The United States has charged a Russian Israeli dual citizen over alleged involvement with the Lockbit ransomware group, the Justice Department said Friday.
Rostislav Panev, 51, was arrested in Israel in August and is awaiting extradition to the United States, the department said.
Panev was a developer at Lockbit from its inception in 2019 until at least February 2024, during which time the group grew into "what was, at times, the most active and destructive ransomware group in the world," the department said.
"The Justice Department's work going after the world's most dangerous ransomware schemes includes not only dismantling networks but also finding and bringing to justice the individuals responsible for building and running them," Attorney General Merrick Garland said in a statement.
Lockbit and its malware were linked to attacks on more than 2,500 victims in at least 120 countries around the world, according to the department, including small businesses and large multinationals, hospitals, schools, critical infrastructure, government and law enforcement agencies.
Lockbit was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums.
It operated a ransomware-as-a-service operation, in which a core group of developers and administrators worked with affiliates who carried out attacks. Extortion proceeds were split among the parties involved.
Lockbit and its affiliates extorted at least $500 million in payments from victims, according to the Justice Department, as well as causing significant costs from lost revenue and incident response and recovery.
The arrest followed two guilty pleas in July from a pair of Russian members of the Lockbit gang — Ruslan Astamirov and Mikhail Vasiliev — and the seizure in February of numerous Lockbit websites by Britain's National Crime Agency, the FBI and other international law enforcement agencies.
Lockbit reappeared online not long after the seizure, defiantly saying: "I cannot be stopped." But law enforcement officials and experts say the bust helped damage the gang's standing in the cybercriminal underworld.
Government actions "have proven incredibly effective at dismantling and discrediting" Lockbit as a brand and bringing the group's volume of attacks down precipitously, said Jeremy Kennelly, a cybersecurity analyst with Google owner Alphabet.
Affiliates and others working with the group may have shifted to collaborating with other gangs, Kennelly said, but the crackdown has been "critical to ensuring that ransomware and extortion are seen as crimes for which there are consequences."