On May 6, authorities updated LockBit’s website, announcing they would reveal the identity of LockBit’s administrator, known as LockBitSupp. The site displayed a 24-hour countdown, creating anticipation in the cybersecurity community.
Cybersecurity Researcher Jon DiMaggio’s Suspicion
Cybersecurity researcher Jon DiMaggio, from the firm Analyst1, wondered if the authorities had identified the same person he had. For years, DiMaggio had been developing a relationship with LockBitSupp, initially pretending to be a cybercriminal and later revealing his true identity.
DiMaggio’s Relationship with LockBitSupp
DiMaggio detailed his relationship with LockBitSupp during a talk at the Def Con hacking conference in Las Vegas. He explained how he created fake personas to infiltrate the gang and gain the administrator’s trust. Over time, DiMaggio gathered critical information about LockBitSupp’s operation.
Gaining LockBitSupp’s Trust
DiMaggio’s initial attempt to join the gang was rejected, but he continued communicating with LockBitSupp, building a friendly relationship. He used humor and casual conversations to extract information about the gang’s operations, such as attack strategies and ransom negotiations.
The Turning Point: Public Exposure of DiMaggio’s Research
In January 2023, DiMaggio published a report revealing his undercover findings, effectively ending his fake personas. Surprisingly, LockBitSupp took the revelation in stride, even poking fun at DiMaggio in online forums. This playful interaction highlighted the cat-and-mouse dynamic between them.
DiMaggio’s Psychological Tactics
In August of the previous year, DiMaggio publicly trolled LockBitSupp by jokingly demanding $10 million to stop a supposed exposé on the gang. Some cybercriminals believed the joke, illustrating DiMaggio’s psychological impact on the group. Despite the tension, LockBitSupp continued communicating with DiMaggio, even after a brief disappearance.
LockBit’s Controversial Attacks on Hospitals
LockBit’s involvement in cyberattacks on hospitals, including a children’s hospital in Chicago, deeply angered DiMaggio. He considered confronting LockBitSupp but ultimately decided against it, recognizing the importance of maintaining emotional distance from his target.
Law Enforcement Disrupts LockBit’s Operations
Law enforcement temporarily disrupted LockBit’s operations by taking down its website. This motivated DiMaggio to intensify his efforts to identify LockBitSupp. An anonymous tip aided his pursuit, leading him to a Yandex email address allegedly linked to LockBitSupp.
DiMaggio’s Breakthrough: Identifying Dmitry Khoroshev
Using the email address as a starting point, DiMaggio eventually identified LockBitSupp as Dmitry Khoroshev. However, he was unsure until the authorities updated the seized LockBit website, confirming Khoroshev’s identity.
The Final Revelation: U.S. Department of Justice’s Accusation
As the 24-hour countdown ended, the U.S. Department of Justice officially accused Dmitry Khoroshev of being LockBit’s mastermind and administrator. DiMaggio immediately published his report, doxing Khoroshev and revealing extensive personal information.
DiMaggio’s Message to Khoroshev
In a final message, DiMaggio advised Khoroshev to stop his criminal activities. Since then, DiMaggio has not heard back from Khoroshev, though there are rumors of potential retribution.
DiMaggio’s Objective: Educating Cybersecurity Researchers
By sharing his experience, DiMaggio aims to demonstrate how researchers can infiltrate cybercriminal groups and gather valuable information. However, he also warns that such activities can have serious consequences, as evidenced by the ongoing tension between him and Khoroshev.