U.S. Charges Developer Of LockBit For Billions In Global Ransomware Damages

US authorities have announced that a dual Russian and Israeli national, has been charged for his alleged involvement with the LockBit ransomware group, with extradition proceedings underway.

Rostislav Panev, 51, is accused of serving as a developer and coder for LockBit since January 2022, earning approximately $230,000 in cryptocurrency for his contributions, according to unsealed Department of Justice charges.

LockBit is linked to numerous ransomware attacks, where hackers disable victims' systems or encrypt their data, demanding a ransom for restoration. High-profile targets of the group have included Boeing Co., the Industrial & Commercial Bank of China, and the UK’s Royal Mail.

In August, Rostislav Panev was arrested in Israel pursuant to a U.S. provisional arrest request with a view towards extradition to the United States. Panev is currently in custody in Israel pending extradition on the charges lodged in the superseding complaint.

“As alleged by the complaint, Rostislav Panev for years built and maintained the digital weapons that enabled his LockBit coconspirators to wreak havoc and cause billions of dollars in damage around the world. But just like the six other LockBit members previously identified and charged by this office and our FBI and Criminal Division partners, Panev could not remain anonymous and avoid justice indefinitely. He must now answer for his crimes. Today’s announcement represents another blow struck by the United States and our international partners against the LockBit organization, and our efforts will continue relentlessly until the group is fully dismantled and its members brought to justice.”

U.S. Attorney Philip R. Sellinger

“The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” said Attorney General Merrick B. Garland. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”

“The arrest of Mr. Panev reflects the Department's commitment to using all its tools to combat the ransomware threat,” said Deputy Attorney General Lisa Monaco. “We started this year with a coordinated international disruption of LockBit — the most damaging ransomware group in the world. Fast forward to today and three LockBit actors are in custody thanks to the diligence of our investigators and our strong partnerships around the world. This case is a model for ransomware investigations in the years to come.”

“The arrest of alleged developer Rostislav Panev is part of the FBI’s ongoing efforts to disrupt and dismantle the LockBit ransomware group, one of the most prolific ransomware variants across the globe,” said FBI Director Christopher Wray. “The LockBit group has targeted both public and private sector victims around the world, including schools, hospitals, and critical infrastructure, as well as small businesses and multi-national corporations. No matter how hidden or advanced the threat, the FBI remains committed to working with our interagency partners to safeguard the cyber ecosystem and hold accountable those who are responsible for these criminal activities.”

“The criminal complaint alleges that Rotislav Panev developed malware and maintained the infrastructure for LockBit, which was once the world’s most destructive ransomware group and attacked thousands of victims, causing billions of dollars in damage,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “Along with our domestic and international law enforcement partner actions to dismantle LockBit’s infrastructure, the Criminal Division has disrupted LockBit’s operations by charging seven of its key members (including affiliates, developers, and its administrator) and arresting three of these defendants — including Panev. We are especially grateful for our partnerships with authorities in Europol, the United Kingdom, France, and Israel, which show that, when likeminded countries work together, cybercriminals will find it harder to escape justice.”

“For five years, Panev helped to grow LockBit into a ransomware machine of deception and extortion,” said Acting Special Agent in Charge Nelson I. Delgado of the FBI Newark Field Office.  “His reach was far and wide but FBI Newark and our international law enforcement partners were able to disrupt his reign. Panev’s arrest marks a victory against these conspirators, and is a step towards upholding justice and neutralizing these criminals.”

According to the superseding complaint, documents filed in this and related cases, and statements made in court, Panev acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024. During that time, Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world. The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States. Their victims ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. LockBit’s members extracted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses, including lost revenue and costs from incident response and recovery.

LockBit’s members comprised “developers,” like Panev, who designed the LockBit malware code and maintained the infrastructure on which LockBit operated. LockBit’s other members, called “affiliates,” carried out LockBit attacks and extorted ransom payments from LockBit victims. LockBit’s developers and affiliates would then split ransom payments extorted from victims.

As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims. On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks. Law enforcement also discovered access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates and hosted by those developers on the dark web.

The superseding complaint also alleges that Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, who, in an indictment unsealed in the District of New Jersey in May, the United States alleged to be Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab. In those messages, Panev and the LockBit primary administrator discussed work that needed to be done on the LockBit builder and control panel.

Court documents further indicate that, between June 2022 and February 2024, the primary LockBit administrator made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.

In interviews with Israeli authorities following his arrest in August, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities. Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network. Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.

The LockBit Investigation

The superseding complaint against, and apprehension of, Panev follows a disruption of LockBit ransomware in February by the U.K. National Crime Agency (NCA)’s Cyber Division, which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. That disruption succeeded in greatly diminishing LockBit’s reputation and its ability to attack further victims, as alleged by documents filed in this case.

The superseding complaint against Panev also follows charges brought in the District of New Jersey against other LockBit members, including its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev. An indictment against Khoroshev unsealed in May alleges that Khoroshev began developing LockBit as early as September 2019, continued acting as the group’s administrator through 2024, a role in which Khoroshev recruited new affiliate members, spoke for the group publicly under the alias “LockBitSupp,” and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks. Khoroshev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov/.

A total of seven LockBit members have now been charged in the District of New Jersey. Beyond Panev and Khoroshev, other previously charged LockBit defendants include:

• In July, two LockBit affiliate members, Mikhail Vasiliev, also known as Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110, and Ruslan Astamirov, also known as BETTERPAY, offtitan, and Eastfarmer, pleaded guilty in the District of New Jersey for their participation in the LockBit ransomware group and admitted deploying multiple LockBit attacks against U.S. and foreign victims. Vasiliev and Astamirov are presently in custody awaiting sentencing.
• In February, in parallel with the disruption operation described above, an indictment was unsealed in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Sungatov and Kondratyev remain at large.
• In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Mikhail Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev remains at large and is currently the subject of a reward of up to $10 million through the U.S. Department of State’s TOC Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov/.

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering rewards of:

• Up to $10 million for information leading to the arrest and/or conviction in any country of Khoroshev;
• Up to $10 million for information leading to the arrest and/or conviction of Matveev;
• Up to $10 million for information leading to the identification and location of any individuals who hold a key leadership position in LockBit; and
• Up to $5 million for information leading to the arrest and/or conviction in any country of any individual participating or attempting to participate in LockBit.

Information is accepted through the FBI tip website at tips.fbi.gov.

Khoroshev, Matveev, Sungatov, and Kondratyev have also been designated for sanctions by the Department of the Treasury’s Office of Foreign Assets Control for their roles in launching cyberattacks.

Victim Assistance

LockBit victims are encouraged to contact the FBI and submit information at www.ic3.gov. As announced by the Department in February, law enforcement, through its disruption efforts, has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant. Submitting information at the IC3 site will enable law enforcement to determine whether affected systems can be successfully decrypted.

LockBit victims are also encouraged to visit www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights under U.S. law, including the right to submit victim impact statements and request restitution, in the criminal litigation against Panev, Astamirov, and Vasiliev.