LockBit Hacker Suspects Unmasked in Global Law Enforcement Crackdown

Authorities announced the arrests of even more members of the notorious LockBit ransomware gang. Furthermore, the gang’s infrastructure was seized, and several alleged key actors were unmasked as part of a coordinated effort.

Law enforcement agencies from the UK, US and Europol ran a joint operation leading to the criminal enterprise’s disruption. LockBit is responsible for attacking more than 2,500 entities in over 120 countries.

Authorities Used Previously Seized Websites in Joint Operation

Authorities weaponized previously seized websites that were once in LockBit’s possession to unmask and arrest several individuals accused of involvement in the group’s malicious operations.

Among them was Aleksandr Viktorovich Ryzhenkov, a Russian national now publicly identified as a key figure not only in LockBit, but also in EvilCorp, another infamous cybercrime syndicate.

Ryzhenkov allegedly operated under the moniker “Beverley” and crafted more than 60 ransomware builds for LockBit. He was charged for his role in various cybercrime operations. Despite extortion attempts totaling at least $100 million, the charges brought against him by the US Department of Justice pertain to attacks involving BitPaymer ransomware rather than LockBit. His alleged ties to Evil Corp—a group with known links to Russian government cyberespionage—further elevate the significance of his arrest.

Three More Arrested in the UK and Spain

In the UK, authorities apprehended two individuals accused of supporting a LockBit affiliate. Concurrently, in Spain, law enforcement detained the suspected administrator of a bulletproof hosting service, which led to the seizure of nine servers linked to LockBit and, subsequently, the disruption of the gang’s infrastructure.

Authorities further alleged that Ryzhenkov, also known by the alias “mx1r,” had direct ties to UNC2165, a group believed to have evolved from EvilCorp. As the right-hand man of Evil Corp’s leader, Maksim Yakubets—who has a $5 million bounty on his head—Ryzhenkov was allegedly deeply embedded in this profit-driven organization, orchestrating large-scale ransomware campaigns and generating significant financial gains from their victims.

Operation Cronos Aims to Shut Down LockBit for Good

This series of arrests and disruptions is part of an extensive effort known as Operation Cronos. This joint law enforcement operation began in February and continues to chip away at the LockBit ransomware group.

Earlier this year, investigators disclosed Dimitry Yuryevich Khoroshev's real identity. Khoroshev is the alleged mastermind behind LockBit, also known as “LockBitSupp.” He is accused of amassing over $100 million from the gang’s victims. He is currently at large in Russia, and authorities are offering a $10 million reward for information leading to his capture.

LockBit-Linked Attack Volume in Freefall

Despite the high-profile arrests and seizures, LockBit continues to limp along, albeit with diminished capacity.

Earlier this year, in May, the group briefly resurfaced as the most active ransomware operation, though some experts believe this resurgence was more of a smokescreen to hide internal turmoil.

The number of attacks claimed by LockBit has dropped significantly in the past few months, with their last major announcement—a supposed hack of the US Federal Reserve—proven false when only data from a minor financial firm was leaked.