Ransoms, tattoos and million-dollar bounties: authorities ‘doxx’ an alleged cybercrime kingpin

In the right hands — or the wrong ones — it’s the kind of sensitive information that could be used to steal a person’s identity and wreak financial havoc in their name.

But the target of this “doxxing” is allegedly one of the world’s most prolific cyber criminals, the leader of a ransomware gang so brazen it offered a million dollars to anyone who could turn up information on the real-world identity of a leader known online as “LockBitSupp”.

In the end it was authorities in the US, the country most heavily hit by his alleged crimes, who outed Dmitry Yuryevich Khoroshev, a 31-year-old Russian with a crew cut and now a US$10 million (AUD$15.2 million) US government bounty hanging over his head.

Khoroshev is allegedly a leader of LockBit, an online extortion outfit blamed for nearly one in five ransomware attacks on businesses in Australia and thousands more throughout the world.

He’s made powerful enemies.

A wave of sanctions and travel bans now targets him in the US, Australia and notably the UK.

The latter would imperil any wealth the accused criminal entrepreneur might choose to plunge into London property, along with the estimated 1.1 billion British pounds ($2 billion) in criminal proceeds being laundered in the city also known as “Londongrad”.

Even more provocative was the official unmasking of the alleged mastermind hacker by the US Department of Treasury’s Office of Foreign Assets Control.

Its website published the numbers of Khoroshev’s two Russian passports, his tax identification number, digital currency address, email addresses, date of birth and aliases.

“They are sensitive details that can be used to perpetrate identity crimes… particularly passport numbers that you wouldn’t expect to be released publicly,” Queensland University of Technology criminologist Cassandra Cross says.

“There’s a lot of irony in this space.”

Authorities released Khoroshev’s details knowing that LockBit had distinguished itself by disparaging cybercrime rivals in online forums.

It also pulled publicity stunts, like paying people to get LockBit tattoos.

Ransomware outfit LockBit offered to pay people to get tattoos as a publicity stunt. (Supplied: Twitter/X)

Almost two years into LockBit’s global crime spree, the hackers became the hacked.

In February, the UK’s National Crime Agency, as part of the international Operation Cronos, took over LockBit’s own darkweb site to expose the group and announce arrests and cryptocurrency seizures.

US Treasury says the “ultimate goal of sanctions is not to punish but to bring about a positive change in behavior”.

But Clare O’Neil, Australia’s Home Affairs and Cyber Security Minister, is more upfront about the endgame.

“Cyber sanctions… are an important tool, inflicting real hurt and punishment on cyber criminals who are trying to harm our citizens,” Ms O’Neil says.

But they’re “not a magic bullet because there isn’t one”, she says.

Australia’s Home Affairs and Cyber Security Minister, Clare O’Neil, says sanctions are a way of “inflicting real harm and punishment on cyber criminals”. (AAP image: Lukas Coch)

The cybercrime boss at the Australian Federal Police, Acting Assistant Commissioner Chris Goldsmid, says it supports the “decision to publicly name Khoroshev”.

“By taking away his anonymity, it has severely undermined Khoroshev’s credibility with cyber criminals and also signals any dealings they have with him could be subject to law enforcement action.”

Local police often struggle to do more than victim support in the face of Russian cybercrime gangs like LockBit and BlackCat, who reach in from a jurisdiction where the prospect of extradition is as remote as an Arctic penal colony.

LockBit blamed for 18 percent of Australian ransomware attacks

The AFP, in league with the military spooks at the Australian Signals Directorate (ASD), says it’s working with state and territory police through 119 reported cases of Australian businesses and individuals targeted by LockBit.

These made up 18 per cent of ransomware complaints in Australia last financial year, the AFP says.

Mr Goldsmid says it’s also “used information collected to trace the global LockBit network and build the global case against the ransomware criminal group”, sharing information with overseas partners “for months”.

The US Department of Justice says LockBit has targeted more than 2,500 victims worldwide, raking in more than $US500 million ($760 million) in ransoms.

It says LockBit, which takes a cut of ransoms obtained through licensing its software to criminal associates, is responsible for attacks on organizations in critical sectors, from financial services to education, emergency services and healthcare.

LockBit is known for “double extortion tactics”, where cybercriminals extract victims’ data then encrypt their computer systems before demanding payments.

The US State Department has offered a $US10 million ($15.2 million) reward for information leading to Khoroshev’s arrest or conviction.

He’s been charged in absentia with violating US computer fraud and abuse laws.

In an unsealed indictment, prosecutors in the US allege Khoroshev “acted as the LockBit ransomware group’s developer and administrator from its inception in or around September 2019” until this month.

He allegedly reaped financial rewards from a variety of roles in the group, including managing criminal affiliates, recruiting new ransomware developers, and leading LockBit’s efforts to keep going after its hacking by law enforcement in February.

UK authorities blame LockBit for facilitating a 20-month spree of 7,000 online attacks up to February, with most victims in the US, UK, France, Germany and China.

According to the ASD, part of LockBit’s success came from making its ransomware easier to use for “those with a lower degree of technical skill”.

It also offered a “stark contrast” to criminal rivals by taking its cut after affiliates extracted their ransoms from victims, the ASD says.

Question over whether paying ransoms could breach sanctions

The Australian sanctions make it a crime to provide Khoroshev with assets, or use or deal with his assets.

The ABC asked Ms O’Neil’s office if that meant that companies or individuals in Australia could be breaking the law by paying LockBit ransoms.

Her office referred questions to the Department of Defense.

Defense referred questions to the Prime Minister’s Office.

The ABC had not received a response at time of publication.

Both the Australian government and cybercrime experts say it’s a bad idea to pay ransoms, which are no guarantee of ending an extortion ordeal.

Professor Cross says there’s “no guarantee that you will get the data back in the state that it was taken. And there’s not necessarily a guarantee that it still won’t be used against you or that you won’t be targeted for further ransoms in the future”.

But that hasn’t stopped companies quietly taking damage control into their own hands, in cases which remain closely guarded boardroom secrets.

“There are organizations globally who likely have paid ransoms for a variety of reasons,” Professor Cross says.

“There may be circumstances for individual companies depending on what type of data is lost, the impact it has on their business and their ability to recover.”

Queensland University of Technology criminologist Cassandra Cross says companies sometimes choose to disregard government advice and pay ransoms to cyber criminals. (Supplied)

Professor Cross says the decision to release “fairly sensitive” details about Khoroshev raises a kind of conflict seen around data breaches.

“This tension between, ‘We want to protect certain citizens — but happy to expose other citizens essentially to the same potential outcomes,’” she says.

“From a victim perspective, I guess it doesn’t matter who’s perpetrating the offenses.

“At the end of the day, it’s data that’s being exposed that potentially sets people up for identity theft and fraud.”

Cyber Security Minister Ms O’Neil says that “almost all countries in the world are facing the same problems”.

“Not just generally, but specifically: the same technologies, the same actors, the same kinds of targets,” she says.

“To tackle ransomware, we have to use these deep international partnerships.”