LockBit gang members arrested in Poland and Ukraine

Two suspected cyber criminals associated with the LockBit ransomware operation have been arrested in Poland and Ukraine as part of the audacious coordinated takedown of the crew’s infrastructure in Operation Cronos, news of which broke late on Monday 19 February.

The arrests were made at the request of the French judicial authorities and formed part of a 10-country multinational operation, led by the UK’s National Crime Agency (NCA) and involving the FBI and others. Other international arrest warrants and indictments have also been made by the French and US authorities.

The months-long operation led to the compromise of LockBit’s primary platform and the critical infrastructure that enabled its four-year crime spree.

The gang’s technical infrastructure is now under the control of the NCA, as is its dark web leak site on which they hosted the data they stole. The NCA said it is also in possession of LockBit’s source code, some victim data and, crucially, decryption keys, which it plans to use to help the gang’s victims. 

Other assets seized include multiple servers used by affiliates located across Europe and the US, including in the UK, and the gang’s bespoke exfiltration tool, StealBit, which was used to steal data.

The authorities have also frozen 200 cryptocurrency accounts linked to the gang and seized “vast” amounts of data to support future activities, including, it is hoped, targeting the leaders, developers and affiliates of LockBit.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners,” said NCA director general Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out”

“As of today, LockBit are locked out. We have damaged the capability and, most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” said Biggar.

US attorney general Merrick Garland added: “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation.

“And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the justice department and its international partners have dismantled. It will not be the last.”