Lockbit Ransomware Developer Extradited to US in Global Crackdown

The U.S. Department of Justice (DOJ) announced on March 14 that Rostislav Panev, a dual Russian and Israeli citizen, has been extradited to the United States to face charges for his alleged role as a developer for the Lockbit ransomware group.

A Lockbit ransomware developer has been extradited to the U.S. and admitted to coding and consulting for the cybercriminal group in exchange for cryptocurrency payments.

The U.S. Department of Justice (DOJ) announced on March 14 that Rostislav Panev, a dual Russian and Israeli citizen, has been extradited to the United States to face charges for his alleged role in developing the Lockbit ransomware. The 51-year-old developer was arrested in Israel in August following a U.S. provisional arrest request and appeared in Newark before U.S. Magistrate Judge André M. Espinosa, where he was detained pending trial.

According to court documents, Panev worked as a developer for Lockbit from its inception in 2019 until February 2024. He allegedly contributed to the development of malware used by affiliates to disable antivirus software, encrypt victim networks, and spread ransomware across multiple devices. Authorities discovered administrator credentials on Panev’s computer linked to Lockbit’s dark web repositories and control panel. The DOJ elaborated:

The primary Lockbit administrator made a series of transfers of cryptocurrency, laundered through one or more illicit cryptocurrency mixing services, of approximately $10,000 per month to a cryptocurrency wallet owned by Panev. Those transfers amounted to over $230,000 during that period.

Following his arrest, Panev reportedly admitted his role in Lockbit’s operations, with the DOJ stating: “Panev admitted to having performed coding, development, and consulting work for the Lockbit group and to having received regular payments in cryptocurrency for that work, consistent with the transfers identified by U.S. authorities.”

Panev’s extradition is part of a broader international effort to dismantle Lockbit, which was significantly disrupted in February 2024 by a multinational law enforcement operation. Authorities seized Lockbit’s servers and public-facing websites, severely impacting its ability to conduct ransomware attacks.

Several affiliates, including Mikhail Vasiliev and Ruslan Astamirov, have already pleaded guilty in New Jersey, while key figures like Lockbit’s primary administrator, Dmitry Yuryevich Khoroshev, remain at large. The U.S. Department of State is offering up to $10 million in rewards for information leading to the arrests of Lockbit leaders. Victims of the ransomware group are encouraged to report incidents to law enforcement, as decryption tools may be available to restore affected systems.