The National Crime Agency (NCA) and its partner agencies have teased limited details of the identity of LockBit’s public face, LockBitSupp, via the gang’s dark web leak site, which it took control of earlier this week in an apparently successful takedown of the notorious ransomware gang, dubbed Operation Cronos.
The update, which was delayed by several hours, had been trailed for days with a countdown timer – in similar fashion to how gangs like LockBit taunted their victims to pay up or have their data leaked – before the agencies posted it to the site earlier today (Friday 23 January).
Although the NCA stopped short of naming LockBitSupp outright, its update debunked previous claims made by LockBitSupp that he lived in the Netherlands or the United States, and that he drove a Lamborghini.
“He drives a Mercedes,” the update read, “though parts may be hard to source.”
“We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with law enforcement,” they added.
The tone and style of the update, reminiscent of the tactics of internet trolls and invoking imagery of cartoon cats, has clearly been designed to rattle LockBit crew members and affiliates who remain at large, and is notable as much for what it doesn’t say as what it does.
If LockBitSupp is indeed having difficulty sourcing spare parts for a Mercedes, there may be an implication he is located in Russia, a market the carmaker exited following the invasion of Ukraine. The hint that LockBitSupp had engaged with law enforcement could suggest that this individual had cooperated with the takedown in some way.
It is already known that the individual was kicked off a number of cyber criminal forums earlier in 2024, and according to Trend Micro research, the gang had been struggling to recapture its former status after a series of setbacks, including the leaking of its codebase by an angry developer.
In a paper published in January 2023, Analyst1 chief security strategist Jon DiMaggio wrote that, based on months of human intelligence gathering, he assessed it was likely that LockBitSupp may be two people: the gang leader and another core member of the group.
Based on his interactions with the ransomware operators, DiMaggio has painted a picture of an insecure and egotistic individual at the helm of LockBit.
His extensive research also firmed up links between LockBitSupp and other high-profile crews of the early 2020s, including REvil/Sodinokibi, Conti, BlackMatter and ALPHV/BlackCat among others.
Billion-dollar operation
Meanwhile, the NCA has also disclosed more details of its analysis of LockBit’s payment infrastructure. It said it had seized 30,000 bitcoin addresses from the gang’s systems, of which 500 were active, receiving toward £100m (at today’s prices). Further analysis has also uncovered 2,200 unspent bitcoins, representing funds of over £90m.
The NCA said that the receiving exposure of the analysed addresses represented the period from July 2022 and discounted over two years of LockBit’s crime spree. It noted that because a high percentage of the addresses represented the fees affiliates paid to LockBit, the actual ransom totals would be “far, far higher”, and the impact on businesses correspondingly more massive.
Given there have been in excess of 2,000 confirmed LockBit attacks, it is not unthinkable that the gang could have netted multibillion-dollar sums.