(Bloomberg) -- For years now, the leader of the ransomware gang LockBit, known as LockBitSupp, has been a provocative if mysterious presence on dark web forums.

He has goaded law enforcement authorities and aggressively recruited hackers from rival gangs. But his identity remained a mystery.

On Tuesday, however, US authorities revealed what they said was the identity of LockBit’s leader while indicting him for hacking-related crimes that carry a maximum penalty of 185 years in prison. 

His name is Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, described as the “creator, administrator and developer” behind the LockBit ransomware gang from its inception in 2019 to the present, according to US officials. 

LockBit is accused of attacking at least 2,500 victims, which included at least 1,800 located in the US, according to the indictment. Khoroshev and affiliate hackers associated with his gang successfully extorted approximately $500 million in ransom payments from their victims, the indictment alleges, adding that Khoroshev himself pocketed at least $100 million.

Khoroshev remains at large, and the State Department offered a $10 million reward for information leading to his arrest or conviction. His smiling photo is now posted on a LockBit dark web page that was previously commandeered by law enforcement.

 

“The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals,” FBI Director Christopher Wray said in a statement. “The charges announced today reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”

The action is the latest attempt from law enforcement agencies to disrupt the activities of LockBit, a prolific hacking gang that has extorted millions of dollars in payments from its victims. Since 2020, the group has targeted thousands of companies, including the Industrial & Commercial Bank of China, Boeing Co. and the UK’s Royal Mail.

LockBit’s success was due in part to exploiting the “ransomware-as-a-service” model, where a hacking group offers its malicious code to so-called affiliates who do the actual hacking and kick back a share of the illicit extortion payments. The group and its affiliates often demanded huge payments from their victims. In one case, the indictment alleges, LockBit demanded a $200 million payment from a multinational aeronautical and defense corporation headquartered in Virginia. It’s not clear whether the company, which isn’t named, paid out any amount.


Based on an analysis of data seized from LockBit’s servers, investigators have determined that the group – between June 2022 and February 2024 alone – may have been responsible for as many as 7,000 attacks, according to the UK’s National Crime Agency, which said that the top five countries affected were the US, UK, France, Germany and China. The gang targeted more than 100 hospitals and health-care companies, the UK agency said in a statement.

British and American law enforcement agencies had previously threatened to unmask “LockBitSupp,” who had acted as the group’s vocal spokesperson. They suggested that they knew the kind of car he was driving – a Mercedes – and hinted at his location, in Russia. But they had refrained from naming him. Khoroshev was so confident in his anonymity that in an online post in January, he said he would pay $10 million to anyone who could discover his identity.

In a message sent to Bloomberg News prior to the latest law enforcement action, the LockBit spokesperson — who identified himself as LockBitSupp — had vowed to continue his criminal campaign. The gang’s income was “down about 30%” since law enforcement seized some of the group’s websites in February, he said. “But that won’t stop me from continuing to work,” he said. “My business expense is paying for servers, one payout from one company is enough to pay for servers for 5 years, so even if my business becomes completely unprofitable I will continue to work just for fun.”

The spokesperson didn’t respond to requests for comment on Tuesday. But he changed his status on an encrypted messaging app to read, in Russian, “The FBI is bluffing, I’m not Dimon. I feel sorry for the real Dimon.” (Dimon is a colloquial form of Dmitry.)

The charges against Khoroshev are the latest effort by a coalition of law enforcement agencies to curb ransomware, which has flourished in recent years in part because the leaders of many of the hacking gangs are outside of the reach of Western law enforcement.


In February, the FBI, the UK National Crime Agency and other law enforcement agencies seized some of LockBit’s websites. Within a week of the takedown, LockBit relaunched a version of its dark web page. The gang has since posted more than 120 alleged victims on the website, which remains active. However, law enforcement officials say that many of the victims posted on LockBit’s new website were compromised before the takedown, while some of the other hacks were carried out by other groups.

The UK’s National Crime Agency has observed a 70% reduction in LockBit attacks in the country, an NCA official said in a phone briefing ahead of Tuesday’s announcement. As of last week, the official said, there had been six known LockBit attacks in the UK since mid-February and the targets were smaller organizations. That was indicative of hackers leaving LockBit or getting out of deploying ransomware altogether, the official said.

“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community,” said Graeme Biggar, the NCA’s director general. “The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.”

International law enforcement agencies have collectively reached out to about 3,800 of the gang’s victims – about 1,200 of whom are based in the US – offering help to unlock hacked computers, according to an FBI official. (During the February takedown, the agencies were able to seize LockBit’s decryption keys.)

Police are combing through the huge volume of data they say they gathered from LockBit’s internal servers in an effort to identify people who were working with the gang – not just hackers, but also software developers and money launderers, according to the NCA official.

Investigators obtained a list of nearly 200 “affiliates” involved with LockBit, who conducted hacks using generic usernames such as “John” and “Boyce.” The NCA official added that the agency has figured out the identities of a good number of the suspected hackers. While some were based in Russia, he said, some were in other locations that are more accessible to Western law enforcement agencies.


©2024 Bloomberg L.P.