Khoroshev or not Khoroshev? Could the FBI have made a mistake by linking the man to the LockBit ransomware empire?

Father

New details have brought more clarity to the case of the "great and terrible" LockBitSupp.

Last week, the United States, along with the United Kingdom and Australia, filed charges and imposed sanctions against Dmitry Khoroshev, who is considered the leader of the well-known extortion ring LockBit.

The real leader of LockBit, known online under the pseudonym "LockBitSupp", quickly commented on the law enforcement statements, claiming that the authorities were mistaken. Supposedly, this man has nothing to do with LockBit, and LockBitSupp feels sorry for him because of the problems he may now face due to the false accusations.

Researcher Brian Krebs of the KrebsOnSecurity portal decided to find out for himself what facts the authorities of the three countries relied on when they made their accusations. In this article, we briefly review his investigation and the conclusions he reached, based on information from law enforcement and other independent researchers.

On May 7, the U.S. Department of Justice indicted Khoroshev on 26 criminal counts, including extortion, fraud, and conspiracy. The authorities claim that Khoroshev created, used and distributed the LockBit ransomware virus among his affiliates, having managed to earn more than $100 million during the group's activity. Meanwhile, LockBit's total revenue over the four years of its existence was about half a billion dollars.

Federal investigators say that Khoroshev operated LockBit on the RaaS (ransomware-as-a-service) model, keeping 20% of each ransom while the remaining 80% went to the affiliates who spread the malware. The financial sanctions imposed on Khoroshev by the US Treasury Department list his known email addresses, home address, passport number, and even his tax ID.

According to DomainTools.com data, the email address "sitedev5@yandex[.]ru" was used to register several domains, including one for a business registered in Khoroshev's name, "tkaner[.]com", which is a blog about clothing and fabric.

A search on Constella Intelligence for the phone number listed in the Tkaner registration records turned up several official documents confirming that the number belongs to Dmitry Yuryevich Khoroshev.

Another domain registered to this phone number is "stairwell[.]ru", which previously advertised wooden stairs but is no longer active. DomainTools records show that for several years this domain's registration carried the name "Dmitrij Ju Horoshev" and the email address "pin@darktower[.]su".

According to Constella Intelligence, this address was used in 2010 to register an account for Dmitry Yuryevich Khoroshev of Voronezh with the hosting provider FirstVDS. In addition, Intel 471 found that the same address was used by a Russian-speaking member with the nickname "Pin" on the English-language cybercrime forum Opensc, where "Pin" was particularly active in 2012 and wrote about data encryption problems and bypassing Windows security mechanisms.

On the Antichat forum, the member Pin recommended being contacted via ICQ at number 669316. According to Intel 471, this ICQ number was registered on the Zloy forum in April 2011 under the name "NeroWolfe" with the address "d.horoshev@gmail[.]com" and an IP address from Voronezh.

The NeroWolfe account used the same passwords as the "stairwell.ru" account. Between 2011 and 2015, NeroWolfe introduced himself as a system administrator and C++ programmer, and offered services for installing malware and developing new ways to attack web browsers.

In 2019, a user named "Putinkrab" began offering ransomware source code on the XSS, Exploit, and UFOLabs cybercrime forums. In April 2019, this user launched an affiliate program with a 20/80 ransom split in favor of the partners. The last post from a user with this nickname was made on August 23, 2019.

The Department of Justice says that five months later the LockBit affiliate program was officially launched, allegedly led by Khoroshev under the pseudonym "LockBitSupp". In addition, the original LockBit encryptor was written in the C programming language, in which "NeroWolfe" was an expert.

It is not yet proven that Khoroshev is definitely "LockBitSupp", but all of his activities over the years point to deep involvement in various cybercrime schemes involving botnets, data theft and malware. Khoroshev demonstrated proficiency in encryption and in building stealthy programs, skills that clearly made him in demand in the RaaS industry.

In February 2024, the FBI seized LockBit's darknet infrastructure after the lengthy "Cronos" operation. Given the charges and sanctions against Khoroshev and other LockBit members, the authorities probably hold extensive information about the group's activities. They could hardly have made a mistake, given such numerous and obvious connections to Khoroshev.

In addition, shortly after the accusations against Khoroshev, several independent security researchers uncovered dozens of credit cards and bank accounts associated with him on Telegram. Such accounts would certainly be useful for covertly withdrawing funds after large-scale extortion operations.