LockBit’s earnings in the multi-billion-dollar territory – NCA


The UK National Crime Agency (NCA) obtained over 30,000 Bitcoin addresses from LockBit’s systems. Authorities estimate the gang and its affiliates obtained billions of dollars over its four-year existence.

LockBit performed thousands of confirmed ransomware attacks over the gang‘s lifetime, with NCA believing that its impact can be measured “in the multi-billions of dollars globally.”

Operation Cronos, a months-long operation by multiple law agencies worldwide, allowed authorities to obtain a staggering 30,000 Bitcoin wallet addresses from LockBit’s systems.

Over 500 addresses are still active on the blockchain, receiving around £100 million ($127 million), calculated at current bitcoin value. The UK’s South West Regional Organized Crime and Chainalysis analysis shows over 2,200 unspent bitcoins, roughly equal to £90 million ($114 million).

“LockBit-exposed exchange accounts are also being targeted, with hundreds of thousands of USD worth of crypto assets across more than 85 accounts currently restricted by Binance,” the agency said.

NCA believes the hundreds of millions of dollars discovered represent the 20% fee that affiliates paid LockBit to use the gang’s ransomware. Think of it as a subscription fee that cybercriminals pay so they can be part of the gang.

To follow the NCA’s logic, the discovered funds represent only a fifth of the actual ransom money paid to the affiliates. What’s more, these funds are almost certainly only a tiny part of the overall ransoms paid, as the receiving period of the addresses only covers 18 months of LockBit’s crime spree, while the gang has been active for four years.

“Given the confirmed attacks by LockBit over their four years in operation total well in excess of 2,000, this suggests their impact globally is in the region of multi-billions of dollars,” the NCA said.

Earlier this week, authorities crippled LockBit’s operations by compromising the gang’s primary platform and other critical infrastructure.

Thirty-four of the gang’s servers and over 200 cryptocurrency accounts linked to the criminal organization were seized, and arrests were made in Poland and Ukraine. According to Ukrainian authorities, a father and son duo ran LockBit’s operation from Ternopil, a town in Western Ukraine.

Since authorities infiltrated LockBit’s systems and mapped its core activity, decryption keys will be distributed to LockBit’s victims to unlock the data that the criminals encrypted.

The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.