Global Law Enforcement Raid Seizes Darknet Domains Associated with the LockBit Ransomware

In the most recent of a long line of digital takedowns, many darknet domains run by LockBit, one of the most active ransomware gangs, have been seized as a result of an international law enforcement investigation.

The full scope of the effort, code-named Operation Cronos, is currently unknown. However, accessing the group's ".onion" website brings up a seizure banner with the words "The site is now under the control of law enforcement."

The collaborative exercise involved Europol and authorities from 11 countries: Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom, and the United States.

In a message shared on X (formerly Twitter), the malware research organization VX-Underground claimed that the websites were brought down by exploiting a serious security flaw affecting PHP (CVE-2023-3824, CVSS score: 9.8) that could lead to remote code execution.

Additionally, law enforcement agencies left a note on the affiliate panel claiming to have the "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," and that LockBit's "flawed infrastructure" made it possible for them to obtain this information.

Since its formation on September 3, 2019, LockBit has claimed over 2,000 victims, making it one of the most active and well-known ransomware groups in history. It is believed to have extorted at least $91 million from American organizations alone.

Data from cybersecurity company ReliaQuest indicates that in the fourth quarter of 2023, LockBit listed 275 victims on its data leak portal, far more than any of its rivals.

The development is a clear blow to LockBit's near-term operations and comes two months after US authorities dismantled the BlackCat ransomware organization. As of right now, there has been no word of any arrests or sanctions.

In addition to the coordinated takedown, a 31-year-old Ukrainian national was arrested for using malware to gain unauthorized access to Google and online bank accounts belonging to American and Canadian customers. He then sold that access to other threat actors on the dark web in exchange for money.