Earlier this year, an international coalition of law enforcement agencies took control of the dark web site of the notorious ransomware gang LockBit, replacing its content with the now-familiar message from the authorities: “This site is now under the control of law enforcement.” The operation didn’t disrupt the group’s operation for too long, with the gang launching a new site shortly after the takedown.
But then, on May 6, the authorities updated LockBit’s old site page and announced that they would be revealing the identity of LockBit’s administrator. “Who is LockBitSupp?” read a box on the site, which also included a 24-hour countdown.
When cybersecurity researcher Jon DiMaggio saw the announcement, he immediately wondered: Do the cops have the same guy I have identified?
For the last couple of years, DiMaggio, who is a researcher at the cybersecurity firm Analyst1, had developed a relationship with LockBitSupp — first pretending to be a budding cybercriminal interested in joining the gang, then as himself. And, in the end, DiMaggio was able to figure out LockBitSupp’s real identity before it was publicly revealed by the authorities.
On Friday, in a talk at the hacking conference Def Con in Las Vegas, DiMaggio told the whole story of his relationship with LockBitSupp, detailing how he gained his trust using a made-up persona, and then kept the relationship going even after DiMaggio publicly revealed that he had infiltrated the gang and tricked LockBitSupp into giving up details of the operation to him.
“Our relationship had a bunch of ups and downs,” DiMaggio said during a preview of his presentation, which he gave to TechCrunch ahead of the conference.
At first, DiMaggio explained that he created a series of sockpuppet accounts to approach people who appeared to have direct relationships with LockBitSupp, as well as observe their interactions. The goal during this phase was to create a cybercriminal persona that had some sort of history and connections in the underground, which would make it easier to appear credible when reaching out directly to LockBit and its administrator.
“The important part of this was monitoring those conversations that appeared irrelevant. The ones where they had their guard down, where they were just talking s—t with other hackers. It allowed me to see the things they liked and the things they disliked. It gave me some context into their political views,” said DiMaggio. “All those things that I needed to build before I could engage because if I just went into this, and I started asking questions related to attacks and their operation, it’d be pretty obvious that I was a researcher.”
DiMaggio said his initial attempt to join the gang was rejected, but he kept talking to LockBitSupp, with whom he started to have a direct and friendly relationship. From then on, DiMaggio said he focused on LockBitSupp, cracking jokes with him, casually posing questions about details of his operation, such as questions on different elements and types of attacks, how to choose among them, how to negotiate with victims, and how to establish what’s the right ransom demand depending on the victim company.
Then, in January 2023, DiMaggio wrote a long report about his findings during his undercover research, and essentially burned all his fake cybercriminal personas. DiMaggio said he thought this would be the end of his relationship with LockBitSupp. Instead, the criminal ringleader appeared to have taken it lightly, posting in forums that he wished DiMaggio had shown him on yachts with women, enjoying his life as a high-flying cybercriminal. That, itself, was interesting to DiMaggio.
“The person that I know, while he certainly is motivated by money, he is not a flashy person, he’s not the type of person I would expect to be obsessed with material items,” said DiMaggio. “So there was a vast contrast in his demeanor and persona that he presented on these forums versus the person that I talked to one on one.”
Then, DiMaggio said that LockBitSupp started using his LinkedIn photo as their avatar in hacking forums as a way to poke fun at DiMaggio. “This was very much a cat-and-mouse game, and honestly LockBit loved playing this game with me as much as I loved playing it with them,” said DiMaggio.
At one point in early August of last year, DiMaggio decided to troll LockBitSupp in public. As a joke, he posted on X claiming he was going to release new research into the ransomware group, and that if LockBitSupp wanted to stop him, he could pay him $10 million. He made it seem like he was trying to extort the extortionists. Surprisingly, it seemed like some cybercriminals believed him, and were worried they would be exposed.
“It just goes to show from a psychological aspect, you can really f—k with these guys,” said DiMaggio. “The mental aspect of this operation went much further than anything else that I did.”
Meanwhile, DiMaggio said that LockBitSupp went offline for around twelve days. When he came back, he seemed upset, but didn’t stop communicating with him. Around the same time, LockBit claimed responsibility for a cyberattack against a community hospital that treats children in Chicago, the second attack on a hospital after the one that hit Toronto’s SickKids hospital, another facility for children.
These attacks, DiMaggio said, “really, really pissed me off.” And they almost convinced him to send an angry message to LockBitSupp, telling them to “f—k off,” and that he was coming for them. Eventually, DiMaggio said he decided against sending it, because “you cannot become emotionally invested with your target.”
Then, law enforcement took down LockBit’s website, and at least temporarily disrupted the gang’s operation. DiMaggio said he decided to focus all his efforts on identifying LockBitSupp, putting the word out in the cybercrime underground, and with other researchers, that he was going after the gang’s leader.
“At this point, LockBit knew it, the hunt was on,” said DiMaggio.
And that hunt was facilitated by an anonymous tip that someone sent DiMaggio. The tipster, DiMaggio said, gave him a Yandex email address allegedly owned by LockBitSupp. With that as a starting point, DiMaggio said he was able to unravel the mystery of LockBitSupp’s identity, leading him to someone named Dmitry Khoroshev. But as tantalizing as that finding was, DiMaggio couldn’t be completely sure.
But then, something happened that not even he expected. The authorities updated the seized LockBit website with the intention of revealing LockBitSupp’s identity. DiMaggio said that at this point he reached out to the FBI, with whom he’s had a relationship as a private industry partner, and told them he had identified Khoroshev as the LockBit’s administrator, and he planned to write a report revealing that. The goal, DiMaggio said, was to ask the FBI whether he should wait to publish his report or not.
“If they told me to wait, then there was a pretty good chance I had the right guy. If they told me to do whatever I wanted, then I probably would have still waited because that might have been because I had the wrong guy,” DiMaggio said, who added that the FBI told him to wait.
DiMaggio was on his way to the RSA cybersecurity conference in San Francisco, so “I packed my stuff, flew out to San Francisco, landed, I got to the hotel, and I spent the entire day, the entire night working and writing,” said DiMaggio. “I was writing everything I had on Dmitry. And I was going to wait for this timer to tick down. And when they published it, if we had the same guy, I was going to publish my report.”
When the 24-hour countdown struck zero, as promised, the U.S. Department of Justice accused Dmitry Khoroshev of being LockBit’s mastermind and administrator. At that point, DiMaggio could go live with his own report doxing Khoroshev.
“This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous,” said DiMaggio. “And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn’t.”
DiMaggio even published a message for Khorosehv, as a way to say goodbye and to tell him that he had to dox him before others did.
“LockBitSupp, you are a smart guy. You said it’s not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend,” DiMaggio wrote.
“You have always been real with me, and I want to be real with you. Take your money and go enjoy your life before you end up in a situation where you can’t. Much like REvil, you have pushed things too far. It’s time to move on. I don’t hate you; I hate what you do, and I did not enjoy putting you on blast today because we have known one another for a long time. The truth is if I didn’t do this today, someone else would. I have too much respect for you as an adversary to watch you get picked apart by some clown with an OSINT handbook, which is all it would take now that your identity is known. With our history, it needed to come from me. It’s time to move on,” he wrote.
Since then, DiMaggio said, he hasn’t heard back from Khoroshev.
In talking openly about his operation, DiMaggio said he hopes to show how researchers can find out information about cybercriminals by infiltrating their groups, and not just collecting data from hacks or lurking on forums. But DiMaggio also said that he wants researchers to know that doing what he did could carry consequences, even though, for now, he has only rumors that Khoroshev would like to get retribution, though nothing has happened.
“Nobody gets out of this unscathed,” said DiMaggio, “when you go f—k with criminals like this.”
