Operation Kronos — a joint operation by the UK National Crime Agency, FBI, Europol, and partners across more than ten countries — dismantled LockBit ransomware’s infrastructure in February 2024, seizing 34 servers and more than 200 cryptocurrency accounts and arresting members in Ukraine and Poland, targeting a group that controlled roughly 25% of the global ransomware market.
Stories Covered
Operation Kronos Seizes LockBit’s Infrastructure and Turns Its Own Website Against It
LockBit was not simply one of the larger ransomware groups — it held an estimated 25% of the ransomware market, a share so dominant that no other group came close in the double digits. The US alone documented more than 1,700 victim organizations spanning financial services, food production, schools, transportation, and government. Analysts described it as the Walmart of ransomware: politically neutral, operationally disciplined, and run like a business optimizing for maximum return. LockBit pioneered the ransomware-as-a-service model at scale — affiliates would gain initial access to target networks, deploy LockBit’s tooling to encrypt data and exfiltrate it, and split the ransom with LockBit operators. The gang had accumulated enough operational history that it openly operated a dark web leak site displaying countdown timers next to victim names: when the clock hit zero, stolen data would be published unless the ransom was paid. The site was updated nearly daily.
On February 19, 2024, authorities from the UK NCA, FBI, US Department of Justice, Europol, and agencies in France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland, and Germany announced they had disrupted LockBit’s core infrastructure under Operation Kronos. Law enforcement seized servers running in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK — 34 servers total across the affiliate and operator network. More than 200 cryptocurrency accounts linked to the gang were frozen. The FBI also obtained decryption keys and made them available to LockBit victims to recover encrypted data without paying a ransom. Two Russian nationals were charged with deploying LockBit ransomware tools against companies worldwide. The most tactically pointed move: law enforcement took control of LockBit’s own dark web website and used it against the group — replacing the gang’s victim gallery with a message reading, “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more.” The site then displayed countdown timers — LockBit’s own signature tactic — pointing to a scheduled disclosure of the gang’s internal data rather than victim data.
LockBit’s operators posted on an encrypted messaging app claiming their PHP-based servers had been targeted but that backup servers without PHP remained unaffected. Security researchers from VX Underground shared screenshots confirming the affiliate control panel had been replaced by the law enforcement message. The FBI did not immediately confirm or deny the backup server claim. LockBit had been discovered in 2020 when its malware first appeared on Russian-language cybercrime forums; despite this, the group publicly claimed to be apolitical and located in the Netherlands, motivated purely by financial return. By September 2023, the group had collected at least $300 million in ransoms from more than 1,000 victims. Operation Kronos represented a rare multi-continent coordinated action of sufficient scale to match what LockBit had built — a point that itself illustrates how significant the threat had become before law enforcement moved.
Father-Son Duo Arrested in Ukraine, Warsaw Member Identified in Poland
On February 21, 2024, Ukrainian police announced the arrest of a father and son in Ternopil, western Ukraine, both of whom were identified as LockBit affiliates. The pair had carried out attacks targeting government institutions and corporations in France. Mobile phones and computer equipment used in the attacks were seized. Their arrest came as part of Operation Kronos and was carried out with assistance from a French cyber police unit — France had been a driving force behind the operation after opening its own LockBit investigation in 2020. By the time of the takedown, France had recorded more than 200 LockBit victims within its borders, including hospitals, municipal governments, and businesses. In January 2022, LockBit had publicly claimed on its leak site to have breached French entities — a provocation that accelerated French law enforcement’s push for coordinated international action. In Poland, a 38-year-old Warsaw man was identified and arrested as a LockBit gang member, also with assistance from French cyber police units.
The arrests illustrated how Operation Kronos extended beyond seizing infrastructure to actively targeting the affiliate layer — the operators who did the actual intrusions and ransomware deployments on behalf of LockBit’s core. This matters because ransomware-as-a-service operations are distributed by design: taking down central infrastructure degrades capability, but affiliates with their own access and tooling can rebuild or migrate to a competing platform. The seizure of 200+ cryptocurrency accounts across the network complicated the financial picture for any surviving affiliates. The broader question left open was whether the core LockBit developers — the people who built and maintained the encryption tooling — were among those arrested or whether only affiliates and lower-level members had been taken. If the technical core survived, a rebuild was possible. If not, other ransomware groups — Black Cat being the next largest — would absorb displaced affiliates and market share, though likely with increased caution given the heat Operation Kronos demonstrated law enforcement could bring.
Leave a Reply