Investigating Lockbit’s leader

Predicta Lab
5 min read · May 15, 2024

On May 7, 2024, the Office of Foreign Assets Control (OFAC), along with other American government agencies, revealed several pieces of information about LockBit’s leader, Lockbitsupp. Let’s see what we can find out about him using this information.

It’s OSINT Time!

capture of tweet from @NCA_UK

Our starting point will be the OFAC Specially Designated Nationals (SDN) list. It gives us 2 email addresses linked to Lockbitsupp:
khoroshev1@icloud.com
sitedev5@yandex.ru

Thanks to Predicta Search, we can find a GitHub account and a Notion account linked to these email addresses.

Capture from Predicta Search

The GitHub account is pretty empty, but we can get the following info:
— He uses the username sitedev5
— The account was created at 2020–11–27T11:08:01Z
— The account was last updated at 2021–03–26T15:22:38Z

Capture from Predicta Search

The Notion account gives us a name: Дмитрий Хорошев.

Still using Predicta Search, we can see that khoroshev1@icloud.com appears in the Yandex Food leak. It gives us a new phone number: +79521020220.

Capture from Predicta Search

The phone number is used on Facebook.

Capture from Predicta Search

His open VK profile is also linked to the phone number!

Capture from https://vk.com/d_khoroshev

Our friend also registered multiple sites with his email sitedev5@yandex.ru:
http://pra-vo.com/
http://utepleniedoma.com/
http://junonasonnic.online

The phone number +79521020220 is linked to his Apple account and so is the email khoroshev1@icloud.com.

Pivoting on his profile picture, we can find his old (deleted) VK profile.

Capture from https://vk.com/id195770363

Yes, the king image was his profile picture in 2016! He had also added his real date of birth (according to the SDN list) by 20/11/2016 at the latest.

Capture from https://vk.com/id195770363’s archive

In his current VK profile we have a city: Voronezh.

Capture from https://vk.com/d_khoroshev

Dmitry is the head of Tkaner LLC. Its website, http://tkaner.com, was registered with the email sitedev5@yandex.ru.

It gives us an address:
394026, Voronezh region, city of Voronezh, Voronezh, Moskovsky Ave., 13/1, premises V, rooms 3–6.

Capture from https://www.google.com/maps/@51.6910571,39.1832565,3a,75y,276.42h,112.29t/data=!3m7!1e1!3m5!1sDPb042W98RL5pCzHXZE-Lg!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fpanoid%3DDPb042W98RL5pCzHXZE-Lg%26cb_client%3Dmaps_sv.tactile.gps%26w%3D203%26h%3D100%26yaw%3D0.9496991%26pitch%3D0%26thumbfov%3D100!7i16384!8i8192?entry=ttu

Oh! A user with the username sitedev5, located in Voronezh, Russia, posted a review of his Mercedes-Benz GLE-Class Coupe along with some pictures.

Guess we have his license plate now: o570et, and 136 is the region code for Voronezh Oblast.

Searching for his phone number in Russian leaks gives us a ton of info:

— A new email address: d.horoshev@gmail.com
— 3 phone numbers (2 new): +74732414824, +79521020220, +79673415167

For instance, the Yandex Food leak shows he used to order food from this place in 2022:

Capture from https://www.google.com/maps/@51.7016023,39.1997796,3a,75y,295.48h,110.74t/data=!3m7!1e1!3m5!1s5CkG92cgTynSBtny6kbcrQ!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fpanoid%3D5CkG92cgTynSBtny6kbcrQ%26cb_client%3Dsearch.gws-prod.gps%26w%3D86%26h%3D86%26yaw%3D286.27853%26pitch%3D0%26thumbfov%3D100!7i16384!8i8192?entry=ttu

And from here:

Capture from https://www.google.com/maps/place/51%C2%B040'12.4%22N+39%C2%B011'11.4%22E/@51.6700718,39.18603,350m/data=!3m1!1e3!4m4!3m3!8m2!3d51.6701111!4d39.1865?entry=ttu

The phone number also allows us to find what is probably his old VK account from when he was a teenager in 2009 (14 years old):

Capture from https://vk.com/id59986572

His selfies give us more information about his activities and his whereabouts in the past. As we can see below, he served in the Russian internal troops when he was younger: he is wearing the patch of the VV MVD Internal Troops. According to Wikipedia: “Internal troops [..] are military or paramilitary, gendarmerie-like law enforcement services.”

On April 30, 2018, Dmitry published a selfie on one of his VK accounts. This photo was taken in Sevastopol, approximate location: 44.601125, 33.526193.

Another selfie, published on May 13, 2018, was taken close to a high school in Sevastopol.

Another selfie. No date. Taken at Chersonesus, Sevastopol.

More interestingly, we can find possible traces of Lockbitsupp already dabbling in ransomware in 2015. A user of the forum virusinfo.info called dkhoroshev posted about a Trojan, sharing the files and the price of the decryption key.

But cyberattacks may not be his only hobby: Lockbitsupp, or another user of the pseudonym sitedev5, shared on a Russian blog his interest in the echinacea plant and tips on how to get rid of flies. Who said you can’t be a cyber-crime lord and a gardening enthusiast?

Conclusion

During the writing of the thread at the origin of this publication, we saw many comments mocking Khoroshev’s operational security, and that seems to us a little unfair. Good OPSEC is tough; it is almost impossible for the average person. Like everyone, Khoroshev grew up with computers before cybersecurity was present in everyone’s mind and did what all teenagers did: he posted. Only later did he become the most wanted cyber criminal of his day.
