Ransomware Developer Extradited, Admits Working for LockBit

![Picture of Kristina Beek, Associate Editor, Dark Reading](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2248772495e9caeb/64f17d73018a7c55e8822fc1/KristinaB.jpg?width=100&auto=webp&quality=80&disable=upscale ‘Picture of Kristina Beek, Associate Editor, Dark Reading’) [Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)March 14, 2025 2 Min Read ![A mobile phone with the Lockbit website placed on a computer keyboard with the seized leak site on the screen](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd83ce495afe24c67/67d477dba026fa04821828d9/lockbit1800_ANP_alamy.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale ‘A mobile phone with the Lockbit website placed on a computer keyboard with the seized leak site on the screen’) Source: ANP via Alamy Stock Photo [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group&title=Ransomware%20Developer%20Extradited%2C%20Admits%20Working%20for%20LockBit)[](mailto:?subject=Ransomware Developer Extradited, Admits Working for LockBit&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Ransomware%20Developer%20Extradited%2C%20Admits%20Working%20for%20LockBit%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcyberattacks-data-breaches%2Flockbit-developer-extradited-admits-working-ransomware-group) NEWS BRIEFA dual Russian-Israeli citizen working as one of [LockBit ransomware group’s lead developers](https://www.darkreading.com/cyberattacks-data-breaches/lockbit-ransomware-developer-arrested-israel) has been extradited from Israel to the US. Rostislav Panev, 51, was arrested in 2023 and had his first US court appearance on March 14.According to the complaint against him, Panev was a developer for [LockBit ransomware group](https://www.darkreading.com/threat-intelligence/lockbit-associates-arrested-evil-corp-bigwig-outed) from 2019 to at least February 2024. The ransomware group attacked more than 2,500 victims in 120 countries, 1,800 of them in the US. Victims ranged from individuals to small businesses and even multinational corporations that included nonprofit organizations, educational institutions, hospitals, and critical infrastructure. In targeting them, LockBit was able to garner at least $500 million in ransom payments and cause billions of dollars in losses. Law enforcement discovered Panev’s computer administrator credentials at the time of his arrest. The credentials were for an online repository that was hosted on the Dark Web and stored source code for multiple versions of the LockBit builder. Law enforcement also discovered source code for LockBit’s StealBit tool, which allowed [LockBit affiliates](https://www.darkreading.com/cyberattacks-data-breaches/actor-tied-lockbit-ransomware-targets-fortinet-users) to exfiltrate stolen data. Panev allegedly exchanged messages through a cybercriminal forum with LockBit’s primary administrator, Dmitry Yuryevich Khoroshev, where they discussed the work that needed to be done on the LockBit builder and control panel, according to the complaint filed against Panev.Related:[Threat Actor Tied to LockBit Ransomware Targets Fortinet Users](/cyberattacks-data-breaches/actor-tied-lockbit-ransomware-targets-fortinet-users)In addition, court documents indicate that between June 2022 and February 2024, Khoroshev made a series of cryptocurrency transfers to Panev, totaling more $230,000. [Panev admitted](https://www.justice.gov/usao-nj/pr/dual-russian-and-israeli-national-extradited-united-states-his-role-lockbit-ransomware) in interviews with Israeli authorities to having performed coding development and consulting work for the LockBit group while receiving regular payments in cryptocurrency for that work.There is currently a reward of up to $10 million through the US Department of State’s Transnational Organized Crime (TOC) Rewards Program for information on Khoroshev that leads to his arrest or conviction in any country, as well as rewards for other key members of the LockBit ransomware group. Read more about:[News Briefs](/keyword/news-briefs) [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cyberattacks-data-breaches/lockbit-developer-extradited-admits-working-ransomware-group&title=Ransomware%20Developer%20Extradited%2C%20Admits%20Working%20for%20LockBit)[](mailto:?subject=Ransomware Developer Extradited, Admits Working for LockBit&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Ransomware%20Developer%20Extradited%2C%20Admits%20Working%20for%20LockBit%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcyberattacks-data-breaches%2Flockbit-developer-extradited-admits-working-ransomware-group) About the Author—————-![Kristina Beek, Associate Editor, Dark Reading](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2248772495e9caeb/64f17d73018a7c55e8822fc1/KristinaB.jpg?width=400&auto=webp&quality=80&disable=upscale ‘Kristina Beek, Associate Editor, Dark Reading’) [Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)
Skilled writer and editor covering cybersecurity for Dark Reading. [See more from Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek) Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. [Subscribe](https://dr-resources.darkreading.com/free/w_defa3135/prgm.cgi) More Insights Webinars* [DR, SIEM, SOAR, and MORE: How to Determine the Right Endpoint Strategy for Your Enterprise](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&pc=w_defa7753&ch=SBX&cid=_upcoming_webinars_8.500001526&_mc=_upcoming_webinars_8.500001526)Mar 19, 2025* [What is the Right Role for Identity and Access Management in Your Enterprise?](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_dels15&ch=SBX&cid=_upcoming_webinars_8.500001529&_mc=_upcoming_webinars_8.500001529)Mar 26, 2025* [Today’s Top Cloud Security Threats](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_wiza63&ch=SBX&cid=_upcoming_webinars_8.500001530&_mc=_upcoming_webinars_8.500001530)Apr 1, 2025* [Memory Safety -& Exploit Management: Real-World Attacks -& Defenses](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa7921&ch=SBX&cid=_upcoming_webinars_8.500001534&_mc=_upcoming_webinars_8.500001534)Apr 3, 2025* [Unifying Cloud Security: A Blueprint for Modern Threat Resilience](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_palo270&ch=SBX&cid=_upcoming_webinars_8.500001533&_mc=_upcoming_webinars_8.500001533)Apr 4, 2025[More Webinars](/resources?types=Webinar) Events* [-[Conference-] Black Hat USA – August 2-7 – Learn More](https://www.blackhat.com/us-25/?_mc=we_bhas25_drcuration&cid=_session_16.500330)Aug 2, 2025* [-[Conference-] Black Hat Asia – April 1-4 – Learn More](https://www.blackhat.com/asia-25/?_mc=we_bhas25_drcuration&cid=_session_16.500329)Apr 1, 2025* [-[Dark Reading Virtual Event-] Cybersecurity’s Most Promising New and Emerging Technologies](https://ve.informaengage.com/virtual-events/cybersecuritys-most-promising-new-and-emerging-technologies/?ch=SBX&cid=_session_16.500328&_mc=_session_16.500328)Mar 20, 2025[More Events](/events)You May Also Like*** ** * ** ***[Cyberattacks -& Data BreachesChina’s Volt Typhoon Exploits Zero-Day in Versa’s SD-WAN Director Servers](https://www.darkreading.com/cyberattacks-data-breaches/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers) [Cyberattacks -& Data BreachesToyota Customer, Employee Data Leaked in Confirmed Data Breach](https://www.darkreading.com/cyberattacks-data-breaches/toyota-customer-employee-data-leaks-in-confirmed-data-breach) [Cyberattacks -& Data BreachesIran Reportedly Grapples With Major Cyberattack on Banking Systems](https://www.darkreading.com/cyberattacks-data-breaches/iran-reportedly-grapples-with-major-cyberattack-on-banking-systems) [Cyberattacks -& Data BreachesAligning Breaches With MITRE ATT-&CK Threat Model](https://www.darkreading.com/cyberattacks-data-breaches/aligning-breaches-with-mitre-att-ck-threat-model)

Related Tags:
DEV-0391

UNC3236

Voltzite

Vanguard Panda

NAICS: 236 – Construction Of Buildings

NAICS: 551 – Management Of Companies And Enterprises

NAICS: 55 – Management Of Companies And Enterprises

NAICS: 23 – Construction

NAICS: 61 – Educational Services

Associated Indicators:

Threat Intel Solutions

Ransomware Developer Extradited, Admits Working for LockBit

Search

Popular Posts

Dangerous runC flaws could allow hackers to escape Docker containers

Lost iPhone? Don’t fall for phishing texts saying it was found

NAKIVO Introduces v11.1 with Upgraded Disaster Recovery and MSP Features

Categories

Pages

Archives

Tags

Follow Us