Earlier this year, an international coalition of law enforcement agencies made a significant breakthrough by seizing control of the infamous LockBit ransomware gang’s dark web site. The site, which had terrorized companies and institutions globally, was replaced with a familiar message from the authorities: “This site is now under the control of law enforcement.” Although the takedown temporarily disrupted the LockBit ransomware gang’s activities, they quickly launched a new site and resumed operations.

On May 6, however, law enforcement struck again, updating LockBit’s old site with a cryptic announcement: the reveal of the identity of the gang’s administrator. The site displayed a message asking, “Who is LockBitSupp?” accompanied by a countdown timer set to 24 hours.

Cybersecurity researcher Jon DiMaggio, from Analyst1, had spent years investigating LockBitSupp, LockBit’s administrator. DiMaggio’s work involved cultivating a deceptive relationship with the gang by first posing as a cybercriminal, then revealing himself as a researcher. DiMaggio managed to unmask the LockBit mastermind before authorities disclosed his identity.

In an exclusive talk at the Def Con hacking conference in Las Vegas, DiMaggio detailed his undercover efforts, including how he infiltrated the gang and exposed crucial details about LockBit’s operations. “Our relationship had a bunch of ups and downs,” DiMaggio shared. He explained how, after his initial approach to the gang, he used multiple fake personas to study LockBitSupp and his network. By observing casual conversations, DiMaggio was able to gather valuable insights into their operations, personalities, and political views. These small details helped him build a convincing backstory to gain the cybercriminals’ trust.

Despite DiMaggio burning his fake identities after publishing a report in January 2023, LockBitSupp surprisingly remained in contact. LockBit’s leader even humorously trolled DiMaggio by using his LinkedIn photo as an avatar in hacking forums. “It was a cat-and-mouse game,” DiMaggio remarked. “LockBit loved playing this game with me as much as I loved playing it with them.”

Though DiMaggio found amusement in this exchange, his emotions shifted when LockBit claimed responsibility for ransomware attacks on hospitals that treat children, including facilities in Chicago and Toronto. “These attacks really pissed me off,” DiMaggio admitted, though he restrained himself from sending a furious message to LockBitSupp.

In the midst of his investigation, an anonymous tip pointed DiMaggio to a Yandex email address belonging to LockBitSupp, which led him to Dmitry Khoroshev. Though confident in his discovery, DiMaggio reached out to the FBI before going public with Khoroshev’s identity. The authorities, who were on the verge of revealing the same information, advised him to hold off on his report.

When the 24-hour countdown ended, the U.S. Department of Justice officially accused Khoroshev of being the LockBit ransomware gang’s leader. DiMaggio then published his own report, providing detailed information on Khoroshev, including his phone numbers, addresses, and more. “This was my first time doxing somebody,” DiMaggio admitted. “I had too much respect for him as an adversary to let someone else expose him.”

DiMaggio’s investigation serves as a powerful example of how cybersecurity researchers can infiltrate and expose cybercriminals like the LockBit ransomware gang. However, as DiMaggio warns, playing this dangerous game comes with risks. “Nobody gets out of this unscathed,” he stated, cautioning that those who choose to “f—k with criminals” must be prepared for potential retaliation.

By strategically engaging with LockBit and eventually revealing its leader, Jon DiMaggio has demonstrated that persistent cybersecurity research can lead to significant breakthroughs in combating ransomware attacks.