Feds Accuse Dual Russian-Israeli National of Serving as Key Member of Operation

An accused developer for Russian-speaking ransomware group LockBit appeared in a U.S. courtroom Thursday to face dozens of charges filed against him.
Rostislav Panev, 51, was arrested by police in Israel last August based on a U.S. provisional arrest request. The dual Russian and Israeli citizen faces a 41-count U.S. criminal complaint for allegedly serving as a key developer for LockBit, beginning around the group’s inception in 2019 and continuing through at least February 2024 (see: Alleged LockBit Coder Faces 41-Count Indictment in US).
The complaint against Panev said LockBit’s administrator paid him in cryptocurrency, “laundered through illicit cryptocurrency mixing services,” totaling approximately $10,000 per month, and adding up to more than $230,000 from June 2022 to February 2024.
Israel upheld U.S. federal prosecutors’ request for Panev’s extradition, which occurred Thursday, after which he appeared before a U.S. district court judge, said the U.S. Department of Justice.
“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” said U.S. Attorney John Giordano.
Panev’s U.S. attorney, Frank Arleo, who was appointed last November, couldn’t be immediately reached for comment.
The complaint says that Panev, after being arrested, admitted to Israeli authorities “to having performed coding, development and consulting work for the LockBit group in exchange for significant payments of Bitcoin.”
Investigators said Panev and LockBit’s administrator exchanged private messages in early 2022 on a well-known cybercrime forum “regarding the LockBit builder and control panel – consistent with Panev’s admissions to having performed development and coding work for LockBit.” A search of Panev’s iCloud account also revealed his “familiarity with encryption techniques, ransomware, and LockBit.”
Israeli agents obtained Panev’s consent to search a computer seized from his residence and recovered a “credentials document” which they shared with U.S. investigators, according to the criminal complaint. The FBI said this document included access credentials listed as being for LockBit’s control panel, which they tested on Aug. 12, 2024, confirming that they did provide such access.
“There is no legitimate reason, therefore, for an ordinary member of the public or a non-criminal actor to have access credentials to the LockBit control panel,” prosecutors said.
The control panel provided access to an online repository containing builds for different versions of LockBit and tools affiliates could use to generate custom builds of the malware for every different victim, according to court documents. “On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attack,” the complaint reads.
Group Disrupted Hospitals, Schools
LockBit emerged in early 2020, luring affiliates through the claimed sophistication and speed of its crypto-locking malware and becoming one of the most active ransomware groups. The ransomware-as-a-service group ran a data-leak site where it practiced double extortion, naming victims who didn’t pay, and threatening to dump their stolen data.
As with other RaaS operations, LockBit offered affiliates a sizeable cut of every ransom a victim paid. As detailed by cybersecurity researcher Elena Koldobsky, LockBit kept 20% of every ransom paid, or 30% to 50% if the affiliate relied on LockBit to handle negotiations.
Authorities have tied LockBit to attacks against over 2,500 victims in at least 120 countries, including 1,800 U.S. organizations. Victims have ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofits and critical infrastructure. LockBit and its affiliates took in at least $500 million in ransom payments and caused billions of dollars in other losses, including lost revenue and bills generated for incident response and recovery.
A law enforcement operation led by Britain’s National Crime Agency, which worked with the FBI and other international partners, began disrupting LockBit in February 2024 as part of an ongoing effort dubbed Operation Cronos. Agents infiltrated LockBit’s infrastructure, seized servers, its data-leak blog and 2,500 decryption keys for victims, and amassed intelligence on the group and its operations. That included details about affiliates and Bitcoin wallet addresses used by operators, including to launder stolen funds.
Authorities later unsealed an indictment that named LockBit’s main administrator “LockBitSupp” – who boasted about law enforcement being unable to unmask his true identity – as being Russian national Dmitry Yuryevich Khoroshev. He remains at large, with the U.S. posting a reward of up to $10 million for information that leads to his arrest or conviction.
So far seven alleged LockBit members have been charged in the District of New Jersey, of which three – including Panev – are now in custody. The four who remain at large have been sanctioned by the Department of the Treasury’s Office of Foreign Assets Control.