The UK, US, and Australia have unveiled the identity of Dmitry Khoroshev, a Russian national and the mastermind behind the previously notorious LockBit ransomware group, following a coordinated international disruption campaign led by the National Crime Agency (NCA).

Khoroshev, also known by his alias LockBitSupp, who had operated under a veil of anonymity and had placed a $10 million bounty for anyone revealing his identity, now faces sanctions imposed by the UK's Foreign, Commonwealth & Development Office (FCDO), in collaboration with the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.

These sanctions entail asset freezes and travel prohibitions. Additionally, the US has unsealed a federal indictment against Khoroshev and is offering a reward of up to $10 million for information that leads to his arrest or conviction

IntelEye analyst collected intelligence on Dmitry Yuryevich Khoroshev after his identity was revealed

After the identity reveal of Khoroshev, IntelEye's Intelligence Research team collected multiple different PIIs and other intelligence data. This investigation aims to help to appropriate authorities such asFederal Bureau of Investigation (FBI)FBI Cyber Division.

Initially, OFAC only collected a limited amount of data on the asset, hence the 10M$ reward for any information leading to his arrest. The posted details were as follows:

• dob - 17 Apr 1993
• e-mail #1 - sitedev5@yandex[.]ru
• e-mail #2 - khoroshev1@icloud[.]com
• Digital Currency Address - XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z
• Passport #1 - 2018278055 (Russia)
• Passport #2 - 2006801524 (Russia)

Using IntelEye's intelligence capabilities, our team was able to gathering the following data:

Owned e-mails

• khoroshev1@icloud[.]com - OFAC
• sitedev5@yandex[.]ru - OFAC
• d.horoshev@gmail[.]com - NEW Intel
• 3k@xakep[.]ru - NEW Intel
• pin@darktower[.]su - NEW Intel
• khoroshev.d@gmail[.]com - NEW Intel
  

Owned Phone Numbers

• +79521020220 (Russia)
• +79673415167 (Russia)
• +74732414824 (Kazakhstan)
• +79518539388 (Russia)

Related Addresses

• Voronezh, Bakuninsky lane, 13 (Russia)
• Voronezh, Shishkova street, 72/5.2 (Russia)
• Voronezh, Sacco and Vanzetti street, 78A, 3, 3005, "The entrance will be on the left, after the metal door and stairs” (Russia)
• Voronezh, st. Ostuzheva, 28 (Russia)
• Voronezh region, Voronezh, 394044, Kaliningradskaya st., 108, apt. 61 (Russia)
  

Social Accounts

• VK - d_khororshev - ID 622984899
• VK – Legenden Ghost - ID 93632204
• https://www.twitter[.]com/pioneer_3D
• https://www.youtube[.]com/channel/UC-QEePAiFI8nXpEaYEmn5GA

Aliases/Usernames

• LockBitSupp
• d_khororshev
• pioneer_3D
• anakonda66
• Dima
• Blackenergy
• blowup
• pony1
• Nerowolf/nerowolfe
• Legenden Ghost
  

Used IP Addresses

• 80.82.46.194
• 95.32.79.153

Additionally his phone number [+79521020220] was saved under the following names:

Names used to save Dimitri's phone number

Names used to save Dimitri's phone number

With the newly collected PIIs, the research team discovered additional Social Media accounts belonging to LockBitSupp. Here is a sample:

VK Account

Twitter Account

YouTube Account

Drupal Account

Case Graph for the LockBitSupp Investigation