LockBit was not simply the most prolific ransomware group of its era — it was in many ways the most professionally managed. It ran like a corporation: a core developer team maintained the malware and infrastructure, a global network of independent affiliates executed attacks and received 80% of ransom proceeds, and a charismatic administrator known as LockBitSupp communicated publicly, ran marketing campaigns, offered a bug bounty program, and built a brand that was as much about psychological dominance over victims as technical capability. Dismantling that required more than seizing servers.
LockBit's Rise: From ABCD Ransomware to Global Dominance
LockBit emerged in September 2019 under the designation "ABCD ransomware," named for the file extension appended to encrypted files. The rebrand to LockBit came in January 2020 as the group professionalized and centralized communications through a Tor site. What followed was five years of relentless development, affiliate recruitment, and attack volume that made LockBit the single most active ransomware brand in the world for multiple consecutive years.
LockBit 2.0, released in mid-2021, was the first major evolution. It introduced StealBit — a bespoke data exfiltration tool that automated the theft of victim data before encryption, enabling the double-extortion model at scale. The 2021 attack on Accenture — suspected to have involved an insider — demonstrated the group's willingness and ability to target the largest organizations on the planet. An ESXi Locker variant released in October 2021 expanded targeting to Linux and VMware hypervisors.
LockBit 3.0, also known as LockBit Black, arrived in 2022 with further enhancements and a feature no ransomware group had ever offered: a formal bug bounty program. LockBitSupp invited security researchers to submit vulnerability reports in exchange for payments ranging from $1,000 to $1 million. The group also offered $1 million to anyone who could identify the real identity of any LockBit member — an inversion of the security community's own practices and a pointed message about the group's confidence in its anonymity. The offer of a tattoo payment ($1,000 to anyone who got a LockBit tattoo) was marketing theater, but it made global news. LockBit Green, a 2023 variant, incorporated source code from the disrupted Conti ransomware operation.
By 2022, LockBit was the most active global ransomware group by victim count. CISA estimated that, at the peak, LockBit accounted for roughly one in five ransomware breach site posts. The operation had 194 documented affiliates, of whom 119 had deployed attacks. Between June 2022 and February 2024 alone — the period documented in seized infrastructure — more than 7,000 attacks occurred. Over the group's full operational life, it attacked more than 2,500 victims in at least 120 countries, including 1,800 in the United States. Victims included hospitals, schools, critical infrastructure operators, government and law enforcement agencies, and major corporations across every sector. Total ransom extraction is documented by the DOJ at a minimum of $500 million, with broader damage estimates in the billions.
LockBit's affiliate model was distinctive in a key respect: affiliates received ransom payments directly before remitting the group's share. All other major RaaS operations of the period paid operators first and then disbursed to affiliates — a model that created inherent distrust and exit-scam risk. LockBitSupp's decision to pay affiliates first was a deliberate trust-building mechanism that contributed directly to the operation's ability to attract and retain skilled affiliates at scale. Understanding this is essential to understanding why Operation Cronos specifically targeted the group's credibility alongside its infrastructure.
LockBit's claimed ethics rules were another reputation management tool. The group publicly declared targets off-limits — healthcare organizations, government emergency services, and children's hospitals — and in a rare move issued an apology and provided a free decryptor after an affiliate hit the Hospital for Sick Children in Toronto in 2022. Whether these rules were consistently followed by the affiliate network is doubtful; what matters is that they were a PR strategy designed to moderate law enforcement attention and maintain the brand's appeal to affiliates who wanted operational cover.
Operation Cronos: The Technical Seizure
Operation Cronos was a months-long covert investigation led by the UK's National Crime Agency (NCA), working in close coordination with the FBI, Europol, and Eurojust. The taskforce included law enforcement contributions from ten countries: the United Kingdom (NCA, Metropolitan Police, SWROCU), the United States (FBI, DOJ), France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol, Zurich Cantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police Authority), Canada (RCMP), the Netherlands (National Police), and Finland (National Bureau of Investigation). Private sector partners including Trend Micro, Prodaft, and Secureworks contributed technical intelligence. The operation's name was a deliberate choice — Cronos, the titan who defeated his father by consuming time itself, was an apt reference for an operation designed to dismantle a group that had believed itself untouchable.
The technical access that made the seizure possible exploited a critical PHP vulnerability, CVE-2023-3824, which can cause a stack buffer overflow leading to memory corruption or remote code execution. LockBitSupp himself later confirmed to forum members that this was the entry vector, and many threat actors in underground forums discussed the irony of a ransomware operator who ran a bug bounty program being compromised through an unpatched web application vulnerability on their own infrastructure.
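The entry vector above is a patch-management failure, and the corresponding defensive check is an inventory of PHP builds against the fixed releases. The script below is an added example, not code from the briefing or from any of the agencies it describes. It parses `php -v` banners collected from hosts and flags builds that still fall in the affected ranges. The fix thresholds (8.0.30, 8.1.22, 8.2.8) are taken from the PHP release notes as the author recalls them and are an assumption to confirm against php.net; the banners themselves are constructed sample input.

```python
import re

# Assumed fixed releases for CVE-2023-3824 (phar stack buffer overflow), per the PHP
# release notes as recalled here; verify against php.net before relying on them.
# Branches older than 8.0 were end-of-life when the fix shipped and are treated as affected.
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

VERSION_RE = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no PHP version found in banner: {banner!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_to_cve_2023_3824(version: tuple) -> bool:
    """Return True when the upstream version falls inside an affected range.

    Caveat: distributions that backport security fixes (for example a vendor-patched
    7.4 or 8.1.2) will be reported as affected here; confirm against the vendor
    changelog before acting on such a hit.
    """
    major, minor, patch = version
    if major < 8:
        return True          # unsupported branches never received the fix
    if major > 8:
        return False         # 9.x and later postdate the fix
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return minor < 0     # 8.3+ was released after the fix: not affected
    return version < fixed


def assess_hosts(banners: dict) -> list:
    """Map {hostname: php -v banner} to the sorted list of hosts still affected."""
    affected = []
    for host, banner in banners.items():
        if is_vulnerable_to_cve_2023_3824(parse_php_version(banner)):
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory standing in for `php -v` output gathered from a fleet.
SAMPLE_BANNERS = {
    "web-01": "PHP 8.2.7 (cli) (built: Jun  8 2023 17:58:32) (NTS)",
    "web-02": "PHP 8.2.8 (cli) (built: Jul  6 2023 10:22:11) (NTS)",
    "legacy-01": "PHP 7.4.33 (cli) (built: Nov  2 2022 14:00:12) (NTS)",
    "api-01": "PHP 8.1.21 (cli) (built: Jun  8 2023 12:11:20) (NTS)",
    "api-02": "PHP 8.3.0 (cli) (built: Nov 21 2023 09:41:05) (NTS)",
}

if __name__ == "__main__":
    for host in assess_hosts(SAMPLE_BANNERS):
        print(f"{host}: PHP build affected by CVE-2023-3824, patch required")
```

Run it against real `php -v` output collected by your configuration-management tool; the version comparison is on tuples, so pre-release suffixes in the banner are ignored and only the numeric release is judged.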
At 4:00 PM ET on February 19, 2024, law enforcement took simultaneous action across multiple jurisdictions. Over the following 12 hours:
- 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom were seized. 28 additional servers belonging to LockBit affiliates were taken down.
- LockBit's primary data leak site — the dark web platform used for double-extortion — was seized and placed under NCA control.
- The affiliate panel, which affiliates used to manage attacks, configure ransomware builds, and track victim negotiations, was compromised and seized.
- StealBit — LockBit's bespoke data exfiltration tool, used to automate pre-encryption data theft — was seized along with all its supporting server infrastructure, located across three countries.
- 14,000 rogue accounts involved with data exfiltration or the group's infrastructure were closed.
- 200 cryptocurrency accounts linked to LockBit and its affiliates were frozen, coordinated by Europol.
- Over 1,000 decryption keys were obtained from seized systems, enabling victim recovery without ransom payment.
- Two LockBit affiliates were arrested — one in Poland, one in Ukraine — as part of Europol-coordinated actions running concurrently with the infrastructure seizure.
- Two indictments were unsealed by the DOJ against Russian nationals Artur Sungatov and Ivan Kondratyev (alias Bassterlord) for deploying LockBit against US businesses and international victims.
The NCA also seized LockBit's source code, including LockBit-NG-Dev — an in-development version of the ransomware that Trend Micro subsequently analyzed. Its key finding was that the new version was being rewritten in .NET Core, a platform-agnostic framework, signaling LockBit's intent to further broaden its cross-platform targeting capability before the operation interrupted that development.
The Psychological Operations Campaign
What distinguished Operation Cronos from previous ransomware disruptions was the decision not simply to seize LockBit's infrastructure but to use it against the group. Rather than displaying a standard law enforcement seizure notice, the NCA repurposed LockBit's own leak site — maintaining its visual format — and filled the victim cards where stolen data had previously been listed with a series of countdown timers. Each timer led to a press release, indictment, arrest announcement, or operational disclosure. Law enforcement turned LockBit's signature extortion aesthetic — the countdown to data release — into a countdown to its own exposure.
"This NCA-led investigation is a ground-breaking disruption of the world's most harmful cybercrime group. Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out." — NCA Director General Graeme Biggar, February 20, 2024
Among the announcements cascading from the seized site was a card with a countdown labeled "Who is LockBitSupp?" — a direct reference to LockBitSupp's own $1 million offer for anyone who could expose a LockBit member's identity. The reveal card was populated not with a name but with details about how much law enforcement knew: where LockBitSupp lived, what car they drove, and — most damaging — a suggestion that LockBitSupp was cooperating with law enforcement. The last claim, whether true or not, was designed to sow distrust between LockBitSupp and the affiliate network. For a RaaS operation that depended entirely on affiliate trust, the suggestion of administrator cooperation with law enforcement was existentially damaging.
The seized systems also revealed intelligence that was weaponized in the same media campaign: that LockBit had retained victim data after receiving ransom payments — directly contradicting the promises LockBit had made to victims that paying would result in deletion. Exposing this lie on LockBit's own platform served a dual purpose: it undermined LockBit's credibility with future victims (reducing the incentive to pay) and it demonstrated to affiliates that their operator had been dishonest with the victims they had extorted, raising questions about whether the operator was equally dishonest with them.
LockBitSupp was not deterred from responding. Within days, a new leak site was announced with "fbi.gov" listed as the first victim — a direct provocation. When the countdown expired, no FBI data appeared; instead, LockBitSupp published a lengthy statement declaring intent to continue operations and sought to purchase access to .gov, .edu, and .org domains as a public signal of retaliatory targeting. The revival brought additional scrutiny rather than restoring reputation: Trend Micro's April 2024 analysis found that two-thirds of victims posted to LockBit's reconstituted leak site were re-listed older victims rather than new compromises, inflating volume figures with recycled data. Attack volume in the UK fell 73% post-disruption relative to pre-Cronos monthly averages.
May 2024: LockBitSupp Unmasked
The "Who is LockBitSupp?" countdown card had promised a reveal. On May 7, 2024, the DOJ delivered it. A 26-count indictment unsealed in the District of New Jersey named Dmitry Yuryevich Khoroshev, a Russian national, as the alleged primary creator, developer, and administrator of LockBit from its inception in approximately September 2019 through May 2024. Khoroshev had operated publicly under the alias LockBitSupp and online handles including "LockBit" and "putinkrab."
The indictment alleged that Khoroshev personally received at least $100 million in disbursements from his 20% developer share of all ransom payments made to LockBit affiliates during the operation's lifespan. The charges included one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, eight counts of intentional damage to a protected computer, and sixteen counts of extortion — a total carrying a maximum penalty of 185 years in prison. The DOJ simultaneously announced a $10 million reward through the State Department's Transnational Organized Crime Rewards Program for information leading to Khoroshev's arrest or conviction. The UK's National Crime Agency and Australia's Department of Foreign Affairs and Trade coordinated sanctions against Khoroshev on the same day.
The indictment also contained a revealing detail: after the February 2024 disruption, Khoroshev had allegedly contacted law enforcement and offered to provide information about his RaaS competitors — "enemies," in his framing — in exchange for leniency. Whether this outreach was genuine or strategic, it was included in the public indictment, further undermining his standing in the criminal community. As of the writing of this briefing, Khoroshev remains at large in Russia.
December 2024 and March 2025: The Developer's Arrest and Extradition
In August 2024, Israeli authorities arrested Rostislav Panev, 51, a dual Russian and Israeli national, pursuant to a US provisional arrest request. Panev had been a developer for LockBit from its inception in approximately 2019 through at least February 2024. A search of his computer by Israeli agents, with his consent, recovered a credentials document containing access to LockBit's control panel and a dark web repository storing source code for multiple LockBit builder versions — the tools affiliates used to generate custom ransomware payloads for each victim. The repository also contained StealBit source code and leaked Conti ransomware source code.
In interviews with Israeli authorities following his arrest, Panev admitted to having performed coding, development, and consulting work for LockBit and to having received regular cryptocurrency payments. Among the specific work he admitted to was developing code to disable antivirus software, to deploy malware to multiple computers on a victim network simultaneously, and to print the LockBit ransom note to all printers connected to a victim network. Cryptocurrency records showed that between June 2022 and February 2024, Khoroshev transferred approximately $10,000 per month — laundered through cryptocurrency mixing services — to a wallet owned by Panev, totaling over $230,000.
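The ransom-note printing behaviour Panev described leaves a distinctive trace: one account on one host submits the same small document to many printers within seconds, which ordinary users never do. The detection below is an added example written for this briefing, not code from the page or from any vendor it cites. It runs a sliding window over print events and flags any (user, host) pair that fans out to an unusual number of distinct printers. The flat `timestamp|user|host|printer|document` layout is an assumed export format standing in for Windows PrintService/Operational event 307 ("Document printed"), and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The pipe-separated layout is an assumption for this demo;
# real Windows PrintService/Operational event 307 records carry the same fields in XML.
SAMPLE_EVENTS = """\
2024-02-19T15:58:01|alice|WS-114|HR-Printer-1|Q4_budget.xlsx
2024-02-19T16:00:02|svc-backup|FS-01|HR-Printer-1|README.txt
2024-02-19T16:00:02|svc-backup|FS-01|Finance-LJ|README.txt
2024-02-19T16:00:03|svc-backup|FS-01|Lobby-MFP|README.txt
2024-02-19T16:00:03|svc-backup|FS-01|Eng-Floor2|README.txt
2024-02-19T16:00:04|svc-backup|FS-01|Eng-Floor3|README.txt
2024-02-19T16:00:05|svc-backup|FS-01|Warehouse-Label|README.txt
2024-02-19T16:04:10|bob|WS-201|Eng-Floor2|design_review.pdf
2024-02-19T16:30:00|alice|WS-114|Lobby-MFP|visitor_badge.pdf
"""


def parse_events(text: str) -> list:
    """Parse the flat export into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, printer, doc = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "printer": printer,
            "doc": doc,
        })
    return events


def detect_print_fanout(events: list, window: timedelta = timedelta(seconds=60),
                        min_printers: int = 4) -> list:
    """Flag (user, host) pairs that reach min_printers distinct printers inside one window.

    For each actor the widest qualifying window is reported, so the alert lists every
    printer the burst touched rather than only the first few that crossed the threshold.
    """
    by_actor = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_actor[(event["user"], event["host"])].append(event)

    alerts = []
    for (user, host), evs in by_actor.items():
        best = None  # (distinct printer count, start index, end index)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["printer"] for e in evs[start:end + 1]}
            if best is None or len(distinct) >= best[0]:
                best = (len(distinct), start, end)
        if best and best[0] >= min_printers:
            burst = evs[best[1]:best[2] + 1]
            alerts.append({
                "user": user,
                "host": host,
                "first_seen": burst[0]["ts"],
                "printers": sorted({e["printer"] for e in burst}),
                "documents": sorted({e["doc"] for e in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_print_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['first_seen']} {alert['user']}@{alert['host']} printed "
              f"{alert['documents']} to {len(alert['printers'])} printers: {alert['printers']}")
```

Tune `min_printers` to the largest legitimate fan-out in your environment (label or batch-print servers may need an allow-list), and treat a hit as a signal that encryption is already under way on that host, since note printing happens late in the intrusion.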
A 41-count superseding indictment against Panev was unsealed in December 2024. He was extradited from Israel to the United States in March 2025, making an initial appearance before a US magistrate judge in the District of New Jersey. At that point the DOJ had charged seven LockBit members in total, three of whom were in custody or had been extradited.
In May 2025, unknown attackers breached the remnants of LockBit's infrastructure and defaced its internal dashboards with the message: "Don't do crime, CRIME IS BAD xoxo from Prague." The attackers released a database containing Bitcoin addresses, ransom negotiation transcripts, stolen affiliate credentials, and details on 75 or more affiliates and administrators, along with custom ransomware builds and encryption keys. The leak confirmed what Operation Cronos had alleged — that LockBit retained victim data after ransom payments — and provided investigators and journalists direct visibility into the operational mechanics of a ransomware enterprise from negotiation to wallet activity. A separate arrest of LockBit affiliate Mikhail Matveev by Russian authorities was reported around the same time.
The Full Charged Roster
Seven LockBit members have been charged in the District of New Jersey across the multi-year enforcement effort that Operation Cronos anchored:
- Mikhail Vasiliev (alias Ghostrider) — LockBit affiliate; pleaded guilty in July 2024, awaiting sentencing
- Ruslan Astamirov (alias BETTERPAY, Eastfarmer) — LockBit affiliate; pleaded guilty in July 2024, awaiting sentencing
- Artur Sungatov — Russian national; indictment unsealed February 2024; at large
- Ivan Kondratyev (alias Bassterlord) — Russian national; indictment unsealed February 2024; at large
- Mikhail Pavlovich Matveev (alias Wazawaka) — Russian national; indicted separately; subject of $10M reward; arrested by Russian authorities in 2025
- Dmitry Yuryevich Khoroshev (alias LockBitSupp) — alleged administrator; 26-count indictment unsealed May 2024; subject of $10M reward; at large
- Rostislav Panev — dual Russian-Israeli national; alleged developer; 41-count indictment; extradited to the US March 2025
What Operation Cronos Means for Ransomware Enforcement
Operation Cronos established several precedents that distinguish it from every prior ransomware law enforcement action and are likely to shape how agencies approach future operations.
Infrastructure as information platform. Prior ransomware disruptions — Emotet, Qakbot, Hive — involved seizure and takedown. Operation Cronos converted the seized infrastructure into an active intelligence and psychological operations asset. Using LockBit's own leak site to publish indictments, arrest announcements, and identity disclosures was simultaneously a media strategy, a victim assistance platform (hosting decryptor information), and a reputation attack against a criminal enterprise that depended on its brand. This dual-use of seized infrastructure is likely to become standard practice in major cybercriminal disruptions going forward.
Patience over speed. Law enforcement had access to LockBit's network for an extended period before the public announcement. The choice to wait — to gather intelligence, identify affiliates, build criminal cases, and coordinate simultaneous international actions — rather than move immediately produced a qualitatively different outcome than a rapid takedown. Trend Micro noted explicitly that had law enforcement moved faster with a traditional takedown approach, the likely result would have been a rapid recovery. The months-long covert investigation gathered the affiliate intelligence, Bitcoin wallet data, source code, and identity information that made the disruption's effects lasting rather than cosmetic.
Credibility as a target. RaaS operations are fundamentally trust businesses. Affiliates trust operators to pay them correctly and not expose them; victims trust — to whatever limited extent — that paying will produce results. Operation Cronos identified both trust relationships as attack surfaces: revealing that Khoroshev had retained victim data after payment destroyed the victim trust relationship, and suggesting administrator cooperation with law enforcement threatened the affiliate trust relationship. Targeting credibility alongside infrastructure was a strategic innovation that extended the disruption's impact beyond the technical.
The limits of disruption. Despite all of the above, LockBit attempted a comeback, reconstituted a leak site, and LockBit 5.0 has been reported in subsequent months, with enhanced evasion techniques and new affiliate recruitment. Khoroshev remains at large. Several major affiliates are unapprehended. This does not diminish what Operation Cronos achieved — the 73% reduction in UK attack volume, the $68 million in ransom demands averted through decryption keys provided to 500 victims, and the arrest and extradition of a core developer are real, documented outcomes. But it illustrates the structural reality of disrupting decentralized criminal enterprises: arrests and seizures reduce capacity but do not permanently eliminate the talent, knowledge, or motivation of operators who remain free and the affiliates who migrate to successor operations.
Key Takeaways
- LockBit was the dominant RaaS operation of the 2022–2024 period by almost every metric. 2,500+ victims in 120 countries, $500M+ in confirmed ransom extraction, 194 documented affiliates, 7,000+ attacks in the final 20 months of operation. Its scale and professionalization made it simultaneously the most dangerous active ransomware group and the most valuable disruption target for international law enforcement.
- Operation Cronos exploited a PHP vulnerability (CVE-2023-3824) to gain access to LockBit's own infrastructure. A ransomware group running a bug bounty program was compromised through an unpatched web application flaw on its own servers — underscoring that operational security failures are not limited to victim organizations.
- The psychological operations component was as strategically significant as the technical seizure. Repurposing the seized leak site with countdown timers leading to indictments, exposing data retention practices that contradicted victim promises, and suggesting administrator cooperation with law enforcement all targeted the trust relationships that made the RaaS model function. Damaging credibility alongside capability was a deliberate strategic choice.
- The post-disruption prosecution effort produced concrete outcomes. Rostislav Panev, the developer who admitted to writing antivirus-disabling code, malware deployment automation, and ransom note printer propagation, was extradited to the US in March 2025 and faces a 41-count indictment. Two affiliates pleaded guilty. The DOJ has charged seven members in total. Khoroshev's identity was publicly exposed with a $10M reward for his arrest.
- The disruption reduced LockBit's operational capacity significantly but did not end its existence. Attempted reconstitution, LockBit 5.0 development, and continued affiliate activity demonstrate the structural resilience of decentralized RaaS operations to law enforcement disruption. Operation Cronos set a new standard for what disruption can achieve; it also illustrated the limits of what disruption alone can accomplish against an operation whose leadership remains outside extradition reach.
Operation Cronos will be studied as a template for major cybercriminal disruptions for years. Its combination of extended covert access, simultaneous international action, psychological operations on seized infrastructure, victim assistance deployment, and sustained post-disruption prosecution built a model that previous operations had only partially approached. Whether that model can fully neutralize the most capable ransomware groups — when leadership remains in jurisdictions that do not extradite — remains the fundamental unresolved question in ransomware law enforcement strategy.