4 New Arrests Related to LockBit, Identities of Suspected Evil Corp Members and Affiliates Revealed

The third phase of Operation Cronos, involving officers from the UK's National Crime Agency (NCA), FBI, Europol and other law enforcement agencies, resulted in the arrest of four people for alleged involvement in the LockBit ransomware-as-a-affair . Service operations in various roles.

“A suspected developer of LockBit was arrested at the request of French authorities, while British authorities arrested two people for supporting the activities of a LockBit subsidiary,” Europol announced on Tuesday.

“Spanish officials seized nine servers that are part of the ransomware’s infrastructure and arrested an administrator of a Bulletproof hosting service used by the ransomware group.”

At the same time, Australia, the United Kingdom and the United States announced sanctions against Aleksandr Ryzhenkov, a Russian national believed to be a prolific partner of LockBit and closely associated with Evil Corp, as well as other individuals and entities associated with Evil Corp .

US Treasury and NCA press releases, as well as an NCA white paper, provide further insight into how the Evil Corp group has operated over the years, the identities of some alleged core members, and the group's close ties to the Russian state.

Also unsealed Tuesday was a U.S. Department of Justice indictment accusing Ryzhenkov of “using the BitPaymer ransomware variant to attack numerous victims in Texas and throughout the United States and extort their sensitive information for ransom.” .

Previous Law Enforcement Actions Targeted at LockBit

In February 2024, in the first public phase of Operation Cronos, authorities took over the LockBit gang's leak site and revealed that they had managed to take control of LockBit's platform and affiliate panel, thereby making them Gained insight into victims and affiliates.

Two Russian nationals have been charged with conspiring to commit LockBit attacks, and two suspected LockBit partners have been arrested in Poland and Ukraine. Authorities also began sharing decryption keys with LockBit victims around the world.

In March 2024, a Canadian-Russian dual citizen arrested in late 2022 was convicted of committing cybercrimes as part of the LockBit group.

In May 2024, the second phase of the operation resulted in LockBitSupp, the alleged creator and administrator of the LockBit ransomware-as-a-service company, being exposed as Russian citizen Dmitry Khoroshev.

On Tuesday, the Cronos Taskforce announced four arrests.

“Europol facilitated the exchange of information, supported the coordination of operational activities and provided operational analytical support, as well as crypto tracking and forensic support,” the EU law enforcement agency said.

“Europol’s cybercrime center’s advanced defusion capabilities enabled the identification of multiple targets. After the first operations against the LockBit infrastructure in early 2024, Europol organized seven technical sprints, three of which were exclusively dedicated to cryptocurrency tracking.”