'Kisses From Prague': The Fall Of A Russian Ransomware Giant

The sudden fall of a ransomware supplier once described as the world's most harmful cybercrime group has raised questions about Moscow's role in its development and the fate of its founder.
LockBit supplied ransomware to a global network of hackers, who used its services in recent years to attack thousands of targets worldwide and rake in tens of millions of dollars.
Ransomware is a type of malicious software, or malware, that steals data and prevents a user from accessing computer files or networks until a ransom is paid for their return.
LockBit supplied a worldwide network of hackers with the tools and infrastructure to carry out attacks, communicate with victims, store the stolen information and launder cryptocurrencies.
According to the US State Department, between 2020 and early 2024 LockBit ransomware carried out attacks on more than 2,500 victims around the world.
It issued ransom demands worth hundreds of millions of dollars and received at least $150 million in actual ransom payments made in the form of digital currency.
But LockBit was dealt its first devastating blow in February 2024, when the British National Crime Agency (NCA), working with the US FBI and several other nations, announced it had infiltrated the group's network and taken control of its services.
Later that year, the NCA announced it had identified LockBit's leader as a Russian named Dmitry Khoroshev (alias LockBitSupp).
The US State Department said it was offering a reward of up to $10 million for information leading to his arrest.
LockBit, which the NCA said was "once the world's most harmful cybercrime group", sought to adapt by using different sites.
But earlier this year it suffered an even more devastating breach and received a taste of its own medicine.
Its systems were hacked and some of its data stolen in an attack whose origins were mysterious and which has, unusually in the cybercrime world, never been claimed.
"Don't do crime. Crime is bad. Xoxo from Prague," said a cryptic message written on the website it had been using.
"LockBit was number one. It was in survival mode and took another hit" with the leak, said Vincent Hinderer, Cyber Threat Intelligence team manager with Orange Cyberdefense.
"Not all members of the group have been arrested. Other, less experienced cybercriminals may join," he added.
However, observations of online chats, negotiations and virtual currency wallets indicate "attacks with small ransoms, and therefore a relatively low return on investment", he said.
A French cyberdefence official, who asked not to be named, said the fall of LockBit in no way represented the end of cybercrime.
"You can draw a parallel with counterterrorism. You cut off one head and others grow back."
The balance of power also shifts fast.
Other groups are replacing LockBit, which analysts said was responsible in 2023 for 44 percent of ransomware attacks worldwide.
"Some groups achieve a dominant position and then fall into disuse because they quit on their own, are challenged or there's a breakdown in trust that causes them to lose their partners," said Hinderer.
"Conti was the leader, then LockBit, then RansomHub. Today, other groups are regaining leadership. Groups that were in the top five or top 10 are rising, while others are falling."
In a strange twist, the LockBit data leak revealed that one of its affiliates had attacked a Russian town of 50,000 inhabitants.
LockBit immediately offered the town decryption software -- an antidote to the poison.
But it did not work, the French official told AFP.
"It was reported to the FSB (security service), who quietly resolved the problem," the official said.
One thing appears to be clear -- the field is dominated by the Russian-speaking world.
Among the top 10 cybercrime service providers, "there are two Chinese groups", said a senior executive working on cybercrime in the private sector.
"All the others are Russian-speaking, most of them still physically located in Russia or its satellites," said the executive, who also requested anonymity.
It is harder to ascertain what role the Russian state might play -- a question all the more pertinent since Moscow's 2022 invasion of Ukraine.
"We can't say that the groups are sponsored by the Russian state, but the impunity they enjoy is enough to make it complicit," argued the French official, pointing to a "porosity" between the groups and the security services.
The whereabouts and status of Khoroshev are also a mystery.
The bounty notice from the US State Department, which said Khoroshev was aged 32, gives his date of birth and passport number but says his height, weight and eye colour are unknown.
His wanted picture shows an intense man with cropped hair and bulging muscular forearms.
"As long as he doesn't leave Russia, he won't be arrested," said the private sector expert. "(But) we're not sure he's alive."
"The Russian state lets the groups do what they want. It's very happy with this form of continuous harassment," he alleged.
In the past, there was some cooperation between Washington and Moscow over cybercrime but all this changed with the Russian invasion of Ukraine.
French expert Damien Bancal cites the case of Sodinokibi, a hacker group also known as REvil, which was dismantled in January 2022.
"The FBI helped the FSB arrest the group. During the arrests, they found gold bars and their mattresses were stuffed with cash," he said.
But since the invasion of Ukraine, "no-one is cooperating with anyone any more".
Asked if the US has questioned Moscow about Khoroshev after the bounty was placed on his head, Kremlin spokesman Dmitry Peskov said: "Unfortunately, I have no information."
