Shutter2U - stock.adobe.com

NCA unmasks LockBitSupp cyber gangster who toyed with pursuers

The NCA and its partners have named the administrator of the LockBit ransomware gang, LockBitSupp, as Dmitry Khoroshev, who now faces sanctions and criminal charges

The National Crime Agency (NCA), alongside the global partner agencies that participated in Operation Cronos, the operation against the LockBit ransomware gang, have formally named the crew’s leader, administrator and key developer of LockBitSupp as Dmitry Khoroshev.

Khoroshev, who at one point teased his pursuers by offering a $10m reward to anybody who could successfully reveal his true identity, will be subject to a series of asset freezes and travel bans, and has also today been charged in the US with 26 offences relating to fraud, damage to protected computers and extortion. The US authorities are also offering a multimillion-dollar reward for information that might lead to his arrest and extradition.

“These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe,” said NCA director Graeme Biggar. “He was certain he could remain anonymous, but he was wrong.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community,” he added. “The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.

“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues.

“We are also now now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world,” said Biggar.

“Working with our international partners, we will use all the tools at our disposal to target other groups like LockBit, expose their leadership and undermine their operations to protect the public.”

Operation Cronos

The operation against the notorious LockBit ransomware gang, Operation Cronos, unfolded on 19 February 2024 in an NCA-led operation that saw the agency infiltrate its network and take over its services, including its dark web leak site.

The NCA today said that the ransomware-as-a-service operation conducted over 7,000 cyber attacks between June 2022 and February 2025, with victims including over 100 hospitals and healthcare organisations, and at least 2,110 victims being forced into some degree of negotiation.

Out of 194 affiliates identified as using LockBit’s services up until February 2024, this has now fallen to 69 as the group struggles to rebuild. Of those active affiliates, 148 conducted attacks and 119 engaged in negotiations with victims, although up to 114 affiliates, who would have paid thousands to join LockBit’s programme, never actually made any money from their criminality.

It also added that it had found multiple instances where the decryptor supplied by LockBit to victims that did pay never worked, and many others where LockBit failed to keep its “promise” to delete stolen data once paid.

The NCA said it was now in possession of over 2,500 decryption keys and was continuing to contact LockBit’s victims to offer support. It has so far identified and contacted 240 victims in the UK.

LockBit’s rebuild not going well

Meanwhile, the group’s attempt to rebuild over the past couple of months appears to be going badly, with the gang still running at limited capacity, and its new leak site being used to publicise victims attacked before the takedown, as well as trying to take credit for the crimes of others.

The NCA’s latest data suggests that the number of monthly LockBit attacks in the UK has dropped by 73% since late February, and those attacks that are occurring are being carried out by less sophisticated actors with much less impact.

“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cyber criminal community,” said Don Smith, vice-president of SecureWorks’ Counter Threat Unit.

“The psychological element of the action taken by law enforcement was extremely effective, the group’s efforts to re-establish its previous reputation have not gone particularly well. Today’s unmasking of Dmitry Khoroshev aka LockBit Supp, demonstrates the ability of law enforcement to deny cyber criminals the safety blanket of anonymity and place them at risk of arrest and prosecution if they travel out with their home country.”

Read more about the LockBit takedown

  • 19 February 2024: The notorious LockBit ransomware crew has been disrupted in an international law enforcement sting led by the UK’s National Crime Agency.
  • 20 February: The UK’s National Crime Agency and its global partners have shared more details on their audacious takedown of the LockBit ransomware operation, including news of two arrests.
  • 20 February: Reaction to the takedown of the LockBit ransomware gang is enthusiastic, but tempered with the knowledge that cyber criminals are often remarkably resilient.
  • 22 February: The LockBit ransomware gang was already on the ropes prior to the NCA-led takedown, according to security researchers.
  • 23 February: The NCA has teased details of the identity of LockBit's main admin via the gang’s compromised dark web site, and hinted that he has been engaging with law enforcement.
  • 26 February: The LockBit gang’s ringleader resurfaces with new infrastructure and new victims, claiming to have shrugged off a multinational police sting.
  • 12 March: Cyber experts confirm LockBit activity against vulnerable ScreenConnect instances but found found significant differences between previous LockBit attacks.
  • 3 April: LockBit is struggling to resume operations in part due to the name-and-shame aspect of the international law enforcement operation responsible for the gang's disruption.

Next Steps

What LockBitSupp charges mean for ransomware investigations

Read more on Hackers and cybercrime prevention