A superseding criminal complaint filed in the US District of New Jersey was unsealed on 30 December 2024, charging a dual Russian and Israeli national with being a developer of the LockBit ransomware group. In August 2024, Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel under a US provisional arrest request with a view to extradition to the United States. Panev is currently in custody in Israel pending extradition on the charges in the superseding complaint. [1]
See: https://redskyalliance.org/xindustry/lockbit-ransomware-again
According to the superseding complaint, documents filed in this and related cases, and statements made in court, Panev acted as a developer of the LockBit ransomware group from its inception in or around 2019 through at least February 2024. During that time, Panev and his LockBit conspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world. The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States. Their victims ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. LockBit’s members extracted at least $500 million in ransom payments from their victims and caused billions of dollars in other losses, including lost revenue and costs from incident response and recovery.
LockBit’s members comprised ‘developers,’ like Panev, who designed the LockBit malware code and maintained the infrastructure on which LockBit operated. LockBit’s other members, called ‘affiliates,’ carried out LockBit attacks and extorted ransom payments from LockBit victims. LockBit’s developers and affiliates would then split ransom payments extorted from victims.
As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for victims. Law enforcement also discovered source code for LockBit’s StealBit tool on that repository, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks. Law enforcement also discovered access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates and hosted by those developers on the dark web.
The superseding complaint also alleges that Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, who, in an indictment unsealed in the US District of New Jersey in May, the United States alleged to be Dimitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), also known as LockBitSupp, LockBit, and putinkrab. In those messages, Panev and the LockBit primary administrator discussed work that needed to be done on the LockBit builder and control panel.
Court documents further indicate that, between June 2022 and February 2024, the primary LockBit administrator made a series of cryptocurrency transfers, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.
In interviews with Israeli authorities following his arrest in August 2024, Panev admitted to having performed coding, development, and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by US authorities. Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software, deploy malware to multiple computers connected to a victim network, and print the LockBit ransom note to all printers connected to a victim network. Panev also admitted to having written and maintained LockBit malware code and providing technical guidance to the LockBit group.
The superseding complaint against Panev, and his apprehension, follow a disruption of LockBit ransomware in February 2024 by the Cyber Division of the United Kingdom’s National Crime Agency (NCA), which worked in cooperation with the Justice Department, FBI, and other international law enforcement partners. As previously announced by the Department, authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and by seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data. That disruption greatly diminished LockBit’s reputation and ability to attack further victims, as alleged by documents filed in this case.
The superseding complaint against Panev also follows charges brought in the District of New Jersey against other LockBit members, including its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev. An indictment against Khoroshev unsealed in May 2024 alleges that Khoroshev began developing LockBit as early as September 2019 and continued acting as the group’s administrator through 2024, a role in which Khoroshev recruited new affiliate members, spoke for the group publicly under the alias ‘LockBitSupp,’ and developed and maintained the infrastructure used by affiliates to deploy LockBit attacks. Khoroshev is currently the subject of a reward of up to $10 million through the US Department of State’s Transnational Organized Crime (TOC) Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov/.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings:
https://register.gotowebinar.com/register/5378972949933166424
© 2025 Red Sky Alliance Corporation. All rights reserved.