Fraud Management & Cybercrime , Ransomware

Operation Cronos Again Threatens to Reveal LockBitSupp

International Police Operation Revives Seized LockBit Dark Web Leak Site
Operation Cronos Again Threatens to Reveal LockBitSupp
A snapshot of the LockBit leak site seized by Operation Cronos on May 6, 2024 (Image: ISMG)

Police behind an international law enforcement operation targeting LockBit resurrected the leak site they seized earlier this year from the ransomware-as-a-service group and posted a countdown clock suggesting they will reveal the identity of LockBitSupp, the group's leader.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Police from the United Kingdom, the United States and Europe in a February action dubbed Operation Cronos seized more than 35 LockBit servers and replaced the group's then-dark web leak page with a seizure notice and links touting the takedown (see: Arrests and Indictments in LockBit Crackdown).

Officials behind Operation Cronos at the time heavily suggested they would release the identity of LockBitSupp and posted a countdown timer mimicking ransomware pressure tactics with the heading "Who is LockBitSupp?" In the end, police didn't post an identity, but instead said, "We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :)" (see: No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp).

A new countdown clock set to expire May 7, 14:00 UTC on the resurrected leak site suggests this time police really do intend to reveal LockBitSupp's identity - although neither the U.K. National Crime Agency nor the FBI in the United States responded to a request for comment.

Malware researcher vx-underground said on Twitter that they spoke with LockBit ransomware group administrative staff regarding the return of the old domain and new messages from Operation Cronos.

"Lockbit ransomware group states law enforcement is lying. Lockbit also said and quote: "I don't understand why they're putting on this little show. They're clearly upset we continue to work."

The group reestablished a dark web presence within a week and posted a lengthy screed authored by its leader, who vowed not to retreat from the criminal underground.

LockBit on Monday posted on its leak site what appear to be a half-dozen new victims.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.