As part of a larger plan to gather intelligence and stop cybercrime from within, security researchers are actively pursuing and even infiltrating the groups that commit cybercrimes. To win the trust of cybercriminals, they frequently adopt a James Bond image, fabricating identities and conducting covert operations. Here is the account of one such investigator.
Cybersecurity expert Jon DiMaggio has uncovered the mysterious boss of the infamous LockBit ransomware group in a story that reads like a contemporary cyber thriller. Under the guise of a cybercriminal, DiMaggio managed to penetrate the inner ring of the gang and identify its leader, Dmitry Khoroshev, before the authorities could make his identity public. This remarkable operation, which DiMaggio detailed at Def Con, is a tale involving tactical deception as well as the psychological toll that such a game can take.
DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet identities to make contact with people associated with LockBitSupp, Khoroshev's online identity. By monitoring chats and learning about the gang's culture and preferences, DiMaggio was able to build a realistic cybercriminal persona. Despite his initial refusal to join the group, DiMaggio stayed in contact with LockBitSupp and developed a close connection. He engaged in informal chats, enquiring about the gang's operations and strategies.
DiMaggio published a report on his discoveries in January 2023, detailing his infiltration, which burned his fictitious personas. Surprisingly, LockBitSupp took it lightly, even joking about it in forums, which piqued DiMaggio's interest.
The relationship turned into a friendly rivalry, with LockBitSupp utilising DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also mocked the gang by trying to extort them, which raised concerns among several cybercriminals.
During this time, DiMaggio noticed that LockBitSupp went missing for roughly 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit claimed responsibility for a cyberattack on a Chicago children's hospital, their second after targeting Toronto's SickKids.
These activities frustrated DiMaggio so much that he nearly sent an angry message to LockBitSupp, expressing his intention to pursue him. However, the researcher eventually decided against it.
After law enforcement took down LockBit's website, DiMaggio focused on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which let him track down Dmitry Khoroshev.
Unexpectedly, the police updated the seized LockBit website, declaring their intention to divulge the name of LockBitSupp, the administrator.
At this point, DiMaggio, who had established a working relationship with the FBI as a private-sector partner, contacted them to say that he had identified Khoroshev as LockBit's administrator. DiMaggio intended to prepare a report on his findings and asked the FBI for advice on whether he should postpone publishing it. He reasoned that if the FBI told him to wait, it would probably corroborate that he had identified the right person.
The FBI did recommend that he wait.
As the Department of Justice prepared to divulge LockBitSupp's name, DiMaggio completed his report. Eventually, the DOJ named Dmitry Khoroshev as LockBit's head, allowing DiMaggio to reveal his own detailed findings.
"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio stated. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't."
DiMaggio sent Khoroshev a note telling him to call it quits from malicious activities.
"LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote.
Since then, DiMaggio has not heard from Khoroshev. Despite the fact that nothing has happened, he has heard rumours that Khoroshev seeks payback.