LockBit Mystery: Unmasking the True Identity Behind the Ransomware Gang
Last week, the United States, in conjunction with the United Kingdom and Australia, charged and sanctioned Dmitry Khoroshev, believed to be the leader of the notorious ransomware group LockBit.
The person behind LockBit's public persona, known online by the pseudonym "LockBitSupp," quickly responded that the authorities had it wrong: he is not Khoroshev, and he expressed sympathy for a man who may now face problems because of a false accusation linking him to LockBit.
Brian Krebs, the journalist behind KrebsOnSecurity, set out to check the facts the authorities of the three countries relied on. In this piece we briefly review his investigation and the conclusions he reached from law-enforcement material and the findings of other independent researchers.
On May 7, the U.S. Department of Justice charged Khoroshev on 26 counts, including extortion, fraud, and conspiracy. Prosecutors allege that he created, operated, and distributed the LockBit ransomware to affiliates and personally collected more than $100 million over the group's lifetime; LockBit's total take across its roughly four years of operation is put at about half a billion dollars.
Investigators say Khoroshev ran LockBit under the ransomware-as-a-service (RaaS) model, keeping 20% of each ransom while the affiliates who deployed the malware took the remaining 80%. The U.S. Treasury Department's sanctions designation lists his known email addresses, home address, passport number, and even his tax identification number, which gave researchers concrete selectors to pivot on.
According to DomainTools.com, the email address sitedev5@yandex[.]ru was used to register several domains, among them tkaner[.]com, a business registered in Khoroshev's name whose website is a blog about clothing and fabrics.
A Constella Intelligence search on the phone number listed in Tkaner's registration records turned up several official documents tying that number to Dmitry Yuryevich Khoroshev.
Another domain registered with the same phone number, stairwell[.]ru, once advertised wooden staircases and is no longer online. DomainTools' historical records show that for several years this domain's registration carried the name "Dmitrij Ju Horoshev" (a transliteration of the same name) and the email address pin@darktower[.]su.
According to Constella Intelligence, that email address was used in 2010 to register an account with the hosting provider FirstVDS for a Dmitry Yuryevich Khoroshev from Voronezh. Intel 471, in turn, found the same address used by a Russian-speaking member called "Pin" on the English-language cybercrime forum Opensc, where Pin was especially active in 2012 discussing data encryption and ways to bypass Windows security mechanisms.
On the Antichat forum, "Pin" told others to reach him on ICQ at number 669316. According to Intel 471, that ICQ number was used in April 2011 to register on the Zloy forum under the name "NeroWolfe," with the email address d.horoshev@gmail[.]com and an IP address in Voronezh.
The "NeroWolfe" account reused the same passwords as the stairwell[.]ru registration and was registered on more than ten other cybercrime forums between 2011 and 2015. "NeroWolfe" described himself as a system administrator and C++ programmer and offered services installing malware and developing new ways to compromise web browsers.
In 2019, a user with the nickname "Putinkrab" began offering ransomware source code on the cybercrime forums XSS, Exploit, and UFOLabs. In April 2019 he launched an affiliate program with a 20/80 split of ransoms in the affiliates' favor. The last post under this nickname was made on August 23, 2019.
The Department of Justice states that the LockBit affiliate program launched five months later, allegedly run by Khoroshev under the pseudonym "LockBitSupp" and on the same 20/80 revenue split. The original LockBit ransomware was also written in C, a close relative of the C++ in which "NeroWolfe" advertised his expertise.
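The chain above is a textbook selector pivot: each hop ties two identifiers (an email, a phone number, a domain, a forum handle, an ICQ number) together through a registration or account record, until a forum persona is linked to a real name. The Python below, added here as an illustration and not part of the original article or of any tooling by Krebs or the named vendors, encodes the links exactly as the article reports them as a graph and searches it at different confidence thresholds. The confidence levels, the placeholder for the phone number the article does not print, and the two "inference" edges that cover the Putinkrab/LockBitSupp step are the editor's assumptions; the aim is to make visible where the chain stops being record-backed and starts being circumstantial.

```python
"""Selector-pivot graph for the Khoroshev attribution chain (added illustration)."""
from collections import deque

# Confidence levels are an editorial assumption, not a vendor score:
# registration/identity records vs. credential reuse vs. circumstantial inference.
STRONG, MEDIUM, INFERENCE = 3, 2, 1
LEVEL_NAME = {STRONG: "strong", MEDIUM: "medium", INFERENCE: "inference"}

# Placeholder: the article mentions Tkaner's registrant phone but does not print it.
TKANER_PHONE = "PHONE:<tkaner registrant phone>"
KHOROSHEV = "Dmitry Yuryevich Khoroshev"

# (selector_a, selector_b, how they are linked, who reported it, confidence).
# Selectors stay defanged as in the article; links restate its reporting only.
LINKS = [
    ("sitedev5@yandex[.]ru", "tkaner[.]com", "registrant email", "DomainTools", STRONG),
    ("tkaner[.]com", KHOROSHEV, "business registered in his name", "DomainTools", STRONG),
    ("tkaner[.]com", TKANER_PHONE, "registrant phone", "DomainTools", STRONG),
    (TKANER_PHONE, KHOROSHEV, "official documents", "Constella Intelligence", STRONG),
    (TKANER_PHONE, "stairwell[.]ru", "registrant phone", "DomainTools", STRONG),
    ("stairwell[.]ru", "Dmitrij Ju Horoshev", "name in WHOIS history", "DomainTools", STRONG),
    ("stairwell[.]ru", "pin@darktower[.]su", "email in WHOIS history", "DomainTools", STRONG),
    ("pin@darktower[.]su", KHOROSHEV, "FirstVDS account (2010)", "Constella Intelligence", STRONG),
    ("pin@darktower[.]su", "Pin", "Opensc forum account email", "Intel 471", STRONG),
    ("Pin", "ICQ:669316", "contact ICQ posted on Antichat", "KrebsOnSecurity", STRONG),
    ("ICQ:669316", "NeroWolfe", "Zloy registration (April 2011)", "Intel 471", STRONG),
    ("NeroWolfe", "d.horoshev@gmail[.]com", "Zloy registration email", "Intel 471", STRONG),
    ("NeroWolfe", "stairwell[.]ru", "password reuse", "KrebsOnSecurity", MEDIUM),
    # From here on the article's chain is circumstantial, not selector-based.
    ("NeroWolfe", "Putinkrab", "C/C++ skill set, ransomware development", "article", INFERENCE),
    ("Putinkrab", "LockBitSupp", "20/80 split, five-month timeline", "DOJ", INFERENCE),
]


def build_graph(links):
    """Undirected adjacency list: node -> [(neighbor, how, source, level)]."""
    graph = {}
    for a, b, how, source, level in links:
        graph.setdefault(a, []).append((b, how, source, level))
        graph.setdefault(b, []).append((a, how, source, level))
    return graph


def shortest_pivot_path(graph, start, goal, min_level=STRONG):
    """BFS using only links at or above min_level.

    Returns the hop list [(from, to, how, source, level), ...] of a shortest
    chain, [] if start == goal, or None if no chain of that quality exists.
    """
    if start == goal:
        return []
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        node, hops = queue.popleft()
        for nxt, how, source, level in graph.get(node, []):
            if level < min_level or nxt in seen:
                continue
            path = hops + [(node, nxt, how, source, level)]
            if nxt == goal:
                return path
            seen.add(nxt)
            queue.append((nxt, path))
    return None


def weakest_hop(path):
    """The lowest-confidence hop: where a defence lawyer would attack the chain."""
    return min(path, key=lambda hop: hop[4]) if path else None


def describe(path):
    if path is None:
        return "no chain at the requested confidence"
    return "\n".join(f"{a} -> {b}  [{how}; {src}; {LEVEL_NAME[lvl]}]"
                     for a, b, how, src, lvl in path)


if __name__ == "__main__":
    g = build_graph(LINKS)
    seed = "sitedev5@yandex[.]ru"   # the sanctions-listed email the article starts from
    for goal, lvl in [("NeroWolfe", STRONG), ("NeroWolfe", MEDIUM),
                      ("LockBitSupp", MEDIUM), ("LockBitSupp", INFERENCE)]:
        path = shortest_pivot_path(g, seed, goal, lvl)
        print(f"\n== {seed} -> {goal} using links >= {LEVEL_NAME[lvl]} ==")
        print(describe(path))
        if path:
            w = weakest_hop(path)
            print(f"weakest hop: {w[0]} -> {w[1]} ({w[2]}, {LEVEL_NAME[w[4]]})")
```

Run as-is, the search reaches "NeroWolfe" from the sanctions-listed email on record-backed links alone (six hops, routed through the real-name node that Constella and DomainTools both tie to the phone and email), shortens to four hops once password reuse is admitted, and cannot reach "LockBitSupp" at all without the inference edges. That last result is the honest summary of the article: the Khoroshev-to-NeroWolfe segment is evidence, the NeroWolfe-to-LockBitSupp segment is argument, and anyone reusing this kind of pivot in their own attribution work should keep the two clearly separated.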
It has not been definitively proven that Khoroshev is "LockBitSupp," but the activity tied to his identifiers over the years points to deep involvement in cybercriminal schemes around botnets, data theft, and malware. He demonstrated expertise in encryption and in building stealthy programs, exactly the skills that make someone sought after in the RaaS business.
In February 2024, the FBI and its partners in the long-running Operation Cronos, led by the UK's National Crime Agency, seized LockBit's dark-web infrastructure. Given the charges and sanctions against Khoroshev and other LockBit members, the authorities likely hold far more than they have published, and a mistaken identification seems improbable given the number of independent links converging on Khoroshev.
Shortly after the charges were announced, independent security researchers also published on Telegram dozens of payment cards and bank accounts linked to Khoroshev; accounts like these would be exactly what a large-scale extortion operation needs to move money discreetly.