A man with dual Russian and Israeli citizenship has been accused in the United States of being the mastermind behind the now-defunct LockBit ransomware-as-a-service (RaaS) operation from its beginning in 2019 until at least February 2024.
Rostislav Panev, 51, was apprehended in Israel in August and is currently awaiting extradition, as stated by the U.S. Department of Justice (DoJ). He allegedly made around $230,000 between June 2022 and February 2024 through fund transfers to a cryptocurrency wallet owned by him.
“Rostislav Panev spent years creating and maintaining the digital tools that allowed his LockBit accomplices to cause chaos and incur billions of dollars in damages worldwide,” said U.S. Attorney Philip R. Sellinger.
LockBit, a notorious ransomware group, had its infrastructure seized in February 2024 in an international operation called Cronos. The group is infamous for targeting over 2,500 entities in at least 120 countries, including 1,800 in the U.S.
Victims of LockBit’s attacks ranged from individuals and small businesses to large corporations, including hospitals, schools, non-profits, critical infrastructure, government agencies, and law enforcement. The group is believed to have made at least $500 million in illegal profits.
Court documents revealed that Panev’s computer had administrator credentials for an online repository on the dark web containing source code for various versions of the LockBit builder. The builder was used by affiliates to create customized ransomware builds. Additionally, access credentials for the LockBit control panel and a tool called StealBit, which allowed affiliates to steal data before encrypting it, were found.
Panev not only developed and maintained the LockBit malware code but also provided technical guidance to the criminal group. He was in direct communication with Dmitry Yuryevich Khoroshev, the primary administrator known as LockBitSupp, discussing development tasks related to the builder and control panel.
Following his arrest, Panev confessed to coding, developing, and advising the LockBit group, receiving regular cryptocurrency payments for his services. His work included creating code to disable antivirus software, deploy malware across victim networks, and print ransom notes on all connected printers.
With Panev’s arrest, a total of seven LockBit members, including Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, and Mikhail Pavlovich Matveev, have been charged in the U.S.
Despite these legal actions, the LockBit operators are reportedly planning a comeback with the release of LockBit 4.0 in February 2025. It remains to be seen if the group can successfully resume its operations amid ongoing law enforcement crackdowns.
Second NetWalker Ransomware Affiliate Receives 20-Year Prison Sentence
In a separate development, Daniel Christian Hulea, a 30-year-old Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison and ordered to forfeit $21,500,000, along with his interests in an Indonesian company and a luxury resort property. Hulea pleaded guilty to computer fraud conspiracy and wire fraud conspiracy in June 2024.
NetWalker, known for targeting the healthcare sector during the COVID-19 pandemic, was dismantled in January 2021 when U.S. and Bulgarian authorities shut down its dark web sites. In October 2022, a Canadian affiliate, Sebastien Vachon-Desjardins, was also sentenced to 20 years in prison.
Raccoon Stealer Developer Sentenced to 5 Years in Prison
In another legal development, Mark Sokolovsky, a Ukrainian national accused of being the primary developer of the Raccoon Stealer malware, was sentenced to 60 months in federal prison for conspiracy to commit computer intrusion.
Sokolovsky conspired to offer Raccoon Stealer as a malware-as-a-service for $200 a month, enabling other criminals to deploy the malware through methods like email phishing to steal sensitive data. The harvested information was used for financial crimes or sold on underground forums.
Extradited from the Netherlands in February 2024, Sokolovsky pleaded guilty to the charges in October and agreed to forfeit funds and pay restitution. His actions were described as part of an international criminal conspiracy that victimized countless individuals by facilitating cybercrimes.
The FBI has established a website where users can check if their email addresses were compromised by the Raccoon Stealer malware. The MaaS operation was shut down in March 2022 following Sokolovsky’s arrest.
NYC Man Sentenced for Credit Card Trafficking and Money Laundering
In a separate case, a 32-year-old New York City man, Vitalii Antonenko, was sentenced to time served plus days for participating in a criminal scheme that used SQL injection attacks to steal credit card and personal information. The data was sold on online criminal marketplaces, with proceeds laundered through Bitcoin, bank transactions, and cash to conceal their origin.
Antonenko was arrested in March 2019 upon returning to the U.S. from Ukraine carrying devices containing stolen payment card numbers. He pleaded guilty to charges of conspiracy to gain unauthorized access to computer networks, trafficking in unauthorized access devices, and money laundering conspiracy.