How did authorities identify the alleged LockBit boss? (krebsonsecurity.com)
147 points by todsacerdoti 8 days ago | 84 comments

Note that the headline is a question and the article doesn't describe how he was found.

I'd guess that it was as a result of tracing and following the money from information retrieved after the LockBit infrastructure was compromised earlier in the year:


It's likely that UKUSA intelligence assets in Eastern Europe were able to draw a bead on him as the result of increased attention paid to the region over the last two years, and the fact that he's been really successful at making himself known to Western cybersecurity professionals.

That being said, sanctions and polite extradition requests have to have the Russians laughing at this point. These people are waging warfare against critical infrastructure in the US and its allied nations. It's time we take actions that can be counted on to discourage the technically-gifted in Russia from hacking for their government.

What kind of action would you propose?

We have quite a few intelligence assets in the area.

…so you propose killing these people?

Hillary Clinton had the right ideas

Sounds like you are proposing to hit a civilian in a civilian area with missiles carried by a drone. Do I hear you right?

What will you demand to be done when they whack us back?

I don't think a drone attack is necessarily the ideal solution but a "civilian" that shuts down a hospital is a terrorist if they did it on their own and an enemy combatant if they got help from their state.

How is ransoming a hospital's IT terrorism?

The American Heritage dictionary defines terrorism as:

> The use of violence or the threat of violence, especially against civilians, in the pursuit of political goals.

The FBI has two definitions:

> International terrorism: Violent, criminal acts committed by individuals and/or groups who are inspired by, or associated with, designated foreign terrorist organizations or nations (state-sponsored).

> Domestic terrorism: Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.

Where's the pursuit of an ideological goal? These guys are ransomwaring whoever has money and bad security, right? Seems like equal opportunity extortion, rather than terrorism to me.

If your family member were to be killed by a medical mishap resulting from unavailability or corruption of EMR data, you might feel differently.

I don't see how that would make me feel like it was terrorism?

Terrorism isn't just things I don't like. If a group is ransoming whatever IT systems they can, for the purposes of gaining money, it just doesn't feel like terrorism to me. Unless there's some evidence otherwise, it's just extortion.

I don't like extortion, and if I suffered acute harm due to extortion, I'd be more upset, but I still wouldn't try to claim extortion is terrorism.

It's different if the ransomers are demanding that the invasion of Musicland by Bookland be stopped, and targeting infrastructure as way to get their message out, and using ransoms to help the plight of the Musicians.

> I don't like extortion, and if I suffered acute harm due to extortion, I'd be more upset, but I still wouldn't try to claim extortion is terrorism.

That makes you an outlier.

IANAL, but in a number of jurisdictions under common law (including the United States), when a person is killed - in this example, a patient dying because of EMR corruption/unavailability - in the commission of another crime - extortion - it is considered murder under the felony murder doctrine[0].

Now, again, IANAL and the minds of judges and jurors are fickle, but it seems to me if you could prove a relationship between "Guy in Russia locks a Cerner Millennium or Epic Systems database" and "Patient who was in the hospital died because information in database could not be accessed", you could possibly convict them of murder even though they only wanted money out of it, because you could potentially convince the court that as a hacker, the person in Russia should have known that this would necessarily bring about the risk of patient harm. After all, isn't that what makes the EMR worth encrypting to them?

It's also worth noting that terrorist organizations routinely take people hostage to extract ransoms that then get used to finance their operations. The fact that the terrorist organization in this case is likely to be the Russian SVR is immaterial. They are a government under a ton of sanctions and are looking to replenish funds however they can. Cryptocurrency is incredibly useful if you're looking to evade international sanctions.


Sure, it could be murder, that still doesn't make it terrorism. Extortion leading to murder isn't terrorism. If it's coming at the direction or for the benefit of Russia, perhaps it could be espionage or sabotage, but I still don't think it's terrorism. IMHO, Russia is waging a war of aggression / conquest, quite possibly outside the rules of war and international law, but that doesn't really feel like terrorism either.

Offtopic, I also kind of wonder when it becomes murder for the health systems to not protect their IT, but I'm not trying to deflect; that's a question for some other thread.

Can you cite how it's not legally terrorism?

I'm not familiar with all the laws against terrorism, but let's go with this one [1]?

It's not international terrorism (1), because it meets clause A, but not B or C.

It's not domestic terrorism (5), because it meets clause A and C, but not B.

Clause B is the same for both

> B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping;

Ransomware doesn't appear to be intended to do any of those things to me.

Do you have a reference that says this is terrorism?

[1] https://www.law.cornell.edu/uscode/text/18/2331

The guy provided his ransomware as a service. The malware was probably spread by westerners. So he's not the one who shut down a hospital.

You're defending "Terrorism as a Service"

Supplying arms to terrorists is also a crime.

The thing is you start out with knowing what this person did and you reason from that if it is ok to kill him.

But if you whack him, what the international public would see is an American missile in a smouldering crater in some civilian suburb. That is an act of war. And not the shadowy kind which is already happening. That forces the Russians to also react in kind (otherwise they look weak.)

The Russians would also work hard to spread misinformation about what you did. They would say you got the wrong person, or that you got innocent bystanders. Probably both. They would also say it was an extrajudicial killing where the executive played judge, jury, and executioner in one. And you know what? They would be right.

And even if everyone agrees that you got the right person, and he was a bad one, and there was no collateral damage in your initial attack, it can still lead to innocent deaths. Let me tell you about Ukraine International Airlines Flight 752 [1]. What happened is that the US assassinated Major General Qasem Soleimani. Undeniably a military target. Arguably a bad one. Iran in retaliation lobbed some ballistic missiles at a US base. Due to luck nobody died there. All is well, isn’t it? No, not really. The Iranian air defence following their retaliation was understandably on full alert. Somebody panicked, mistook a civilian airliner for an incoming American cruise missile and shot it down. 176 innocent civilians are now dead. It is a tragedy.

Did the US kill those 176 civilians? No they didn’t. The proximal fault lies with the panicking Iranian air defences. But these are the kind of forces you are playing with when you are talking about drone assassinating randoms.

1: https://en.m.wikipedia.org/wiki/Ukraine_International_Airlin...

Same goes for a civilian making bomb threats against others to stop a facet of life they don't like from happening.

> stop a facet of life

Framing ransomware attacks on hospitals as a "facet of life" is a deeply ridiculous statement. You can oppose drone strikes without saying absurd things.

Precisely. They're attacking hospitals. If you're operating a systematic campaign to cause misery, injury, or death to civilians in either war or peacetime, that's a crime against humanity[0]. I'd say locking up the data of a hospital, impeding their ability to treat innocent civilians, counts.

What'd we do with people who committed those crimes during WWII in the name of an expansionist, ultra-nationalist regime?


Civilians are attacking hospitals?

If you have the capability to post on this site, you have the capability to use Google.

My guess is that many of these attackers work at least in cooperation with the Russian government.

It would certainly serve their strategic interests and would align with the Russian Federation’s status as a mafia state. Use criminals to hack opposing countries’ computers, degrading their society. Then, use a cut of the ransom paid to ease the blow of sanctions. In exchange the government gives you more resources to continue your work and provides cover against international law enforcement efforts to stop you.

If those “civilians” would like to avoid Western reprisals for attacking digital infrastructure (particularly the infrastructure that innocent patients need to receive treatment at hospitals), they should cease immediately. Otherwise I have absolutely no problem with handling them like we did Nazis after WWII: hunting them down wherever they are and punishing them for their crimes.

It seems pretty obviously untenable from a "is a big escalation" perspective, especially with a nuclear power. Like neither practical and probably not moral. But especially not practical given that other similar suppliers are Chinese or Israeli firms.

Thinking Russia is not attacking western countries right now is awfully naive

They are not lobbing missiles at civilian houses in western countries. Do you disagree with that?

We have a not-quite ally fighting a war; I'm sure they will take a donation of 10 missiles and one will go off course from a nearby military target [wink wink] and hit this address for us.

Preeeeeetty sure that's a war crime, not that the US is any stranger to those

If it's the Ukrainian military doing the launching and the targets are KGB/FSB or otherwise aiding the Russian government, that's not a war crime. It's hitting a legitimate military target.

But please feel free to snark on the US military; I know that's cheap karma around here.

Only if cyber attacks don't make you an enemy combatant. The line between civilian and military is blurred often intentionally.

No, targeting opposing warfighters (the hackers are certainly such) is not a war crime, even if they attempt to hide among civilian populations. Nor is lying about the specifics of your targeting.

If bombing a hacker's house isn't a war crime, is a Russian missile hitting a mall in LA, because a colonel working in logistics took his kids shopping there also kosher, or..?

I assume the triumphant press release would be something like 'a number of confirmed enemy fighters killed'.

It's always interesting to see warhawks (who have never been the victims of war) do their best to expand the list of who they consider acceptable enemy targets are, with no regard to what this means to them, domestically.

> Russian missile hitting a mall in LA, because a colonel working in logistics took his kids shopping there also kosher

No, because it violates "Proportionality". In this definition, even the very anti-war ICRC admits that it is sometimes necessary to kill civilians to achieve military objectives. https://casebook.icrc.org/highlight/targeting-under-internat... - The law they cite is "expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated".

Where you draw the line is to be litigated. Is destroying the entire apartment block to get a single hacker justified? Probably not. A single-residence home, even if his wife and kids are there? If they're an important enough military target, for sure.

If Russia played nice with the world they would extradite this guy to the courts. Since Russia won't, all that is left is war.

So, you're telling me that the US refusing to extradite a national is, indeed, sufficient justification for another country to start bombing LA?

Or is it one of those 'we make the rules, but we aren't bound by them' things?

It seems pretty obvious that America is playing by the rule of "We have the power, so you're going to do what we say" when it comes to these scenarios. I find it hard to imagine, for example, an assassination on an American official of rank similar to Qasem Soleimani would result in nearly as timid of a response as Iran gave.

The US generally will extradite if your justice system isn't corrupt. There are exceptions, but everyone has them.

Demonstrably false.


> The Act authorizes the president of the United States to use "all means necessary and appropriate to bring about the release of any U.S. or allied personnel being detained or imprisoned by, on behalf of, or at the request of the International Criminal Court".

> This authorization led to the act being colloquially nicknamed "The Hague Invasion Act", as the act allows the president to order U.S. military action, such as an invasion of the Netherlands, where The Hague is located, to protect American officials and military personnel from prosecution or rescue them from custody.

I don't see how your comment contradicts the statement "The US generally will extradite if your justice system isn't corrupt. There are exceptions, but everyone has them."

The fact that there is a US law to prevent US service members specifically from being detained by the ICC specifically, has little bearing on the statement that "The US generally will extradite".

These are the most meaningful exemptions. Sure, it'll extradite petty criminals, but it absolutely won't extradite politically useful[1] criminals, and will absolutely not allow the latter to have a fair trial.

If that's acceptable and civilized behavior, I don't see why you can complain that Russia won't extradite a politically useful[1] criminal.

[1] In the sense that their crimes are furthering the state's geopolitical agenda.

That's a reasonable argument. I think that the response that comes next is "the Russian geopolitical agenda is bad", but that's a separate topic - I think you've convinced me on this point.

There are only three cases in which you can start war legally under international law, and what you propose doesn't match any of them.

Russia illegally has a lot of troops in Ukrainian territory. The war is already started (which shows how useful your international law is)

I don't understand how a hacker that's targeting US infrastructure would be considered an "opposing warfighter" in the context of the Russia-Ukraine war?

You think his targets are limited to the US? A general doesn't have to be assigned to the front to be a valid target.

They are an opposing warfighter in the Russia led global destabilization efforts.

Please go into detail about how this would be implemented, with particular attention to what could go wrong at each stage of the process and what the consequences would be, especially consequences originating from stakeholders who possess nuclear weapons and whose territory you are proposing to exert military force against, and compare the difficulty and expense of implementation in terms of expected value to the magnitude of what might be gained by a successful operation of this kind.

Yes, I mean "you clearly did not think about this and your idea is very, very, very bad."

Appeasing brutes like Russia has a long history of not working.

False dichotomy, there are many responses on the spectrum between 'do nothing' and 'start a war with a nuclear power'.

(Also, what about when we act like brutes? Why do other countries tolerate us? Should they not, like, get together and push back, or something?)

Russia started this war - have you forgotten that they have troops in Ukraine right now?

I seem to have forgotten the part where the US is at war with Russia. Pray tell, what day was it declared? Should I be running for my crazy prepper bunker?

But I'm glad that you mentioned the proxy war that is being fought right now, that's one example of how you can respond to a country's bad behavior without actually starting a war with it. There are many others.

"Appeasing brutes like Russia has a long history of not working" is a true statement that, in this context, does not do any of the work one would like a true statement to do, but it does do much of the work that one would like a statement to do if one were behaving with malice and dishonesty. It collapses the critique it's replying to into an inaccurate summary ("all of the things you said amount to 'appeasing Russia'") and uses a weighted, emotionally loaded verb to do so ("appeasing"). What this response actually says is "all of the problems that sedev pointed out are irrelevant because Russia is bad," and I am not surprised that you didn't say that out loud because when it's said directly, it's obviously wrong.

Do better.

There are a large number of options. Doing nothing is not a valid option. Russia and Ukraine are already at war, which puts all attacks on the table, so Ukraine should be considering this as a message. (It may not be the best use of Ukraine's limited stock of missiles, but the serious threat that Ukraine is looking into it usefully forces Russia to move their defense to defend against this attack.)

Every time there is an article from krebsonsecurity I wonder what, if any, Brian Krebs' opsec is in real life. I mean, I guess that messing with this kind of cybercriminal can actually lead to retaliation/vengeance IRL, no?

He's been targeted numerous times, so presumably his address is widely known. One person who swatted him was subsequently extradited from Italy and jailed. https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-h...

OK but I would actually fear for my own life. People in those circles he pokes at can easily shell out 20k-50k to hire some disposable hitman...

The hit man probably doesn't fancy himself as disposable.

That depends on how desperate for money they are. It can lead to taking more risks than one would usually take.

His judgement in this matter is not the one that matters most.

Can be used as a bait too...

Click Here podcast - 129. LockbitSupp tells us: UK and US have got the wrong guy

"In an interview, LockbitSupp, head of the Lockbit cybercrime operation, told us that the U.S., U.K. and Australia have the wrong guy — he’s not Dmitry Khoroshev, the 31-year-old Russian national they’ve charged with hacking. What’s more, he says more attacks are coming."


Reading an article by Brian always shows me how much information is "out there". Sure, this is cyber security / dark web we are talking about, but there are companies hoarding gigabytes of data that was released or leaked at some point. In this case, sure, that is nice, but it always makes me wonder about the future and how open and public everything is.

> Financial sanctions levied against Khoroshev by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities).

Laughable. The only RU Govt related outcome for him will be recruitment to RU cyber warfare (if he isn't there already) in exchange for keeping his profits.

Now his identity being this public, I don't think he will be able to live a "normal" life anymore. If recruited in exchange for protection, he will need to relocate and get a new identity at a minimum.

What a great opportunity for old school criminals not afraid of using violence to try getting their fair share of the profits.

Snowden seems to live a "normal" life with a quite public identity.

If by normal you mean constant monitoring by multiple intelligence services and free only at the whim of a dictator who will cash him in whenever it is expedient.

But you are missing the point, if Snowden had 100+M USD in crypto he would be in constant danger of being kidnapped.

Given the US sanctions against Russia, why would they aid in stopping him damaging US businesses?

That is literally what RU CW do. I'm saying that, like most RU cyber criminals, he will be recruited to act for the state if he isn't already doing so.

Previous poster did not suggest they would stop him, only that his talents would be redirected.

Why redirect though? He's causing pain to people who refused friendship with the top bully, that might very well be considered good enough. Some baron in the system might be allowed to take a cut.

The latter might actually be related to the "how?": someone could have leaked something to make the guy require more protection.

Getting doxxed like this means that anyone can beat the ever living private key out of his mouth knowing there are millions of dollars in his wallet. With the current economy, there's probably a great motivation to do this too, especially for the mid level authority.

> only RU Govt related outcome for him will be recruitment to RU cyber warfare

Unless he has any specialized skill or his previous infrastructures are still intact, I figure he'd be just as replaceable as any code monkey in any other industry.

Pretty sure he can afford a couple of bodyguards to prevent most of the cases like that.

A couple of bodyguards aren't going to stop someone coming after millions. Hell, the bodyguards themselves might decide they deserve a bigger pay day.

Oh, the FSB will probably stay away then

As far as intelligence agencies go, the treasury department is massively underrated.

Why do people in security think that the Russians are going to finish what the US started and somehow marginalize this chap?

Assuming that US and RU are not allied in the background...

Did I miss it? (The article is dense.) I'm not seeing how the authorities identified him. I see lots of identifying information from disparate sources, which when taken collectively does seem damning. But not how it all got put together, nor any discussion of why now.

I mean the guy offered his own $10m bounty if you could track him down.

I knew back when the Boeing data got out, that it was a fatal mistake and he'd be hunted down. It obviously wasn't easy since the $10m would have been enough incentive for the army of internet super sleuths. I don't care at all about what the bits and pieces are, what I want to know is the HOW. as per the title

Note that the article poses it as a question, indicating that quite literally, Krebs is also wondering how and publicly speculating on the details.

No one knows for sure. There’s no published direct link between the two identities. However, the article identifies years worth of ransom crypto transactions / bank deposits + FBI deep infiltration of LockBit as important advantages.

He messaged Omniscient / "the admin" on a HackForums / another HF clone site, asking about a PII dump with his own personal Gmail being specified, inquiring about GREP help.

When the entire DB leaked, his personal message was the most obvious one.

You all think these people are cyber geniuses, but really, just sufficiently advanced scum bags in socioeconomically-disadvantaged, politically convenient areas to operate these neo-scams.

I went poring through international news while looking for old friends recently, and the utter fear and revulsion the world had against "hackers" 20 years ago is wild to contemplate.

Federal prosecutors were using CFAA against people submitting bug reports against Microsoft products, the news was amplifying things out of control, and the FBI was extraditing foreign citizens over practices that are commonplace to SV business models today.

It's astounding that what amounts to a "hacker mindset" is mere curiosity and reason, and how well it has been stamped out of the general populace.

> Federal prosecutors were using CFAA against people submitting bug reports against Microsoft products,

2me4irl :(
