Authorities Uncover 30,000 LockBit Bitcoin Addresses
Cryptocurrency trading platform Binance restricted access to 85 accounts as part of an action against the LockBit ransomware affiliates, and authorities estimated that members of the now-defunct ransomware-as-a-service operation had pocketed “hundreds of millions” in ransom.
Police from the United Kingdom, the United States, and Europe seized over 35 LockBit servers and replaced the group’s dark web data leak page with a seizure notice on Monday. As part of the action dubbed Operation Cronos, police confiscated LockBit source code, affiliate back-end servers and a trove of data (see: Breach Roundup: More Fallout From the LockBit Takedown).
In an update on Friday, authorities said they had identified 30,000 bitcoin wallets linked to the ransomware group as part of an operation conducted with crypto research firm Chainalysis.
The actions resulted in Binance seizing 85 accounts tied to the group, although authorities estimate that more than 500 affiliate accounts remain active.
Further analyses of LockBit crypto wallets from July 2022 to this month reveal that the group pocketed hundreds of millions in ransom, nearly 20% of which was paid to LockBit affiliates. Of that sum, nearly $114 million remains unspent, authorities said on Friday.
“LockBit’s activity on the blockchain illustrates its sheer longevity relative to other ransomware-as-a-service strains,” Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, said. “Based on LockBit’s cryptocurrency activity, we can also corroborate the large numbers of affiliates deploying LockBit,” she told Information Security Media Group.
The seizure of bitcoin wallets is the latest in a series of actions taken by law enforcement agencies against the ransomware group. On Thursday, email providers shuttered 14,000 email accounts associated with LockBit affiliates.
Since many affiliates continue to use advanced evasion tactics, crypto experts say identifying and arresting these actors will likely remain a challenge for law enforcement agencies.
Evasion tactics include using mixer services to obscure their profit origin and converting fiat currency to direct “crypto for cash” via unregulated exchanges and cryptocurrency ATMs – practices that often make tracking and blocking their activity difficult and time-sensitive, said Joseph Buckley, director at specialist consultancy firm Control Risks.
In one case Chainalysis observed, LockBit was working with an Iranian ransomware strain and depositing money to an Iranian exchange – likely indicating that it has affiliates working from Iran.
The fact that many LockBit affiliates tend to operate outside the jurisdiction of Western law enforcement agencies could also make arrests difficult – and possibly allow LockBit to regroup, Buckley said.
“Currently, law enforcement have not disclosed any arrests of the core members of LockBit. If this remains the case, in the long term, this takedown is unlikely to have a significant impact on the cybercriminal landscape because LockBit’s core members were not arrested,” he said.
Koven did not rule out a LockBit reemergence. She said Chainalysis will be monitoring how “LockBit affiliates adapt after the takedown” as well as how other ransomware actors change their operations “in light of the actions taken against LockBit.”