A screenshot of the seized LockBit darknet website. Image Credits: TechCrunch (screenshot)
Jon DiMaggio used sockpuppet accounts, then his own identity, to infiltrate LockBit and gain the trust of its alleged admin, Dmitry Khoroshev.

Earlier this year, an international coalition of law enforcement agencies took control of the dark web site of the infamous ransomware gang LockBit, replacing its content with the now-familiar message from the authorities: “This site is now under the control of law enforcement.” The operation didn’t disrupt the group’s operations for long, with the gang launching a new site shortly after the takedown.

But then, on May 6, the authorities updated LockBit’s original website and announced that they would be revealing the identity of LockBit’s administrator. “Who is LockBitSupp?” read a box on the website, which also included a 24-hour countdown.

When cybersecurity researcher Jon DiMaggio saw the announcement, he immediately wondered: Do the feds have the same guy I have identified?

For the last couple of years, DiMaggio, a researcher at the cybersecurity firm Analyst1, had developed a relationship with LockBitSupp, first pretending to be a budding cybercriminal interested in joining the gang, then as himself. And, in the final stage, DiMaggio was able to figure out LockBitSupp’s real identity before it was publicly revealed by the authorities.

On Friday, in a talk at the hacking conference Def Con in Las Vegas, DiMaggio told the whole story of his relationship with LockBitSupp, detailing how he gained his trust using a made-up persona, and then kept the relationship going even after DiMaggio publicly revealed that he had infiltrated the gang and tricked LockBitSupp into giving up details of the operation to him.

“Our relationship had a bunch of ups and downs,” DiMaggio said during a preview of his presentation, which he gave to TechCrunch ahead of the conference.

At first, DiMaggio explained, he created a series of sockpuppet accounts to approach people who appeared to have direct relationships with LockBitSupp, as well as to observe their interactions. The goal during this stage was to create a cybercriminal persona that had some sort of history and connections in the underground, which would make it easier to seem believable when reaching out directly to LockBit and its administrator.

“The important part of this was monitoring those conversations that appeared irrelevant. The ones where they had their guard down, where they were just talking s—t with other hackers. It allowed me to see the things they liked and the things they disliked. It gave me some context into their political opinions,” said DiMaggio. “All those things that I needed to build before I could engage because if I just dove into this, and I started asking questions related to attacks and their operation, it’d be pretty obvious that I was a researcher.”

DiMaggio said his initial attempt to join the gang was rejected, but he kept talking to LockBitSupp, with whom he began to have a direct and friendly relationship. From then on, DiMaggio said he focused on LockBitSupp, cracking jokes with him, casually posing questions about details of his operation, such as questions on different elements and types of attacks, how to choose among them, how to negotiate with victims, and how to set the right ransom demand depending on the victim company.

Then, in January 2023, DiMaggio wrote a lengthy report about his findings during his undercover investigation, and essentially burned all his fake cybercriminal personas. DiMaggio said he thought this would be the end of his relationship with LockBitSupp. Instead, the criminal ringleader appeared to have taken it lightly, posting in forums that he wished DiMaggio had shown him on yachts with women, enjoying his life as a high-flying cybercriminal. That, itself, was interesting to DiMaggio.

“The individual that I know, while he certainly is motivated by money, he is not a flashy person, he’s not the type of person I would expect to be obsessed with material things,” said DiMaggio. “So there was a huge contrast in his demeanor and persona that he presented on these forums versus the person that I talked to one on one.”

Then, DiMaggio said, LockBitSupp started using his LinkedIn picture as their avatar in hacking forums as a way to poke fun at DiMaggio. “This was very much a cat-and-mouse game, and honestly LockBit loved playing this game with me as much as I loved playing it with them,” said DiMaggio.

At one point in early August of last year, DiMaggio decided to troll LockBitSupp in public. As a joke, he posted on X claiming he was going to release new research into the ransomware group, and that if LockBitSupp wanted to stop him, he could pay him $10 million. He made it seem like he was trying to extort the extortionist. Surprisingly, it seemed like some cybercriminals believed him, and were worried they would be exposed.

“It just goes to show from a psychological aspect, you can really f—k with these guys,” said DiMaggio. “The mental aspect of this operation went much further than anything else that I did.”

Meanwhile, DiMaggio said that LockBitSupp went offline for around 12 days. When he came back, he seemed worried, but didn’t stop communicating with him. Around the same time, LockBit claimed responsibility for a cyberattack against a community hospital that treats children in Chicago, the second attack on a hospital after the one that hit Toronto’s SickKids hospital, another facility for children.

These attacks, DiMaggio said, “really, really pissed me off.” And they almost convinced him to send an angry message to LockBitSupp, telling them to “f—k off,” and that he was coming for them. Eventually, DiMaggio said he decided against sending it, because “you cannot become emotionally invested with your prey.”

Then, law enforcement took down LockBit’s website, and at least temporarily cut off the gang’s operations. DiMaggio said he decided to focus all his efforts on identifying LockBitSupp, putting the word out in the cybercrime underground, and with other researchers, that he was going after the gang’s leader.

“At this point, LockBit knew it, the hunt was on,” said DiMaggio.

And that hunt was facilitated by an anonymous tip that someone sent DiMaggio. The tipster, DiMaggio said, gave him a Yandex email address allegedly owned by LockBitSupp. With that as a starting point, DiMaggio said he was able to unravel the mystery of LockBitSupp’s identity, leading him to someone named Dmitry Khoroshev. But as tantalizing as that finding was, DiMaggio couldn’t be entirely sure.

But then, something happened that not even he expected. The authorities updated the seized LockBit website with the intention of revealing LockBitSupp’s identity. DiMaggio said that at this point he reached out to the FBI, with whom he’s had a relationship as a private industry partner, and told them he had identified Khoroshev as LockBit’s administrator, and that he planned to publish a paper revealing that. The goal, DiMaggio said, was to ask the FBI whether he should wait to publish his report or not.

“If they told me to wait, then there was a pretty good chance I had the right guy. If they told me to do whatever I wanted, then I probably would have still waited because that might have been because I had the wrong guy,” said DiMaggio, who added that the FBI told him to wait.

DiMaggio was on his way to the RSA cybersecurity conference in San Francisco, so “I packed my stuff, flew out to San Francisco, landed, I got to the hotel, and I spent the entire day, the entire night working and writing,” said DiMaggio. “I was writing everything I had on Dmitry. And I was going to wait for this timer to tick down. And when they published it, if we had the same guy, I was going to publish my story.”

When the 24-hour countdown struck zero, as promised, the U.S. Department of Justice accused Dmitry Khoroshev of being LockBit’s creator and administrator. At that point, DiMaggio could go live with his own report doxing Khoroshev.

“This was my first time doxing somebody. And well, they released his name, I released everything else on this guy. I had where he lived, I had his phone numbers, current and previous,” said DiMaggio. “And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn’t.”

DiMaggio even released a message for Khoroshev, as a way to say goodbye and to tell him that he had to dox him before others did.

“LockBitSupp, you are a smart guy. You said it’s not about the money anymore, and you want to have a million victims before you quit, but sometimes you need to know when to walk away. It is that time, my old friend,” DiMaggio wrote.

“You have always been real with me, and I need to be real with you. Take your money and go enjoy your life before you end up in a spot where you can’t. Much like REvil, you have pushed things too far. It’s time to move on. I don’t hate you; I hate what you do, and I did not enjoy putting you on blast today because we have known one another for a long time. The truth is if I didn’t do this today, someone else would. I have too much respect for you as an opponent to watch you get picked apart by some clown with an OSINT handbook, which is all it would take now that your identity is known. With our history, it needed to come from me. It’s time to move on,” he wrote.

Since then, DiMaggio said, he hasn’t heard back from Khoroshev.

In speaking openly about his operation, DiMaggio said he hopes to show how researchers can find out information about cybercriminals by infiltrating their groups, and not just by collecting data from hacks or lurking on forums. But DiMaggio also said that he wants researchers to know that doing what he did could carry consequences, even though, for now, he has only heard rumors that Khoroshev would like to get revenge, and nothing has happened.

“Nobody gets out of this whole,” said DiMaggio, “when you go f—king with criminals like this.”