place that saw LockBit collect roughly 20% of the extortion fee as a commission.
The indictment alleges “Khoroshev alone allegedly received at least $100 million in disbursements of digital currency through his developer shares of LockBit ransom payments.”
A cold wind for criminals
The Russian national is the sixth LockBit member to be charged with participating in the LockBit conspiracy. Earlier this year in February, Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, were accused of deploying the ransomware against numerous victims.
Another suspect, Ruslan Magomedovich Astamirov, also a Russian national, is currently in custody awaiting trial over his alleged participation with the cyber extortion service following a criminal complaint filed in June of last year.
A month earlier, two indictments were unsealed against Mikhail Matveev, also known as “Wazawaka,” with using LockBit to attack a large number of victims in the United States.
Back in November 2022, a dual Russian-Canadian national called Mikhail Vasiliev was also accused of being a LockBit affiliate. Vasiliev is currently in custody in Canada awaiting extradition to the United States.
The FBI’s Leatherman said: “If you look at the indictments, the sanctions against Russian actors, all of these have effect because those actors now know that if they want a better life outside of Russia, if they want to travel and do business, if they want to travel and vacation elsewhere, if they are under indictment or sanctions in the United States, they can no longer do that. And that should serve as a deterrent. That should serve as kind of a cold wind in Europe.”
Despite the latest action, there remain affiliates who have historically been involved with LockBit.
"We still have to hold them accountable for targeting U.S.-based companies," Leatherman said. "There's still money out there that has been extorted from victims that are in the hands of criminals. We want to understand where that money is and, if there's any opportunity to, get that money back."
Philip Sellinger, the U.S. Attorney for the District of New Jersey, said: “Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe.
“He thought he could do so hidden by his notorious moniker ‘LockbitSupp,’ anonymous and free of any consequence, while he personally pocketed $100 million extorted from Lockbit’s victims. Through relentless investigation and coordination with our partners at the Criminal Division’s Computer Crime and Intellectual Property Section, the FBI and abroad, we have proven him and his coconspirators wrong.”
In an “Away” status message on the messaging service Tox, LockbitSupp has denied being Dmitry Khoroshev. “The FBI is bluffing, I’m not Dmitry, I feel sorry for the real Dmitry))) oh, and he’ll get fucked for my sins))),” the Tax account states.
Additional reporting from Click Here’s Sean Powers.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.