LockBit Currently Holds Over $110 million in Bitcoin it Hasn’t Spent
The LockBit ransomware syndicate has accumulated more than $125 million in ransom payments over the past 18 months, according to an analysis of numerous cryptocurrency wallets linked to its operations.
In the aftermath of Operation Cronos, which targeted LockBit, the National Crime Agency (NCA) in the U.K., in collaboration with blockchain analysis firm Chainalysis, identified over 500 cryptocurrency addresses that the group often used.
Post-LockBit Takedown Financial Insights
After infiltrating LockBit’s infrastructure, law enforcement agencies gained access to 30,000 Bitcoin addresses utilized by the group to manage their ransom proceeds.
Among these addresses, over 500 were active on the blockchain, having received more than $125 million in ransom payments between July 2022 and February 2024, based on current Bitcoin valuation.
The investigation revealed that more than 2,200 BTC, equivalent to over $110 million at the present exchange rate, remained unspent at the time of LockBit’s disruption.
LockBit Funds Constituents
According to a statement from the NCA, “these funds represent a combination of both victim and LockBit payments,” with a significant portion of the sum constituting the 20% fee paid by affiliates to the ransomware developers.
This implies that the total sum paid by victims to avert data leaks is substantially higher than the disclosed figure. The agency also emphasized that the threat actor did not consistently delete or fully eradicate stolen data, even after the ransom was paid.
Law enforcement authorities assert that the amounts uncovered during the investigation suggest that the actual ransom sums amount to hundreds of millions of dollars.
It is noteworthy that these staggering figures only account for 18 months of LockBit’s cybercriminal endeavours.
“Given that LockBit’s confirmed attacks span over four years, totalling well over 2,000, this indicates that their global impact amounts to the realm of multi-billion dollars,” noted the UK’s National Crime Agency.
Nearly four years in Operation
LockBit, initially known as ABCD when it emerged in September 2019, primarily targeted prominent organizations such as Boeing, the UK Royal Mail, Continental, Bangkok Airways, and Accenture.
The syndicate became the most active ransomware group, responsible for a majority of such attacks in 2023, continuously evolving its tactics through various iterations of file-encrypting malware (including LockBit 2.0, LockBit 3.0, LockBit Green), with a new version reportedly under development.
Law enforcement agencies from ten countries collaborated to seize control of the syndicate’s infrastructure, coordinate its disruption, gather intelligence from the servers, effectuate arrests, and impose sanctions.
Despite the control established over the hackers’ infrastructure, the leaders of the group and most affiliates remain unidentified.
To incentivize the disclosure of information about LockBit ransomware group members and their associates, the U.S. State Department is offering rewards of up to $15 million.