Zoom in: Unmasking the hackers behind LockBit

LockBit hackers weren't the criminal masterminds that the public may have believed them to be, despite the group's list of high-value victims.
Why it matters: Perceiving ransomware gangs as untouchable villains may make unsuspecting companies freeze up when they're targeted.
- Some may pay the ransom simply out of fear of business losses and to prevent a data leak, believing they may not have the resources to outsmart them.
- After paying, those victims also tend to trust their attackers to uphold their end of the bargain and delete whatever confidential data was stolen — only to have the hackers go back on their word.
The intrigue: Most of the people identified as LockBit members in various indictments were young men looking for big payoffs and street cred. Some of the top members included:
Dmitry Yuryevich Khoroshev, known by the hacker moniker "LockBitSupp," ran the group, according to a May indictment.
- Investigators say Khoroshev sat at the helm since at least September 2019, and he'd often recruit new affiliates after law enforcement took down his rivals.
- Khoroshev, a 30-something living in Russia, also would demand his freelance affiliates show their allegiance in new ways. Once, he even paid individuals $1,000 after they got a tattoo of the LockBit logo.
Ivan Kondratyev, aka "Bassterlord," is a late 20-something man who helped LockBit break into corporate networks.
- According to his indictment, Kondratyev ran his own team of hackers that he called "National Hazard Agency."
- Kondratyev was a ransomware veteran: He had previously been indicted for using ransomware from the now-defunct REvil ransomware gang, and he also worked with the RansomEXX and Avaddon gangs.
- He was 27 years old at the time of the LockBit indictment.
- In the days after the February takedown, a security researcher uncovered a video purportedly of Kondratyev getting one of the famed LockBit tattoos.
Mikhail Vasiliev is one of the few affiliates who was actually arrested and taken into custody.
- He was 33 years old when he was arrested in Canada in late 2022.
- Vasiliev left a file on his computer titled "TARGETLIST," which included the name of a LockBit victim from 2021, according to his indictment. Investigators found this after executing a search warrant.
- Vasiliev also left screenshots on his computer detailing his conversations with Khoroshev on an end-to-end encrypted messaging service.
By the numbers: The U.K.'s National Crime Agency estimates that 194 people used LockBit's services leading up to the February 2024 takedown.
- 148 of them built attacks, but up to 114 of them never made any money from their work, per the NCA.
- Only 69 affiliates were active at the time of the takedown, law enforcement said.
Reality check: Most of these men live in Russia, making an actual arrest unlikely since the U.S. doesn't have an extradition treaty with the Russian government.
- But there's always the chance one of them gets overly confident and leaves the country to go on vacation in a few years.
