Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.
In a significant victory for international law enforcement, Rostislav Panev, the alleged developer of the notorious LockBit ransomware group, has been extradited from Israel to the United States to face trial. The U.S. Department of Justice (DOJ) announced the extradition of Panev, a 51-year-old dual Russian and Israeli national, signaling a continued commitment to dismantle ransomware operations that have caused billions of dollars in losses worldwide.
Panev was initially arrested in Israel in August 2024 following a U.S. provisional arrest request. After his extradition, he made an initial court appearance before U.S. Magistrate Judge André M. Espinosa in Newark, New Jersey, and has been detained pending trial.
U.S. Attorney John Giordano emphasized the significance of this extradition, stating, “Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice.”
He further highlighted the unwavering commitment of his office, the FBI, and international partners to prosecuting cybercriminals despite the increasing sophistication of their methods.
Rostislav Panev in an undated picture shared on X. He is charged as a developer of the notorious LockBit ransomware group, helping extort over $500 million from victims.
According to court documents and statements, Panev allegedly served as a developer for the LockBit ransomware group from its inception around 2019 through at least February 2024. During this period, LockBit became one of the most active and destructive ransomware groups globally.
Even after a period of reduced activity following law enforcement disruption in February 2024, the group is linked to over 2,700 victims, triple the number of the next most active group.
The DOJ stated that the LockBit group claimed responsibility for attacks on over 2,500 victims across at least 120 countries, including approximately 1,800 in the U.S. Victims ranged from individuals and small businesses to multinational corporations, including critical infrastructure like hospitals, schools, and government agencies.
Notable victims of the LockBit ransomware group include the Chinese bank ICBC, ION Group investments, and the Housing Authority of the City of Los Angeles.
LockBit is estimated to have extracted at least $500 million in ransom payments and caused billions of dollars in other losses.
The LockBit operation involved two roles: developers like Panev, who designed the malware code and maintained the operational infrastructure, and affiliates, who carried out the attacks and extorted victims. Ransom payments were then split between these two groups.
Evidence cited in the superseding complaint against Panev reveals that law enforcement discovered administrator credentials on his computer for a dark web-hosted online repository at the time of his arrest.
This repository contained source code for multiple LockBit builder versions, allowing affiliates to create custom versions of the ransomware for specific victims. Investigators also found the source code for LockBit’s StealBit tool, which is used for data exfiltration, and access credentials for the LockBit control panel maintained by the developers for the affiliates.
The complaint further alleges that Panev engaged in direct messages on a cybercriminal forum with LockBit’s primary administrator, identified by the U.S. as Dimitry Yuryevich Khoroshev, also known as LockBitSupp. These messages reportedly discussed tasks related to the LockBit builder and control panel.
Between June 2022 and February 2024, the primary LockBit administrator allegedly transferred approximately $10,000 per month in cryptocurrency to a wallet owned by Panev, totaling over $230,000 during that period. These funds were allegedly laundered through illicit cryptocurrency mixing or “washing” services designed to obfuscate cryptocurrency transactions and wallet tracing.
Following his arrest, Panev reportedly admitted to Israeli authorities that he performed coding, development, and consulting work for the LockBit group and received regular cryptocurrency payments, consistent with the transfers identified by U.S. authorities.
His alleged work included developing code to disable antivirus software, deploy malware across victim networks, and print the LockBit ransom note on all connected printers. He also admitted to writing and maintaining LockBit malware code and providing technical guidance.
The extradition of Panev follows significant disruption efforts against the LockBit ransomware group in February 2024, led by the U.K. National Crime Agency (NCA) in cooperation with the DOJ, FBI, and international partners. This operation involved seizing LockBit’s public-facing websites and disrupting their infrastructure.
To date, seven LockBit members have been charged in the District of New Jersey. Besides Panev and Khoroshev, who remains at large, others charged include affiliates Mikhail Vasiliev and Ruslan Astamirov, who have pleaded guilty and are awaiting sentencing, and Artur Sungatov and Ivan Kondratyev, who also remain at large. Mikhail Matveev, another alleged affiliate, remains at large as well.
The U.S. Department of State is offering rewards of up to $10 million for information leading to the arrest and/or conviction of Khoroshev and Matveev and for information leading to the identification and location of individuals in key leadership positions within LockBit. A reward of up to $5 million is offered for information leading to the arrest and/or conviction of any individual participating in LockBit.
Law enforcement encourages all past victims of LockBit to contact the FBI and submit information at www.ic3.gov. Due to the disruption efforts, decryption capabilities have been developed that may help hundreds of victims restore their encrypted systems.
Victims are also encouraged to visit www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights.
It's not a good day when you’re the top news the FBI shares.
Rostislav Panev, a dual Russian and Israeli national, was extradited to the United States on charges that he was a developer for LockBit, a brand of ransomware that has attacked thousands of victims and extracted at least $500 million in ransom payments: justice.gov/usao-nj/pr/dua…
— FBI (@FBI)
3:35 PM • Mar 14, 2025
Until next time…
Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog