Australia unmasks, bans prolific Russian cybercriminal

The leader of one of the world's most infamous cybercrime organisations has been named and sanctioned by Australia, the UK and the US.

Russian citizen Dmitry Yuryevich Khoroshev was identified as having held a senior leadership role at LockBit, a group that provides ransomware to bad actors.

A joint campaign between the UK, the US and Australia found Mr Khoroshev had hidden behind the "LockBitSupp" alias since the group's inception in about September 2019 and acted as its developer and administrator until May.

Naming the Russian citizen could prevent further crimes, Australian Federal Police acting assistant commissioner Chris Goldsmid said.

"By taking away his anonymity, it has severely undermined Khoroshev's credibility with cyber criminals and also signals any dealings they have with him could be subject to law enforcement action," he said in a statement on Wednesday.

Foreign Minister Penny Wong also revealed Australia had banned Mr Khoroshev from travelling to Australia and imposed sanctions that would make it a criminal offence to provide assets to him, or to use or deal with his assets.

"Australia remains committed to promoting a rules-based cyberspace, grounded in international law and norms of responsible behaviour, and holding accountable those who flout the rules," she said.

Those who pay for LockBit's services can use them to block access to essential functions or steal and leak data, forcing victims to pay a ransom.

LockBit was behind 18 per cent of reported Australian ransomware incidents in 2022-23 and targeted 119 people in Australia.

Home Affairs Minister Clare O'Neil said the government's announcement would deter malicious cyber activity.

"For too long, criminals like those behind LockBit have hidden in the shadows," she said.

"The damage done by LockBit in Australia is significant.

"This sanction is an important step in breaking the ransomware business model, preventing cybercriminals from profiting from attacks on Australian citizens and businesses."

UK authorities say more than 7000 online attacks were built using LockBit's services between June 2022 and February 2024, with the top five countries hit being the US, UK, France, Germany and China.

Law enforcement agencies from several countries first disrupted LockBit in February, taking over the group's dark web site to host articles which exposed actions taken against the cybercrime gang.

Its profits have also been frozen, with various law enforcement agencies targeting more than 200 cryptocurrency accounts held by LockBit members.

Investigations into LockBit are ongoing.

This is the second time Australia's cyber sanctions network has been used after the government imposed sanctions against Alexander Ermakov, who was responsible for a cyber attack on Medibank that affected nearly 10 million Australians.