An alleged mastermind behind the multi-million-dollar LockBit ransomware operation has been extradited to face charges in the United States.
51-year-old Rostislav Panev, a dual Russian and Israeli national, was extradited this month on charges that he was a developer of the LockBit ransomware group.
Panev was allegedly a key figure in the LockBit ransomware operation from its inception around 2019 through 2024. During this time, he is accused of coding the data-crippling malware used by the hacking group to extort hundreds of millions of dollars from victims worldwide.
“Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world,” according to the US Justice Department.
The hacking crew is said to be responsible for attacks on more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States.
Victims ranged from regular folk to small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
It’s estimated that LockBit extracted at least half a billion dollars in ransoms, inflicting billions more in collateral losses, including lost revenue and costs from incident response and recovery.
“Panev […] designed the LockBit malware code and maintained the infrastructure on which LockBit operated,” the DOJ notes, citing documents filed in this and related cases. “LockBit’s other members, called ‘affiliates,’ carried out LockBit attacks and extorted ransom payments from LockBit victims. LockBit’s developers and affiliates would then split the ransom payments which were extorted from victims.”
Court documents say that when Panev was arrested in Israel in August, police discovered on his computer administrator credentials for a repository hosted on the dark web containing source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the malware for particular victims.
“On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks,” according to the press release. “Law enforcement also discovered access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates and hosted by those developers on the dark web.”
Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, identified as Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as ‘LockBitSupp’ and ‘putinkrab.’
“In those messages, Panev and the LockBit primary administrator discussed work that needed to be done on the LockBit builder and control panel.”
Between 2022 and 2024, the LockBit chief allegedly awarded Panev $10,000 per month in laundered crypto for his coding services.
“Those transfers amounted to over $230,000 during that period,” says the DOJ.
While the US Justice Department doesn’t explicitly mention a guilty plea, the press release says that “Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.”
Panev allegedly also devised means to escape detection, spread the malware to multiple computers on the network, and print the LockBit ransom note to all printers connected to a victim network, as a power move. He also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.
It’s not clear what exact charges Panev faces, with the DOJ only saying that the allegations contained in the superseding complaint and indictments are mere accusations, and the defendant is presumed innocent until proven guilty.
Seven LockBit architects have now been charged.
The US Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering rewards of up to $10 million for information leading to the arrest and/or conviction of the LockBit operation's devisers.
Last year, the FBI announced a major disruptive action against LockBit, offering decryption keys to victims worldwide.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.