US Charges Russian-Israeli Dual Citizen for Role in Lockbit Ransomware Operations

The United States has charged a Russian-Israeli dual citizen, Rostislav Panev, 51, for his alleged involvement with the notorious Lockbit ransomware group, according to the Department of Justice (DOJ). Panev, identified as a developer for Lockbit since its inception in 2019, was arrested in Israel in August and is awaiting extradition to the U.S.

Lockbit emerged as one of the most active and destructive ransomware groups globally, responsible for attacking over 2,500 victims across 120 countries. These victims included small businesses, large multinational corporations, hospitals, schools, and government agencies.

During his tenure with Lockbit, Panev is believed to have played a critical role in the group’s operations, which followed a ransomware-as-a-service (RaaS) model. This approach involved developers and administrators working alongside affiliates who executed attacks. Extortion payments, estimated at over $500 million, were shared between these collaborators, and the attacks caused victims significant financial and operational disruptions.

Attorney General Merrick Garland emphasized the DOJ’s commitment to combating ransomware threats, stating, “The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them.”

Lockbit was first identified in 2020 on Russian-language cybercrime forums. It quickly gained notoriety for its aggressive attacks and extortion tactics, targeting a wide range of sectors, including critical infrastructure and law enforcement agencies.

The charges against Panev follow several notable actions against the group. In July, two Russian members of Lockbit, Ruslan Astamirov and Mikhail Vasiliev, pled guilty to related crimes. Earlier in February, international law enforcement agencies, including Britain’s National Crime Agency and the FBI, seized several Lockbit-operated websites.

Despite these efforts, the ransomware group briefly reappeared online, defiantly stating, “I cannot be stopped.” However, experts, including Jeremy Kennelly, a cybersecurity analyst with Google’s parent company Alphabet, note that the enforcement actions have dealt a significant blow to Lockbit’s reputation. Kennelly remarked that the crackdowns have been “critical to ensuring that ransomware and extortion are seen as crimes for which there are consequences.”

While affiliates may have shifted alliances to other cybercriminal groups, the targeted efforts against Lockbit underscore a broader initiative to combat global ransomware networks and hold their architects accountable.