US authorities have extradited a dual Russian and Israeli national on charges of being a developer of the notorious LockBit ransomware.
Rostislav Panev, aged 51, has been extradited from Israel, where he was arrested in August 2024 pursuant to a US provisional arrest request. He made an initial appearance before a US magistrate and was then detained pending trial.
Panev is accused of acting as a developer of the LockBit ransomware from its inception in or around 2019 through to at least February 2024.
“During that time, Panev and his LockBit coconspirators grew LockBit into what was, at times, the most active and destructive ransomware group in the world,” the Department of Justice (DoJ) said in court documents.
US authorities believe the Russia-based ransomware-as-a-service (RaaS) group attacked more than 2500 victims in at least 120 countries around the world, including 1800 in the US. Victims have included critical services, such as hospitals, schools and government agencies.
LockBit operators and affiliates have extracted at least $500m in ransom payments from their victims, as well as causing billions of dollars in lost revenue and response and recovery costs, according to the DoJ.
Key LockBit infrastructure was taken down by law enforcement during Operation Cronos in February 2024, significantly diminishing the group’s capabilities.
The group has since pivoted and released new versions of the ransomware to continue attacks against organizations.
The complaint against Panev follows charges brought against other LockBit members by the US. This includes its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev.
US authorities have offered a reward of up to $10m for information that leads to Khoroshev’s arrest and/or conviction.
LockBit Source Code Discovery
The complaint against Panev alleges that law enforcement discovered, on his computer, administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder.
These credentials allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware.
On the online repository, law enforcement also allegedly discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks.
Additionally, the complaint alleges that Panev exchanged direct messages through a cybercriminal forum with LockBit’s primary administrator, Khoroshev.
In those messages, Panev and Khoroshev discussed work that needed to be done on the LockBit builder and control panel.
The court documents further indicate that, between June 2022 and February 2024, Khoroshev made a series of cryptocurrency transfers to wallets owned by Panev. Those transfers amounted to over $230,000 during that period.
In interviews with Israeli authorities, Panev has purportedly admitted to having performed coding, development and consulting work for the LockBit group and to having received regular payments in cryptocurrency for that work.