What we know about the international crackdown on LockBit, one of the most dangerous hacker groups in the world


The message displayed on the LockBit group's sites seized by law enforcement. (UK National Crime Agency)

The group, which specializes in data theft combined with ransom demands, was targeted by a joint operation involving ten countries, including France. Two members were arrested and a large amount of data was seized.

A hard blow for one of the most dangerous hacker gangs on the planet. The LockBit group, responsible for several hundred large-scale attacks in France and around the world, was the target of an international police operation that led to the seizure of several of the group's sites on the dark web on Monday, February 19.

The operation, carried out jointly by investigators from several countries including France, also led to the arrest of two of the group's members and the seizure of a large amount of data. Here is what we know about this offensive.

The most active hacker group in the world

LockBit is a group of Russian-speaking hackers that has developed several generations of ransomware of the same name. This malware encrypts the data on the devices of a network, making it unreadable without the matching decryption key, which LockBit claims to provide only in exchange for a ransom. If the victim does not pay, the hackers threaten to publish or resell the stolen data.

In November 2022, the United States described LockBit as “one of the most active and destructive ransomware variants in the world”. In the United States alone, the group has carried out more than 1,700 attacks since 2020, collecting nearly $91 million in ransoms in total, according to a US government agency. More than most groups, LockBit operates like a real business: it rents its malware and infrastructure to other hackers, who carry out the attacks and hand over a percentage of the ransom.

In France, LockBit has been involved in more than 200 attacks, according to the Paris prosecutor’s office, for example against the Corbeil-Essonnes hospital (Essonne) in 2022, with a ransom demand of a million dollars, against La Poste Mobile in July of the same year, and against the Voyageurs du Monde group in June 2023. One of its ransomware strains, which is also used by other criminal groups, may have been used in the cyberattack suffered by the Armentières hospital (Nord) on February 10, as Valéry Rieß-Marchive, editor-in-chief of the specialist site LeMagIT, has explained.

A joint action of ten countries

Around twenty dark-web sites attributed to the group were taken offline or seized during the night of Monday, February 19 to Tuesday, February 20, according to vx-underground, an account specializing in cybersecurity. The LockBit team itself confirmed the seizure of these sites by the FBI, according to the specialist site Zataz.

These pages have all been replaced by the same message in English, announcing that “this site is now under police control”. The seizure was made possible by the joint action of the ten countries taking part in “Operation Cronos”, including the United States, the United Kingdom, France, Germany and Japan.

In a press release published on Tuesday at noon, Europol says it has “disrupted LockBit’s criminal operations at all levels, severely damaging their capacity and credibility”. The European police agency describes an “operation lasting several months”, which led to the takedown of 34 servers in several countries.

The British authorities state in a press release that they obtained the source code of the LockBit platform, as well as extensive information on the group’s capabilities. They also took control of the infrastructure that LockBit affiliates used to carry out their attacks, and of the “wall of shame”, the leak site on which the hackers post the names of their victims, among other things.

Two “actors” of the group have been arrested “at the request of the French judicial authorities”, according to Europol, which specifies that two international arrest warrants and five indictments were also issued by the French and American authorities. More than 200 cryptocurrency wallets linked to LockBit have also been frozen, according to Europol.

To help LockBit victims, the authorities of the countries involved in the operation have also released decryption tools to recover data encrypted by the attacks. They are available free of charge on the No More Ransom portal.

Hackers hit hard, but not yet sunk

The seizure of LockBit’s sites is an extremely severe blow to the group’s operations. These pages were used to display the names of victims, to demand ransoms and to publish the stolen data. The decryption capability the authorities obtained also reduces the consequences of attacks already committed, and of those still to come.

On one of its communication channels, LockBit nonetheless claims to have backup servers that were not affected by the operation, according to vx-underground. But the ordeal is not over for the group: the authorities have hijacked LockBit’s “wall of shame” to announce that additional information will be revealed throughout the week.
