
Hack the hacker: How LockBit's ransomware empire crumbled

In 2024, law enforcement took down one of the cyber world's most ruthlessly efficient ransomware groups: LockBit.


Tyler Moffitt

October 09, 2025


In 2024, the cybersecurity world witnessed something extraordinary: law enforcement did not just chase a ransomware group, they beat it at its own game. LockBit, once the most prolific ransomware operation in the world, found itself staring down the same kind of ticking countdown timer it had used to terrify thousands of victims. This time, the clock was counting down to its own takedown.

The rise and reign of LockBit

LockBit first appeared in 2019 under the name “ABCD ransomware” before evolving into a professionalized criminal enterprise. Built on an affiliate model, LockBit shared ransom profits with independent partners who executed attacks using its tools and infrastructure.

By the early 2020s, the group had become a dominant force in the ransomware economy. Their operations targeted corporations, hospitals, and governments across the globe, using a mix of custom data-theft utilities and highly organized extortion tactics. LockBit ran like a corporation itself, maintaining dark web leak sites, publishing press releases, and even running a “bug bounty” program for hackers to improve their malware.

Their professionalism, combined with ruthless efficiency, earned them both respect and fear inside the cybercriminal underground, and landed them on our Nastiest Malware list three years in a row.

Operation Cronos: Turning the tables

On February 19, 2024, that empire began to crumble. In an unprecedented effort known as Operation Cronos, law enforcement agencies from ten countries, led by the UK’s National Crime Agency with support from Europol, the FBI, and others, seized LockBit’s servers and digital assets.

The scale was staggering. Authorities dismantled infrastructure across multiple nations, recovered thousands of decryption keys, froze cryptocurrency wallets, and disrupted the group’s entire command-and-control network.

What made this operation remarkable was its psychological precision. Instead of quietly taking down the leak sites, investigators replaced them with law enforcement banners styled exactly like LockBit’s own ransom pages, complete with countdown timers ticking toward official press conferences rather than ransom deadlines. It was poetic justice and a clear message: the hunters had become the hunted.

The art of digital trolling

The takedown was not just technical. It was psychological warfare. Law enforcement did not simply erase LockBit’s presence; they humiliated it.

Authorities published evidence from seized systems directly on LockBit’s former leak portals, exposing internal communications, affiliate details, and proof that the group had lied to its own partners. Despite promises to delete stolen data after payments, investigators revealed that LockBit had secretly kept it all.

For affiliates, that revelation was devastating. The brand that once symbolized reliability in the criminal world now looked untrustworthy and broken. Within weeks, splinter groups began to form, each claiming to be the true successor, but none gaining the same momentum.

The human behind the machine

In May 2024, the investigation reached its climax when authorities publicly identified Dmitry Yuryevich Khoroshev, known online as LockBitSupp, as the group’s leader. The 26-count indictment accused him of overseeing LockBit’s operations, managing affiliates, and personally profiting from extortion payments.

Alongside the criminal charges came international sanctions, financial freezes, and a reward of up to 10 million dollars for information leading to his arrest. These actions effectively made it illegal for organizations in many Western countries to pay LockBit ransoms, cutting off the group’s primary source of income.

For a criminal who built an empire on anonymity, being unmasked was the ultimate defeat.

When the hackers got hacked

If Operation Cronos marked the beginning of LockBit’s end, what came next all but sealed it. In May 2025, unknown attackers breached what was left of LockBit’s infrastructure and replaced their internal dashboards with the message:

“Don’t do crime, CRIME IS BAD xoxo from Prague.”

The attackers then leaked a massive database containing Bitcoin addresses, negotiation transcripts, and stolen affiliate credentials. The leak offered investigators a rare look inside the mechanics of a ransomware business, from ransom negotiations to wallet activity, and confirmed that LockBit’s once-formidable empire had splintered under the combined weight of law enforcement and betrayal.

Fragmentation and fallout

Following the takedown, the broader ransomware landscape fractured. Many affiliates who once relied on LockBit’s brand and infrastructure migrated to smaller groups or launched their own operations.

New names began to dominate headlines, but none commanded the same scale or cohesion. Law enforcement agencies noted that while ransomware incidents continued, coordination among criminals declined. The trust that once made large-scale ransomware-as-a-service operations so effective had been permanently shaken.

LockBit’s comeback: The ongoing threat

Despite the unprecedented disruption of its infrastructure and leadership, LockBit is once again making headlines with its latest attempt at revival. In September and October 2025, multiple cybersecurity advisories confirmed the arrival and active deployment of LockBit 5.0, a new variant considered the group’s most technically sophisticated release to date.

LockBit 5.0 features enhanced evasion techniques, broader targeting across Windows, Linux, and ESXi environments, and faster encryption speeds. Analysts warn that the group has begun recruiting new affiliates and rebuilding its network, demonstrating both resilience and determination. Warnings issued to critical sectors, including healthcare, highlight an uptick in targeted attacks using this latest version and encourage organizations to heighten their defenses.

This resurgence is a reminder that even the most celebrated takedowns are milestones, not endings. LockBit’s renewed activity reinforces the need for continuous vigilance, rapid intelligence sharing, and persistent countermeasures. For defenders, it underscores a lasting truth: flipping the script against ransomware requires not just success, but sustained effort and adaptation.

Lessons for defenders

LockBit’s collapse and attempted comeback offer clear lessons for defenders and policymakers alike:

  • International coordination works. The success of Operation Cronos proved that when agencies share intelligence and act together, even the most sophisticated criminal networks can be disrupted.
  • Cutting off the money hurts most. Freezing wallets and imposing sanctions proved more damaging than any single technical action.
  • Exposure breaks mystique. Naming Khoroshev publicly destroyed LockBit’s aura of invincibility and sent a powerful message to other operators.
  • Persistence is essential. The reappearance of LockBit 5.0 shows that while disruption matters, long-term resilience demands ongoing collaboration.

A turning point in the ransomware war

The takedown of LockBit marked a milestone in global cyber enforcement. For the first time, a major ransomware empire was not only disrupted but dismantled, humiliated, and exposed. The same countdown clocks that once terrorized victims now serve as symbols of accountability.

LockBit’s story is a reminder that even in the digital underground, no one is untouchable. When law enforcement adapts, collaborates, and matches criminals’ ingenuity, the balance of power can shift.

The war against ransomware is far from over, but Operation Cronos proved that defenders can take back control, one takedown at a time.



Tyler Moffitt

Tyler Moffitt is a senior threat research analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.