4 new LockBit-related arrests, identities of suspected Evil Corp members, affiliates revealed

The third phase of Operation Cronos, which involved officers from the UK National Crime Agency (NCA), the FBI, Europol and other law enforcement agencies, has resulted in the arrest of four persons for allegedly participating in the LockBit ransomware-as-a-service operation in various roles.

“A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate,” Europol announced on Tuesday.

“The Spanish officers seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group.”

Simultaneously, Australia, the UK and the US announced sanctions against Aleksandr Ryzhenkov, a Russian national believed to be a prolific affiliate of LockBit and strongly linked to Evil Corp, and other individuals and entities associated with Evil Corp.

The US Department of Treasury’s and NCA’s press releases and an NCA whitepaper provide more insight into the Evil Corp group’s functioning throughout the years, the identities of some suspected core members, and the group’s close links with the Russian state.


An indictment by the US Justice Department was also unsealed on Tuesday, charging Ryzhenkov “with using the BitPaymer ransomware variant to attack numerous victims in Texas and throughout the United States and hold their sensitive data for ransom.”

Previous LockBit-focused law enforcement actions

In February 2024, in the first public stage of Operation Cronos, the authorities took over the LockBit gang’s leak site and revealed that they had managed to take control of LockBit’s platform and affiliate panel, which gave them insight into victims and affiliates.

Two Russian nationals were indicted for conspiring to commit LockBit attacks, and two suspected LockBit affiliates were arrested in Poland and Ukraine. The agencies also started sharing decryption keys with LockBit victims around the world.

In March 2024, a dual Canadian-Russian national arrested in late 2022 was sentenced for committing cyber crimes as part of the LockBit group.

In May 2024, the second stage of the operation resulted in the unmasking of LockBitSupp, the suspected creator and administrator of the LockBit ransomware-as-a-service outfit, as Russian national Dmitry Khoroshev.

On Tuesday, the Cronos Taskforce announced four arrests.

“Europol facilitated the information exchange, supported the coordination of the operational activities and provided operational analytical support, as well as crypto tracing and forensic support,” the EU law enforcement agency explained.

“The advanced demixing capabilities of Europol’s Cybercrime Centre enabled the identification of several targets. Following the initiation operations against LockBit’s infrastructure in the beginning of 2024, Europol organised seven technical sprints, three of which were fully dedicated to cryptocurrency tracing.”
