Earlier this year, an international coalition of law enforcement agencies took control of the dark web site of the notorious ransomware group LockBit, replacing its contents with the now-familiar message from authorities: “This site is now under law enforcement control.” The operation didn't disrupt the group's activities for long, as the group set up a new one soon after it was taken down.
But then, on May 6, authorities updated LockBit's old site page, announcing that they would be revealing the identity of LockBit's administrators. A box on the site read, “Who is LockBitSupp?” and also displayed a 24-hour countdown.
When cybersecurity researcher John DiMaggio saw the announcement, his immediate thought was: “Is this the same guy they're arresting who I identified?”
A screenshot of the seized LockBit darknet website. Image credit: TechCrunch / ScreenshotImage credit: TechCrunch (Screenshot)
DiMaggio, a researcher at cybersecurity firm Analyst1, had been building a relationship with LockBitSupp over the past few years, first posing as a budding cybercriminal interested in joining the gang, then posing as himself, and eventually, DiMaggio was able to uncover LockBitSupp's true identity before it was publicly exposed by authorities.
Speaking at Def Con hacking conference in Las Vegas on Friday, DiMaggio gave the full story of his relationship with LockBitSupp, detailing how he used a fictitious persona to gain their trust and how he maintained the relationship even after publicly revealing that DiMaggio had infiltrated the gang and tricked LockBitSupp into leaking details of its operations.
“Our relationship has had a lot of ups and downs,” DiMaggio said in a preview of his presentation provided to TechCrunch ahead of the conference.
Initially, DiMaggio explained that he created a series of sockpuppet accounts in order to approach people he believed to have direct ties to LockBitSupp and observe their interactions. The goal at this stage was to create a cybercriminal persona with some sort of background and connections in the underground, which would allow him to appear more credible when contacting LockBit and its administrators directly.
“A big part of this job was monitoring seemingly unrelated conversations – conversations where they let their guard down and were just talking nonsense with other hackers. That way I could learn about what they liked, what they didn't like. I could get some context about their political views,” DiMaggio said. “I had to build all of this before I got involved, because if I just jumped in and started asking questions about the attacks and their activities, it would give away that I'm a researcher.”
DiMaggio said he initially tried to join the gang but was rejected. However, he continued to talk with LockBitSupp and developed a direct and friendly relationship with him. From then on, DiMaggio focused on LockBitSupp, cracking jokes and casually asking him questions about the details of his operations, including the different elements and types of attacks, how to choose between them, how to negotiate with victims, and how to set appropriate ransom demands depending on the victim's company.
Then, in January 2023, DiMaggio wrote a lengthy report on what he'd discovered during his undercover operation, essentially burning the entire fake cybercriminal persona to the ground. DiMaggio said he thought that was the end of his relationship with LockBitSupp. But the criminal mastermind seemed to take it lightly, posting on the forum that he wished DiMaggio had shown him on a yacht with the ladies and enjoying life as a big-time cybercriminal. That in itself was interesting to DiMaggio.
“The person I know is certainly motivated by money, but he's not a flashy individual, and I don't think he's obsessed with material things,” DiMaggio said, “so there was a big difference between the attitude and persona he presented in these forums and the person I actually spoke to in person.”
DiMaggio said LockBitSupp then began using his LinkedIn photo as an avatar on hacking forums to make fun of him. “It was really a game of cat and mouse, and honestly, LockBit loved playing this game with me and I loved playing this game with them,” DiMaggio said.
At some point in early August last year, DiMaggio decided to publicly attack LockBitSupp. As a joke, he posted to X that he was going to publish new findings on a ransomware group and would pay LockBitSupp $10 million if they wanted to stop him. He made it look like he was trying to extort money from extortionists. To his surprise, some cybercriminals believed him and seemed worried about being exposed.
“From a psychological standpoint, it just shows you we can really beat these guys,” DiMaggio said. “The mental aspect of this operation was bigger than anything I've ever done.”
Meanwhile, LockBitSupp was offline for about 12 days, DiMaggio said. When it returned it seemed shaken, but it continued to communicate with DiMaggio. Around the same time, LockBit claimed responsibility for a cyberattack on Children's Community Hospital in Chicago, the second such attack on a hospital after one that hit Children's Hospital in Toronto.
DiMaggio says the attacks made him “really, really angry,” and prompted him to send angry messages to LockBitSupp, yelling “fuck you” and almost telling them he was going to launch an attack. Eventually, DiMaggio says he stopped sending the messages because “you can't empathize with the targets.”
Security researcher John DiMaggio. Image credit: Courtesy/Bryce Durbin/TechCrunch
Police subsequently shut down LockBit's website, at least temporarily halting the gang's activities. DiMaggio said he decided to focus all his efforts on identifying LockBitSupp and letting the cybercrime underground know that he and other researchers were pursuing the gang's leaders.
“At this point, Rockbit knew the pursuit had begun,” DiMaggio said.
The search was spurred by an anonymous tip someone sent to DiMaggio, who gave him a Yandex email address that supposedly belonged to LockBitSupp. Using that as a starting point, DiMaggio unraveled the mystery of LockBitSupp's true identity, tracing it to a man named Dmitry Khoroshev. But as fascinating as his findings were, DiMaggio wasn't entirely convinced.
But then something happened that even he didn't expect: the authorities updated the LockBit website they had seized to reveal the identity of LockBitSupp. At this point, DiMaggio contacted the FBI, with whom he has a private industry partnership, to let them know that they had identified Khoroshev as the administrator of LockBit and that they intended to write a report revealing this. The goal, DiMaggio said, was to ask the FBI whether they should wait for the report to be made public.
“If they told me to wait, there was a pretty good chance that I got the right guy. If they told me to do whatever I wanted, I probably would have still waited, because it might have been that I got the wrong guy,” DiMaggio said, adding that the FBI told him to wait.
DiMaggio was on his way to the RSA cybersecurity conference in San Francisco, so “I packed my bags, flew to San Francisco, landed, got to my hotel, and spent the whole day, the whole night working and writing,” DiMaggio said. “I was writing everything I knew about Dmitry, and I was going to wait for the timer to go off, and then once they published it, if I found the same person, I was going to publish my report.”
As promised, when the 24-hour countdown hit zero, the US Department of Justice indicted Dmitry Khoroshev as the mastermind and administrator of RockBit, at which point DiMaggio was able to publish his own report exposing Khoroshev's personal information.
“This was my first experience doxxing somebody, and then they released his name and they released all the other information on this guy. I had his address, his current phone number, his previous phone number,” DiMaggio said. “And I had his legitimate phone number, before he was indicted, so it was really hard to call this guy and see if I was the right person, and I wasn't.”
DiMaggio even made his message to Holosev public as a way of saying goodbye and letting him know he had to reveal his personal information before others did.
“LockBitSupp, you're a smart man. It's not about the money anymore, I said I'd stop after a million casualties, but sometimes you need to know when to walk away. The time is now, my old friend,” DiMaggio wrote.
“You have always been honest with me and I want to be honest with you. Have money and enjoy life before you find yourself in a situation where you can't do that anymore. Like REvil, you have gone too far and it's time to move on. I don't hate you, I hate what you are doing. I didn't enjoy calling you out today because we have known each other for a long time. The truth is, if I didn't do this today, someone else would. I respect you too much as an enemy and would hate to see you ripped apart by a clown with an OSINT handbook. Now that we know your identity, that is enough. Given our history it needed to come from me. It's time to move on,” he wrote.
DiMaggio said he hasn't heard back from Khoroshev since then.
DiMaggio spoke openly about his work, saying he wanted to show how researchers can find out information about cybercriminals by infiltrating their groups, not just by collecting data from hacks and infiltrating forums. However, DiMaggio also said he wanted researchers to know that there could be consequences for what they do, although so far nothing has happened – there are only rumors that Khoroshev wants retribution.
“When you deal with these criminals, no one gets away with it,” DiMaggio said.