Cryptocurrency Fraud , Fraud Management & Cybercrime , Ransomware

Binance Restricts 85 LockBit Crypto Wallets

Authorities Uncover 30,000 LockBit Bitcoin Addresses
Binance Restricts 85 LockBit Crypto Wallets
Some cryptocurrency accounts associated with LockBit are now restricted - but many others aren't. (Image: Shutterstock)

Cryptocurrency trading platform Binance restricted access to 85 accounts as part of an action against the LockBit ransomware affiliates, and authorities estimated that members of the now-defunct ransomware-as-a-service operation had pocketed "hundreds of millions" in ransom.

See Also: OnDemand Panel Discussion | Using Cyber Intelligence for Fraud Prevention

Police from the United Kingdom, the United States, and Europe seized over 35 LockBit servers and replaced the group's dark web data leak page with a seizure notice on Monday. As part of the action dubbed Operation Cronos, police confiscated LockBit source code, affiliate back-end servers and a trove of data (see: Breach Roundup: More Fallout From the LockBit Takedown).

In an update on Friday, authorities said they had identified 30,000 bitcoin wallets linked to the ransomware group as part of an operation conducted with crypto research firm Chainalysis.

The actions resulted in Binance seizing 85 accounts tied to the group, although authorities estimate more than 500 affiliate accounts continue to remain active.

Further analyses of LockBit crypto wallets from July 2022 to this month reveal that the group pocketed hundreds of millions in ransom, nearly 20% of which was paid by LockBit affiliates. Of these, nearly $114 million remain unspent, authorities said on Friday.

"LockBit's activity on the blockchain illustrates its sheer longevity relative to other ransomware-as-a-service strains," Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, said. "Based on LockBit's cryptocurrency activity, we can also corroborate the large numbers of affiliates deploying LockBit," she told Information Security Media Group.

The seizure of bitcoin wallets is the latest in a series of actions taken by law enforcement agencies against the ransomware group. On Thursday, email providers shuttered 14,000 email accounts associated with LockBit affiliates.

Since many affiliates continue to use advanced evasion tactics, crypto experts say identifying and arresting these actors will likely remain a challenge for law enforcement agencies.

Evasion tactics include using mixer services to obscure their profit origin and converting fiat currency to direct "crypto for cash" via unregulated exchanges and cryptocurrency ATMs - practices that often make tracking and blocking their activity difficult and time-sensitive, said Joseph Buckley, director at specialist consultancy firm Control Risks.

In one case Chainalysis observed, LockBit was working with an Iranian ransomware strain and depositing money to an Iranian exchange - likely indicating that it has affiliates working from Iran.

The fact that many LockBit affiliates tend to operate outside the jurisdiction of Western law enforcement agencies could also make arrests difficult - and possibly allow LockBit to regroup, Buckley said.

"Currently, law enforcement have not disclosed any arrests of the core members of LockBit. If this remains the case, in the long term, this takedown is unlikely to have a significant impact on the cybercriminal landscape because LockBit's core members were not arrested," he said.

Koven did not rule out a LockBit reemergence. She said Chainalysis will be monitoring how "LockBit affiliates adapt after the takedown" as well as how other ransomware actors change their operations "in light of the actions taken against LockBit."


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.