Russian-Israeli National Extradited to U.S. for Role in LockBit Ransomware Conspiracy

Cybercriminal Allegedly Helped Develop One of the World’s Most Devastating Ransomware Groups

A dual Russian and Israeli national, Rostislav Panev, has been extradited to the United States to face charges related to his alleged role as a developer for the LockBit ransomware group—one of the world’s most notorious cybercriminal organizations. Panev, 51, was arrested in Israel in August 2024 following a U.S. provisional arrest request and was transported to the United States, where he made his initial court appearance before U.S. Magistrate Judge André M. Espinosa. Panev has been ordered detained pending trial, according to U.S. Attorney John Giordano.

"No one is safe from ransomware attacks, from individuals to institutions. Along with our international partners, the FBI continues to leave no stone unturned when it comes to following LockBit's trail of destruction. We will continue to work tirelessly to prevent actors, such as Panev, from hacking their way to financial gain," said Acting Special Agent in Charge of the FBI Newark Division Terence G. Reilly.

Allegations Against Panev and the LockBit Ransomware Operation

According to the superseding complaint, court documents, and statements made in court, Panev is accused of serving as a developer for LockBit from its inception in 2019 through at least February 2024. LockBit evolved into one of the most active and destructive ransomware groups in the world, with its members allegedly carrying out attacks on more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.

Victims of LockBit ranged from individuals and small businesses to major multinational corporations, including hospitals, schools, nonprofit organizations, government agencies, and critical infrastructure. The financial impact of these attacks has been estimated at billions of dollars, with the group reportedly extracting at least $500 million in ransom payments from victims.

Panev’s role as a developer allegedly involved designing the LockBit malware code, maintaining the group’s dark web infrastructure, and ensuring that ransomware affiliates could customize and deploy attacks. According to investigators, Panev had access to:

• Administrator credentials for an online repository on the dark web storing multiple versions of the LockBit builder, a tool used by affiliates to generate customized ransomware.
• Source code for LockBit’s StealBit tool, which facilitated data exfiltration from victims’ systems.
• Credentials for the LockBit control panel, an affiliate dashboard maintained on the dark web by LockBit developers.

Additionally, Panev is alleged to have communicated directly with LockBit’s primary administrator, Dmitry Yuryevich Khoroshev, also known by the aliases "LockBitSupp" and "putinkrab".

Financial Transactions and Admissions of Guilt

Between June 2022 and February 2024, Panev allegedly received monthly cryptocurrency payments of approximately $10,000, laundered through illicit mixing services. These payments, totaling over $230,000, were made by LockBit’s primary administrator, Khoroshev.

Following his arrest in Israel, Panev reportedly admitted to authorities that he had worked as a developer, coder, and consultant for LockBit, and that he had been paid in cryptocurrency for his work. He allegedly developed code to:

• Disable antivirus software to allow ransomware to execute undetected.
• Deploy malware across multiple systems connected to victim networks.
• Print ransom demands on all connected printers to notify victims of an attack.
• Write and maintain the LockBit malware code.
• Provide technical guidance to the LockBit group.

International Crackdown on LockBit and Other Suspects

Panev’s extradition follows a major international crackdown on LockBit in February 2024, led by the United Kingdom’s National Crime Agency (NCA), the FBI, and global law enforcement partners. The operation resulted in the seizure of LockBit’s public-facing websites, servers, and dark web infrastructure, significantly disrupting the group’s operations.

The U.S. District of New Jersey has charged seven individuals associated with LockBit, including:

• Dmitry Yuryevich Khoroshev ("LockBitSupp") – Alleged founder and primary administrator of LockBit, currently a wanted fugitive with a $10 million reward for his arrest.
• Mikhail Vasiliev ("Ghostrider") and Ruslan Astamirov ("BETTERPAY") – LockBit affiliates who pleaded guilty in July 2024 to multiple ransomware attacks. They remain in custody awaiting sentencing.
• Artur Sungatov and Ivan Kondratyev ("Bassterlord") – Russian nationals charged with deploying LockBit ransomware. They remain at large.
• Mikhail Matveev ("Wazawaka") – A hacker allegedly responsible for multiple ransomware variants, including LockBit. Matveev is also wanted with a $10 million reward for his arrest.

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program has announced rewards of:

• Up to $10 million for information leading to the arrest and/or conviction in any country of Khoroshev;
• Up to $10 million for information leading to the arrest and/or conviction of Matveev;
• Up to $10 million for information leading to the identification and location of any individuals who hold a key leadership position in LockBit; and
• Up to $5 million for information leading to the arrest and/or conviction in any country of any individual participating or attempting to participate in LockBit.

Information is accepted through the FBI tip website at tips.fbi.gov.

“Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice,” said United States Attorney John Giordano. “Even as the means and methods of cybercriminals become more sophisticated, my Office and our FBI, Criminal Division, and international law enforcement partners are more committed than ever to prosecuting these criminals.”

Victim Assistance and Prevention

Authorities encourage LockBit victims to report incidents to the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. Investigators have reportedly developed decryption capabilities that may help victims recover locked files.

For updates on the prosecution of Panev and other LockBit defendants, victims can visit www.justice.gov/usao-nj/lockbit.

Cybersecurity officials also advise businesses and individuals to review LockBit-related security guidance at StopRansomware.gov.

Panev’s extradition and ongoing prosecutions mark a significant step in dismantling one of the most notorious ransomware groups in recent years. However, with key LockBit figures still at large, law enforcement continues to pursue further arrests and financial sanctions against cybercriminals operating on the dark web.

The charges and allegations contained in the superseding complaint and above-named Indictments are merely accusations, and the defendants are presumed innocent unless and until proven guilty.