INVESTIGATION: Dmitry Khoroshev aka LockBit

[Mutt]

Introduction: Why this investigation is important​

In February 2024, the FBI and NCA publicly accused Dmitry Khoroshev from Voronezh of allegedly being LockBitSupp, the leader of one of the most notorious cybercriminal groups of our time. This statement caused a wide resonance in the professional community. I conducted an independent OSINT investigation based on unique and previously unpublished data, such as recovered messages from Khoroshev's Telegram account, data on the purchase of airline tickets, data on hotel stays, records of real estate transactions, employment and salaries of all members of his family. The results of the analysis do not simply refute the official version - they make it untenable from the point of view of logic, facts and common sense.

1. Key Findings: What I Discovered​

1.1. Real residential and living addresses - no staging​

Residential and delivery addresses:

• Voronezh, Kaliningradskaya st., 108, apt. 61
• Voronezh, Shishkova st., bldg. 72/5, apt. 165
• Voronezh, Pobedy blvd, 50, apt. 89
• Voronezh, Antonova-Ovseenko st., 31 (pick-up point)
• Voronezh, Mazlumova st., 25a (office building)

Housing characteristics: All properties are typical panel high-rise buildings or standard new buildings without security, barriers, concierges, underground parking. There is no attempt to hide the real address of residence. All orders (food, equipment, baby products, etc.) are made to these same addresses from the numbers of Dmitry and his wife. This is not a "legend", but real life.

1.2. Economy and consumption style​

Order details:

• The average bill is 500–2,000 rubles, large one-time purchases (up to 120,000 rubles) are home appliances.
• There is not a single purchase of luxury brands, expensive equipment, elite goods, or foreign deliveries.

Travel and Hotels:

• Economy class air tickets only, cheapest fares (V, X, O, U, B, E).
• All hotels are middle class, three stars (Sochi, Crimea).
• The only episode is Mövenpick Moscow Taganskaya (14,000 rubles/night) - a budget five-star hotel, an exception in 5 years.

Mining farm:

• Dmitry is assembling a farm on 6×3080 Ti + 6×3060 (approximate price is 10 thousand dollars), discussing in Telegram groups how to save 2-3 thousand rubles per year on electricity.
• Communication style: enthusiastic miner, counting every penny and worrying that the farm will not pay off.

2. Financial and property profile: no signs of wealth​

2.1. Real estate and cars​

• Apartment 81.4 m² in a nine-story panel building, shared ownership with parents and brother, sold in 2024.
• The wife owned an apartment of 43.5 m² and a small commercial space (80.4 m²).
• The land plots are ordinary summer cottages, not elite ones, costing 500 thousand–1.5 million rubles at market prices.
• Cars: Mazda 6 (2017), Geely Coolray (2023) — middle class, no luxury cars.

2.2. Financial activity​

• VIPGEO LLC: revenue for 2022 - RUB 1.01 million, net profit - RUB 29,000, salary - RUB 17,000/month.
• The company participated in 9 arbitration cases as a defendant, lost a significant portion (about 89%) with debts and collections (~935 thousand ₽ total amount of claims)
• There were 4 enforcement proceedings, including completed ones, the amount of claims as of April 2025 is about 93,600 ₽
• The company was liquidated with a note about the unreliability of the data , removed from the Unified State Register of Legal Entities on May 19, 2025.

3. Social and family context​

• Mother is a kindergarten teacher, father is a welder/mechanic, brother is convicted of drug offenses, wife is a salesperson at the grocery supermarket "Magnet".
• Everyone lives in an ordinary nine-story panel building, with no signs of elite consumption.

4. Digital footprint, technical and behavioral analysis​

• Phone +7 952 102-02-20 — used for all orders, bank notifications, government services, delivery, equipment, household goods. There is no attempt at anonymization, changing numbers, forged documents.
• Activity in Telegram - discussion of mining, shopping, saving.
• Important: Analysis of digital traces shows that Khoroshev is not just an "IT guy". His technical background and past activity indicate deep immersion in the field of malware development, participation in specialized forums, mastery of C/C++ and cryptography skills. In 2010-2016, he was known under various pseudonyms as an author and seller of malware, participated in discussions on bypassing Windows protections, and developed tools for the cybercriminal market.
• After 2016, his underground activity sharply declined, and his digital footprint became as mundane and transparent as possible.

5. Comparative analysis: why the FBI version does not stand up to criticism​

5.1 Profile Mismatch​

• No signs of wealth: There are no traces of large assets, luxury real estate, expensive cars, foreign trips, offshore companies, or crypto wallets in any aspect of Khoroshev’s life.
• No attempts to hide everyday life: All orders, deliveries, reservations are to real addresses that are easy to find.
• No signs of operational security: Open digital footprint, lack of basic precautions, which is not typical for the leader of a RaaS group.

5.2. Alternative versions​

• Technical contractor or architect: Khoroshev may have been brought in as a developer or consultant in the early stages, but did not manage the group or control the finances.
• "Drop" or facade: His digital footprint could have been used by the real leader of LockBit to divert attention.
• FBI Mistake: The FBI did not have access to Russian databases and household data, so it made a conclusion based on superficial digital matches.

6. Unique facts of the investigation​

• None of the residential addresses meet even the minimum level of security for a man allegedly owning tens of millions of dollars.
• All major purchases are household, not investment. There is not a single attempt to invest money in luxury real estate, expensive cars, or foreign assets.
• A mining farm is the most he could afford. Even here, there is constant saving, assembly errors, and discussions of payback at the level of 2–3 thousand rubles per year.
• Even Khoroshev's brother lives a little better - he has a 2019 Audi A4 and a mortgaged apartment. Dmitry himself is a man with a technical background and experience in the cyber underground, but no signs of wealth.

7. Conclusion: Dmitry Khoroshev is not LockBitSupp​

My analysis based on unique and verifiable data shows that Dmitry Khoroshev is not the leader of LockBitSupp. His digital footprint, finances, and lifestyle do not match the profile of a hacker group leader. The FBI version is wrong. However, given his technical background, experience working with malware, and activity in the cybercriminal community in 2010-2016, it cannot be ruled out that Khoroshev could have been involved in the early stages of LockBit development - as a technical architect, contractor, or consultant. After 2016, his role appears to have been minimal or formal, and his digital footprint has become as mundane and transparent as possible. Most likely, Khoroshev is a front man, a technical contractor, or simply a loser whose digital footprint was used by the real organizer of LockBit.

8. Appendices and supporting materials - in the archive and at the link https://justpaste.it/i0e64​

• Dmitry Khoroshev's dossier (published earlier https://justpaste.it/50dx0)
• Khoroshev's timeline and phone numbers
• Dossier of Alexander Khoroshev (brother) (in archive)
• Dossier of Ekaterina Kurdyumova-Khorosheva (wife) (in archive)
• Details of orders, calls, deliveries (full version - in the archive)
• Photos of all houses by delivery addresses and hotels
• Booking and flight ticket data
• Dossier on the Khoroshev family (in archive)
• Recovered messages from Telegram
• Brief analytical report on Khoroshev's mining farm
• Brief analytical report on the company Khorosheva OOO VIPGEO
• Brief analytical report on the Khoroshevs' real estate
• RAW data on breakouts (in archive)
• link to archive: (upon request)

9. Recommendations for the professional community​

• Conduct OSINT investigations taking into account real household and property traces, and not just digital matches.
• Check the versions of official bodies regarding the everyday and financial solvency of the persons involved.
• Use a comprehensive approach: analyze not only digital but also offline connections, biography, environment, lifestyle.

P.S. All materials are available for verification. If you have additional data or questions, please contact me to continue the investigation.

Note​

This investigation is based solely on the analysis of open sources, digital traces, official registries and verified data. None of the facts presented were fabricated or distorted. All conclusions can be verified by independent experts.

Contacts for communication:

X

Leges Artis

t.me

https://x.com/GangExposed_RU

Контрольный выстрел: Conti Leaks

Разоблачение киберпреступников. Эксклюзивные данные по Trickbot, Conti, Black Basta. Расследование личностей за которых объявлена награда $10M. Мы ставим точку в истории Conti.

t.me