An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.
While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group’s .onion website displays a seizure banner containing the message “The site is now under the control of law enforcement.”
Authorities from 11 countries, including Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the U.K., and the U.S., alongside Europol participated in the joint exercise.
Malware research group VX-Underground, in a message posted on X (formerly Twitter), said the websites were taken down by exploiting a critical security flaw impacting PHP (CVE-2023-3824, CVSS score: 9.8) that could result in remote code execution.
Law enforcement agencies also left on a note on the affiliate panel, stating they are in possession of the “source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more,” adding it was made possible due to LockBit’s “flawed infrastructure.”
LockBit, which emerged on September 3, 2019, has been one of the most active and notorious ransomware gangs in history, claiming more than 2,000 victims to date. It’s estimated to have extorted at least $91 million from U.S. organizations alone.
According to data shared by cybersecurity firm ReliaQuest, LockBit listed 275 victims on its data leak portal in the fourth quarter of 2023, dwarfing all its competitors.
There is no word as yet of any arrest or sanctions, but the development is a definite blow to LockBit’s near-term operations and arrives two months after the BlackCat ransomware operation was dismantled by the U.S. government.
The coordinated takedown also coincides with the arrest of a 31-year-old Ukrainian national for gaining unauthorized access to Google and online bank accounts of American and Canadian users by deploying malware and selling access to other threat actors on the dark web for financial gain.
