LockBit ransomware developer arrested

US law enforcement arrested one of LockBit ransomware gang’s lead developers in Israel last August, according to a recently unsealed criminal complaint by US law enforcement.

The documents reveal that Rostislav Panev, a 51-year-old man with dual Russian-Israeli citizenship, is facing extradition to the US to face charges alongside two others accused of working for the cybercriminal group

Panev allegedly served as a malware developer for the ransomware group from its inception in 2019 until February 2024, receiving approximately $230,000 in cryptocurrency transfers from the group between June 2022 and February 2024.

During his time at the group, Panev and his co-conspirators helped grow LockBit into what the US Justice Department refers to as “the most active and destructive ransomware group in the world.”

LockBit is responsible for more than 2,500 attacks across at least 120 countries, including 1,800 in the US.  Victims have included businesses of all sizes, hospitals, schools, nonprofit organisations, critical infrastructure, government agencies, and law enforcement entities.

In total, the group received at least $500 million in ransom payments and caused billions of dollars in losses.

According to the Justice Department, at the time of his arrest, Panev had admin credentials for LockBit’s Dark Web online repository with the gang’s ransomware source code, alongside source code for an affiliate tool called “StealBit” used to exfiltrate stolen data.

Panev’s laptop also had access credentials for the LockBit control panel used by affiliates.

In interviews with Israeli authorities following his arrest in August, Panev admitted to performing coding development and consulting work for the LockBit group and receiving regular payments in cryptocurrency for his work.

“The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” said the Justice Department’s attorney general Merrick B. Garland.

“Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks,” he added.

In February this year, the UK, US, and EU law enforcement announced the takedown of the group with a notice on the gang’s extortion site that read: “The site is now under the control of law enforcement.”

In what was called ‘Operation Cronos’, the agencies displayed multiple screenshots of LockBit’s backend and announced its affiliates in Poland and Ukraine.

Then, in May, the National Crime Agency led a campaign to identify the ‘leader of LockBit’, unmasked as Dmitry Khoroshev.

More recently, unknown individuals claiming to represent the ransomware gang have broken cover to announce the impending release of a new malware, LockBit 4.0.

Reported screengrabs from the Dark Web show the supposed cyber-criminal inviting interested parties to “sign up and start your pentester billionaire journey in 5 minutes with us.”

It showed a countdown timer with a launch date of 3 February 2025.

Read more about who LockBit were during their time as a cyber gang here.