A recent development in the cybercrime world involves the arrest and charging of Rostislav Panev, a dual Russian and Israeli national, for his alleged involvement as the developer of the notorious LockBit ransomware-as-a-service (RaaS) operation. Panev, 51, was arrested in Israel in August and is currently awaiting extradition to the United States.
According to the U.S. Department of Justice (DoJ), Panev is believed to have earned approximately $230,000 between June 2022 and February 2024 through fund transfers to a cryptocurrency wallet. U.S. Attorney Philip R. Sellinger described Panev as the mastermind behind the digital weapons that enabled the LockBit group to cause widespread havoc, resulting in billions of dollars in damages worldwide.
LockBit, known for its extensive reach and targeting of over 2,500 entities in at least 120 countries, including 1,800 in the U.S., was dismantled in February 2024 as part of an international law enforcement operation named Cronos. The RaaS operation is estimated to have generated illicit profits of at least $500 million.
Court documents revealed that Panev’s computer contained administrator credentials for an online repository on the dark web hosting source code for various versions of the LockBit builder, which affiliates used to create customized ransomware builds. Additionally, access credentials for the LockBit control panel and a tool called StealBit, used for data exfiltration prior to encryption, were also discovered.
In interviews with Israeli authorities following his arrest, Panev confessed to his involvement in coding, development, and consulting work for the LockBit group, receiving regular cryptocurrency payments for his contributions. His tasks included developing code to disable antivirus software, deploy malware across victim networks, and print the LockBit ransom note on all connected printers.
With Panev’s arrest, a total of seven LockBit members have been charged in the U.S., including Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, and Mikhail Pavlovich Matveev. Despite these legal setbacks, reports suggest that the LockBit operators are planning a resurgence with the release of LockBit 4.0 in February 2025, although the success of their comeback remains uncertain amidst ongoing law enforcement actions.
In a related development, Daniel Christian Hulea, a Romanian affiliate of the NetWalker ransomware operation, was sentenced to 20 years in prison for his involvement in computer fraud conspiracy and wire fraud conspiracy. Hulea admitted to obtaining ransom payments valued at $21,500,000 using NetWalker during the prosecution.
Additionally, Mark Sokolovsky, a Ukrainian national accused of developing the Raccoon Stealer malware, was sentenced to 60 months in federal prison for conspiracy to commit computer intrusion. Sokolovsky’s role in providing Raccoon as a malware-as-a-service and facilitating financial crimes through data theft led to his extradition from the Netherlands and guilty plea in October.
The arrest and sentencing of cybercriminals involved in ransomware and malware operations underscore the ongoing efforts by law enforcement agencies to combat cybercrime and hold perpetrators accountable for their actions. These cases serve as a warning to individuals engaging in illegal activities online and highlight the collaborative efforts undertaken to safeguard digital environments from malicious threats.