Through the looking glass: Security researchers are increasingly taking the fight to cybercriminals, actively tracking down and even infiltrating their groups – the trend is part of a broader strategy to gather intelligence and disrupt cybercriminal activities from within. They'll often go full James Bond, creating fake personas and engaging in undercover operations to gain the trust of cybercriminals. This is the story of one such researcher.
In a tale that reads like a modern-day cyber thriller, cybersecurity researcher Jon DiMaggio successfully unmasked the elusive leader of the notorious LockBit ransomware gang. By adopting a fake cybercriminal persona, DiMaggio infiltrated the gang's inner circle, ultimately identifying its mastermind, Dmitry Khoroshev, before law enforcement could publicly reveal his identity. This daring operation, which DiMaggio revealed at Def Con, is a tale of strategic deception as well as the psychological toll such a game can take.
DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet accounts to interact with individuals connected to LockBitSupp, the online alias used by Khoroshev. DiMaggio was able to develop a credible cybercriminal persona by monitoring conversations and understanding the gang's culture and preferences.
Despite initially being rejected when he asked to join the gang, DiMaggio maintained communication with LockBitSupp, developing a friendly rapport. He engaged in casual conversations, asking questions about the gang's operations and tactics.
In January 2023, DiMaggio published a report on his findings, revealing his infiltration and burning his fake personas. Surprisingly, LockBitSupp took this lightly, even joking about it in forums, which intrigued DiMaggio.
The relationship evolved into a playful rivalry, with LockBitSupp using DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also trolled the gang by pretending to extort them, which caused concern among some cybercriminals.
#LockBit, You have until 15 August to pay $10 million for my research conducted to infiltrate and identify the secrets you have been hiding. ALL AVAILABLE DATA WILL BE PUBLISHED! (in the #Ransomware Diaries Vol 3 -LockBit's Secrets!) It's time to pay! pic.twitter.com/SAKty4SD6n
– Jon DiMaggio (@Jon__DiMaggio) August 3, 2023
During this period, DiMaggio noted that LockBitSupp disappeared from the scene for about 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit took responsibility for a cyberattack on a children's hospital in Chicago, marking their second hospital attack after targeting Toronto's SickKids hospital.
These actions deeply frustrated DiMaggio, almost prompting him to send an angry message to LockBitSupp, declaring his intent to pursue him. However, the researcher ultimately refrained.
After LockBit's website was taken down by law enforcement, DiMaggio concentrated on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which helped him trace the identity to Dmitry Khoroshev.
Unexpectedly, the authorities updated the seized LockBit website, announcing their intention to reveal the identity of its administrator, LockBitSupp.
At this point, DiMaggio, who had developed a working relationship with the FBI as a private industry partner, contacted them to report that he had identified Khoroshev as the administrator of LockBit. DiMaggio planned to write a report on his findings and sought the FBI's advice on whether he should delay publishing it. He reasoned that if the FBI advised him to wait, it would likely confirm he had identified the correct individual.
The FBI advised him to wait.
As the Department of Justice prepared to reveal LockBitSupp's identity, DiMaggio finalized his report. Eventually, the DOJ named Dmitry Khoroshev as LockBit's leader, allowing DiMaggio to release his own detailed findings.
"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio told TechCrunch. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't."
DiMaggio published a message to Khoroshev, advising him to retire from cybercrime.
"LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote.
DiMaggio hasn't heard from Khoroshev since. But he has heard rumors that Khoroshev wants retribution, though nothing has happened.
"Nobody gets out of this unscathed," said DiMaggio, "when you go f – k with criminals like this."