Meet the leader of LockBit, the ‘most active ransomware gang ever’

Unmasking LockBit's mastermind could 'reignite leads' but also embolden the gang, experts say


Cybercrime hunters have unmasked the alleged leader of LockBit, a hacker network dubbed the “most active ransomware group ever.”

LockBit gained global notoriety for holding victims’ data to ransom and for its ransomware-as-a-service model, whereby it licenses malware to other hackers.

According to Europol, the gang was behind the world’s most deployed ransomware in 2022 — causing billions of euros worth of damage.

Among the high-profile victims are US aerospace giant Boeing, Britain’s Royal Mail and German automotive titan Continental. Russian entities, however, are notably absent from the list of targets.

It will therefore come as little surprise that the gang’s reputed mastermind is a Russian national.

In his online life, he used the alias LockBitSupp. In the real world, his name is Dmitry Khoroshev.

Dmitry Khoroshev, the administrator and developer of the LockBit ransomware group
Dmitry Khoroshev was unmasked to find new leads about his whereabouts. Credit: NCA

Who and where is LockBit’s leader?

Britain’s National Crime Agency (NCA) unmasked Khoroshev on Tuesday. The agency claimed that he served as the administrator and developer of LockBit.

Khoroshev was also suspected of penning a message declaring support for Donald Trump. The dubious endorsement emerged in February after a coalition of law enforcement agencies disrupted LockBit’s operations. The takedown compromised the gang’s “primary platform and critical infrastructure,” Europol said.

Just days later, LockBit’s purported leader wrote a post on the Dark Web blaming their “personal negligence and irresponsibility” for the infiltration. The message also included an apparent list of corporate victims and that dubious endorsement of Trump.

Khoroshev was so confident of his anonymity that he once promised a $10mn (€9.3mn) reward to anyone who could reveal his identity. By showing his face, the NCA has removed his veil.

The agency also hopes that the unmasking will lead to evidence about his whereabouts.

“The NCA has clearly come to a series of dead ends in their investigations and the unmasking of LockBit’s leader will potentially reignite a flurry of new leads,” Jake Moore, Global Cybersecurity Advisor at Slovakian software firm ESET, told TNW.

Graphic of the cybercrime agencies who have taken down LockBit
The February  which includes the takedown of 34 servers spanning Europe, the US, and Australia. Credit: NCA

Ransomware risks and rewards

US authorities have also promised up to $10mn (€9.3mn) for information that leads to Khoroshev’s arrest and/or conviction.

Due to his anonymity, the reward is likely targeted at Khoroshev’s inner circle, Moore said.

The eye-catching unmasking via a depixelating GIF could also encourage internet sleuths to join the case. But these very public tactics do come with a risk.

“Unmasking a cybercriminal can be very powerful but it can also have an adverse effect by flaming the ego of the individuals and bringing great kudos to their operations in underground forums and certain peer groups,” Moore said.

“However, the NCA has clearly weighed this up and feel certain that this is now the time to bring in public assistance.”

Moore expects the NCA to now quickly ascertain Khoroshev’s whereabouts. The bigger challenge will be gaining enough evidence to prosecute the LockBit leader and his ransomware gang.
