• Insight
  • 3 min read

The Identity of LockBit’s Leader Exposed

Law enforcement in the USA and the United Kingdom has issued arrest warrants for Dmitry Yurevich Khoroshev, a 31-year-old Russian national who is allegedly the leader of the LockBit syndicate. Khoroshev is currently residing in Voronezh, Russia, and the chances that Russia will extradite him to the USA are virtually nil in the current geopolitical climate. However, the arrest warrant will still likely complicate Khoroshev’s life a lot.

Like many successful cybercriminals, Khoroshev has gone to great lengths to protect his real identity because his freedom of movement will now be seriously limited. In the current climate in Russia, it’s possible that various other actors in Russia may now try to get a piece of his personal fortune. Recently, the leader of LockBit posted a wish to get in contact with so-called “violence-as-a-service” people in Russia.

An international arrest warrant will also leave Khoroshev with few options if the Russian government starts to exert pressure on him to use his skills to assist Russian intelligence gathering or even just help finance it.

The LockBit syndicate has already been involved in several controversies among Russian cybercriminals. It’s likely that their success has sparked envy among other groups. In February, law enforcement also seized LockBit’s server infrastructure. Despite these setbacks, LockBit has tried to return to business until now, and only time will tell if this becomes the final straw for LockBit.

The ransomware ecosystem is resilient, and there are plenty of other Russian ransomware groups ready to take on LockBit’s affiliates, so any dip in ransomware activity is likely to be temporary. At the same time, LockBit held a unique position in the ransomware ecosystem as the prime choice for new operators who worked alone. Hopefully, LockBit’s disruption will help stem the flow of new recruits into the ransomware industry.


[1] https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned [2] https://analyst1.com/ransomware-diaries-volume-5-unmasking-lockbit-2/ [3] https://soc.truesec.app/5f5c9acc-8492-42cf-98c4-b3b56f704ab6/threat-insights/TS-ThreatInsight-2024-2