
UK Police Seize 200 LockBit Cryptocurrency Wallets
The UK’s National Crime Agency has revealed details of an operation to seize servers belonging to the hacker group LockBit.
Authorities have detained two members of the organisation in Poland and Ukraine. They are accused of conducting ransomware attacks and are currently under arrest, with future court appearances in the US pending.
Charges have also been filed against two Russian nationals, Artur Sungatov and Ivan Kondratyev, who distributed the ransomware. OFAC has blocked ten of their cryptocurrency wallets, which were held on exchanges including Binance and KuCoin.
In total, more than 200 cryptocurrency addresses linked to LockBit have been frozen.
A reward of $10 million has been offered for information on the identity and whereabouts of the group member known as LockBitSupp.
Authorities have seized 34 LockBit servers, infiltrated the administrative environment of the affiliate network, and accessed the platform’s source code. They also managed to seize over 1,000 encryption keys.
The keys have been handed over to the Japanese national police, who have developed a tool for decrypting files on Windows systems.
The LockBit leak site now displays links with the results of Operation Cronos.
Experts are debating whether a vulnerability in PHP was the main reason for the server breach; they do not rule out the possibility.
I’d be very surprised if it was not exploitable. The biggest difficulty are the preconditions (file upload, directory listing routine with controlled path prefix), but they are not so unlikely.
— Charles Fol (@cfreal_) February 20, 2024
The operation to completely halt the activities of the LockBit group and its affiliates is ongoing.
In February, it was reported that part of the ransomware’s infrastructure had been seized. Over the malware’s four-year existence, its operators have stolen more than $120 million from over 2,300 victims.