On February 19, 2024, the UK’s National Crime Agency (NCA) announced its role in leading an international law enforcement operation, dubbed Operation Cronos, targeting one of the most notorious ransomware groups, LockBit. The operation resulted in the successful disruption of the ransomware group, with law enforcement seizing their website and accessing “vast amounts of intelligence” about the group’s inner workings. After posting a seizure notice on LockBit’s darknet website, police teased a countdown to the big reveal on the morning of the 20th.
This morning it was discovered that LockBit’s darknet site had been modified; instead of the usual lists of data stolen from LockBit’s victims, police copied the page’s format to reveal information about the ransomware group. This includes how to decrypt encrypted data, allowing victims to recover their data without paying a ransom. Further unreleased information is being teased along with a countdown that ends later this week, which includes information about the group’s crypto operations.
The Director General of the National Crime Agency, Graeme Biggar, said: “This investigation led by the NCA represents a revolutionary disruption of the world’s most dangerous cyber crime group. This shows that no criminal operation, no matter where it is located, no matter how advanced, is beyond the reach of the Agency and our partners. Through our close cooperation, we hacked the hackers.”
In addition, the US Treasury’s Office of Foreign Assets Control (OFAC) today sanctioned two individuals for their role in deploying the LockBit ransomware. Russian citizens Ivan Genadievich Kondratyev and Artur Ravilevich Sungatov are accused of acting as affiliates of the LockBit group. In addition to the sanctions announced by OFAC, the US Department of Justice has unsealed indictments charging Kondratyev and Sungatov with deploying the LockBit ransomware against multiple victims. According to a press release issued today by the Department of Justice, “a total of five members of LockBit have now been charged for their involvement in the LockBit conspiracy”, two of whom are in custody and will face trial in the US.
This week’s action against LockBit is extremely significant and should be celebrated. Operation Cronos demonstrates that law enforcement can successfully disrupt ransomware operations regardless of where the perpetrators are located, and can recover victim data, which will reduce the profitability of LockBit’s crimes.
Elliptic is aware of hundreds of addresses connected to LockBit. This data provides important information about the cryptocurrency wallet infrastructure used by one of the world’s most prolific ransomware gangs. This information can be used in two key ways:
- Cryptocurrency exchanges can use transaction verification tools such as Elliptic Navigator to identify all customer deposits originating from LockBit wallets. In this way, they can help prevent the laundering of ransom payments, as well as provide timely intelligence to the police.
- Law enforcement agencies can “follow the money” using blockchain forensics tools like Elliptic Investigator to help potentially seize assets and identify those responsible.
This is a developing story and we will continue to provide updates.