Dmitry Yuryevich Khoroshev (Russian: Дмитрий Юрьевич Хорошев), known on cybercrime forums as LockBitSupp, is a 31-year-old Russian national publicly identified on 7 May 2024 by U.K., U.S., and Australian law enforcement as the developer and chief operator of the LockBit ransomware franchise — for most of 2022 and 2023 the world's dominant ransomware-as-a-service operation.
Identification
The U.K.'s National Crime Agency led the unmasking as part of Operation Cronos, which had seized LockBit's infrastructure in February 2024. The NCA, FBI, and AFP simultaneously released photographs of Khoroshev, his date of birth (17 April 1993), residence in Voronezh, Russia, and crypto wallet addresses linked to his operation.
The indictment from the U.S. Department of Justice (D.N.J.) lists 26 counts against him, including conspiracy to commit fraud, extortion, intentional damage to a protected computer, and use of an interstate facility for extortionate threats. Maximum statutory penalties total 185 years.
LockBitSupp's persona was unusually high-profile for an underground operator — granting interviews, running bug-bounty programs on his own code, and engaging in public exchanges with security researchers. The unmasking demonstrated that operational security weaknesses (cryptocurrency clustering, infrastructure billing trails, and operator-side mistakes in payment processing) made attribution feasible even for a notoriously cautious threat actor.
Sanctions and bounty
On the same day as the unmasking:
- U.S. OFAC added Khoroshev to the Specially Designated Nationals list, freezing any U.S.-jurisdiction assets and prohibiting U.S. persons from transacting with him.
- U.K. OFSI (Office of Financial Sanctions Implementation) issued parallel sanctions.
- The EU Council designated him under the EU cyber sanctions regime.
- The U.S. State Department announced a $10 million reward under the Transnational Organized Crime Rewards Program for information leading to arrest or conviction.
Khoroshev remains in Russia and is presumed beyond the reach of extradition.
Attributed incidents
LockBit affiliates ran intrusions; Khoroshev's role was to maintain the encryptor, the leak site, and the affiliate program. He shares attribution for every catalogued LockBit incident in this dataset.
Why it matters
Khoroshev is the first ransomware franchise developer unmasked while still operating. The Cronos disclosure was structured to maximize reputational damage to the brand — making LockBit unappealing to current and future affiliates regardless of whether Khoroshev himself ever faces a courtroom. Affiliate defection (to RansomHub and Akira primarily) was observable in the months following May 2024.