fotokitas - stock.adobe.com

LockBit gang members arrested in Poland and Ukraine

The UK’s National Crime Agency and its global partners have shared more details on their audacious takedown of the LockBit ransomware operation, including news of two arrests

Two suspected cyber criminals associated with the LockBit ransomware operation have been arrested in Poland and Ukraine as part of the audacious coordinated takedown of the crew’s infrastructure in Operation Cronos, news of which broke late on Monday 19 February.

The arrests were made at the request of the French judicial authorities and formed part of a 10-country multinational operation, led by the UK’s National Crime Agency (NCA) and involving the FBI and others. Other international arrest warrants and indictments have also been made by the French and US authorities.

The months-long operation led to the compromise of LockBit’s primary platform and the critical infrastructure that enabled its four-year crime spree.

The gang’s technical infrastructure is now under the control of the NCA, as is its dark web leak site on which they hosted the data they stole. The NCA said it is also in possession of LockBit’s source code, some victim data and, crucially, decryption keys, which it plans to use to help the gang’s victims. 

Other assets seized include multiple servers used by affiliates located across Europe and the US, including in the UK, and the gang’s bespoke exfiltration tool, StealBit, which was used to steal data.

The authorities have also frozen 200 cryptocurrency accounts linked to the gang and seized “vast” amounts of data to support future activities, including, it is hoped, targeting the leaders, developers and affiliates of LockBit.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners,” said NCA director general Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out”
Graeme Biggar, NCA

“As of today, LockBit are locked out. We have damaged the capability and, most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” said Biggar.

US attorney general Merrick Garland added: “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation.

“And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the justice department and its international partners have dismantled. It will not be the last.”

Indictments against LockBit conspirators

The US Department of Justice (DoJ) has also today unsealed indictments against two individuals – Artur Sungatov and Ivan Kondratyev (aka Bassterlord), both Russian nationals – who used LockBit ransomware against victims across the country. Additional criminal charges against Kondratyev are also being unsealed in the Northern District of California relating to a specific incident in 2020.

Sungatov and Kondratyev are accused of joining in the global LockBit conspiracy to develop and deploy ransomware and extort payments from victim organisations.

Their indictment brings the total number of individuals charged over LockBit activity in the US to five, following indictments unsealed in the past 18 months against three other Russian nationals – Mikhail Vasiliev, Mikhail Pavlovich Matveev and Ruslan Magomedovich Astamirov.

Vasiliev was arrested in Canada and charged in 2022, and his extradition to the US is pending. Matveev, who is suspected of attacking numerous victims, including the Metropolitan Police Department of the city of Washington DC, remains at large and has a $10m bounty on his head. Astamirov is in custody in the US and awaiting trial.

Read more about the LockBit takedown

Read more on Hackers and cybercrime prevention