Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label LockBit. Show all posts
Ransomware
BlackCat Cyber Attacks Extortion FinCEN LockBit Ransomware

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024

 

FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024. 

FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild. 

The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds.

Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. 

The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.
Read more »
Windows
Dark Web Dire Wolf Ghost LockBit malware Ransomware Windows

Dire Wolf Gang Hits Tech and Manufacturing Sectors, Targets 11 Countries


New Group Dire Wolf Attacks

A new group, known as “Dire Wolf”, launched last month, has targeted 16 organizations worldwide, primarily in the manufacturing and technology sectors. The group deploys a double extortion technique for ransom and uses custom encryptors made for particular targets. Trustwave SpiderLabs experts recently found a ransomware sample from the Dire Wolf group and learned about its operations. 

The targets were from 11 countries, and Thailand and the US reported the highest number of incidents. At the time of this story, the Dire Wolf had scheduled to post leaked data of 5 out of 16 victims on its website due to not paying ransoms. 

"During investigation, we observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims around one month to pay before releasing all the stolen data," said Trustwave Spiderlabs. The ransom demand from one of the victims was approximately $500,000,” it added.

A deep dive into the incident

The experts studied a Dire Wolf ransomware sample, which contained UPX- a common technique used by hackers to hide malware and restrict static analysis. 

Upon unpacking, the experts discovered that the binary was in Golang, a language that makes it difficult for antivirus software to find the malware written in it. After execution, the ransomware checks for the encryption and presence of the mutex "Global\direwolfAppMutex" in the system to ensure a single operation runs at a time. If any condition is met, the ransomware removes itself and ends the execution.

If the condition is not met, the ransomware disables event logging and ends specific processes that can stop its completion.  One such function is designed to “continuously disable Windows system logging by terminating the 'eventlog' process … by executing a Powershell command," experts said. It also stops apps and services, and executes a series of Windows commands to stop system recovery options. 

How to stay safe

Dire Wolf reminds us that new threat actors are always emerging, even when infamous gangs such as LockBit and Ghost are disrupted. Organizations are advised to follow robust security measures, securing endpoints to stop initial access and also patch flaws in the systems to avoid exploits.

Read more »
US Federal
CTU Cyber CyberCrime Cybersecurity CyberThreat DragonForce LockBit malware Qakbot US Federal

US Federal Authorities Disrupt Growing Malware Pyramid Network

 


A new study by Secureworks' Counter Threat Unit (CTU) has revealed that ransomware operations have shifted significantly in response to heightened law enforcement crackdowns, forcing threat actors to evolve their strategies accordingly. There has been a tradition of many ransomware groups relying on affiliate models, including the LockBit gang, which involves recruiting external partners to carry out attacks in exchange for a share of the ransom payment. 

Cybercriminal organizations are beginning to be forced to adjust in order to maintain profitability and operational reach in the face of sustained global enforcement efforts and coordinated takedowns, forcing them to rethink how they operate so they can remain profitable and profitable. In response to the changing landscape in ransomware, groups such as DragonForce and Anubis have been observed to adopt innovative frameworks for attracting affiliates and maximizing profits. 

In addition to evading legal scrutiny, these emerging models also appear to be designed in such a way as to offer collaborators more incentives and flexibility than previously offered by traditional methods. In a hostile environment in which traditional tactics are becoming increasingly risky and unsustainable, these groups are readjusting their internal hierarchies and engagement strategies in order to maintain momentum. 

There is a clear indication that this evolution indicates that the underground ransomware economy is undergoing a significant transformation. This shift is being driven by the growing influence of international cyber defense efforts, as well as criminals' ability to adapt to escalating pressure. It is estimated that more than 700,000 computers were infected worldwide by the malware campaign at the centre of the investigation, including approximately 200,000 systems within the United States. 

Despite the prevalence of this infiltration, 58 million dollars in financial losses have been directly linked to ransomware activities in the last 24 hours, highlighting the scale and sophistication of this criminal network. According to U.S. Attorney Martin Estrada, Operation Duck Hunt has been the largest technological and financial operation ever conducted by the Department of Justice against a botnet. The operation is a comprehensive enforcement initiative that is aimed at capturing the infrastructure behind the botnet, a process that has been ongoing for several years. 

There was a successful operation in which 52 servers critical to the botnet were taken down and more than $8.6 million in cryptocurrency assets were seized, used to facilitate or conceal illicit gains. In spite of these remarkable achievements, cybersecurity experts caution against interpreting the disruption as a definitive victory. As is often the case when it comes to cybercrime enforcement, what appears to be the end may actually only be a temporary setback when it comes to the criminal activity. 

A cybercriminal ecosystem is resilient, adaptable, and able to evolve very quickly, which results in the emergence of new variants, techniques, or successor operations in a short period of time to fill the void left behind when a network has been dismantled. In the dynamic and ever-evolving cyber threat landscape, it is important to recognize that federal agencies are capable of performing complex takedowns, but that they also face a persistent challenge in achieving lasting impact. 

There has been a recent international crackdown targeting a particular type of malicious software called "initial access malware," which is one of the most critical enablers in the overall lifecycle of cyberattacks, according to statements released by Europol and Eurojust. As malware strains are typically deployed as early as possible in the course of a cyber-attack, they allow threat actors to quietly breach targeted systems and establish a foothold from which additional malicious payloads can be deployed, such as ransomware. 

Attempting to disrupt the foundational layer of the so-called "cybercrime-as-a-service" ecosystem by dismantling these tools was an important part of the authorities' effort. Its aim was to provide cybercriminals worldwide with flexible and scalable access to the services they needed. As part of the coordinated operation, a number of well-known malware variants were neutralized, including Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie, each of which has played a significant role in numerous ransomware attacks and data extraction. 

Several authorities emphasized that the strike of these elements at their root greatly undermines the ability of downstream criminal operations by preventing them from functioning and limit the ability of malicious actors to carry out large-scale attacks, as well as significantly limiting the capabilities of the malicious actors. Nearly 50 command-and-control servers were successfully neutralized in Germany, where a significant portion of the law enforcement activity was concentrated. 

There has been an investigation conducted by the German Federal Criminal Police Office (BKA) and the Frankfurt Public Prosecutor's Office for Cybercrime on the grounds of organized extortion and suspected affiliations with foreign criminal organizations based on suspected organized extortion. In response to this effort, international arrest warrants were issued for twenty individuals, most of whom were Russian nationals, and several search operations were conducted specifically to investigate these individuals. 

Continuing Operation Endgame, which was regarded as the largest coordinated effort ever undertaken to fight botnets, this sweeping enforcement action represents a continuation of that effort. In addition to acquiring €21.2 million in assets, the operation has also demonstrated the global increasing momentum behind collaborative efforts to dismantle high-impact cybercrime infrastructure since it was launched in 2024. Defendant Gallyamov and his co-conspirators allegedly orchestrated highly targeted spam bomb campaigns targeting members of the employees of victim organizations.

The attacks were designed to overwhelm recipients' inboxes with a barrage of messages, creating confusion and increasing the sense of urgency within them. The attackers then exploited this chaos by impersonating an internal IT employee, contacting overwhelmed victims by impersonating a technical support representative, and offering technical assistance. 

Once they had established trust and granted access, the attackers were quick to get their hands dirty—extorting data, deploying malware, encrypting systems, and ultimately demanding ransoms. In this case, the backdoor was built using the highly sophisticated Qakbot malware, which was used to exploit compromised systems to deploy malicious payloads further encoding the credentials of the target systems, as well as collect login credentials across networks. Such access was a valuable commodity among the cybercriminals. 

In the past, it has been suggested that Gallyamov and his network were monetizing these intrusions by selling access to operators of some of the most dangerous ransomware strains, such as REvil, Black Basta, and Conti, which are all dangerous strains of ransomware. In some cases, these ransomware groups are alleged to have compensated Gallyamov not only with direct payments but also by dividing a portion of the extorted profits with Gallyamov. 

In April 2025, U.S. authorities seized more than 30 bitcoins linked to Gallyamov as well as approximately $700,000 in illicit assets. Although these financial hits may have been significant, the primary suspect remains on the loose in Russia, out of reach of U.S. law enforcement due to the lack of extradition agreements. Despite the fact that Gallyamov faces a high probability of being captured, federal officials said that it would be unlikely that he would be brought to justice unless he voluntarily left the relative safety of his country. 

The incident has served as a stark reminder of just how sophisticated social engineering and malware-based attacks are becoming as time goes by. Investing in enterprise-grade antivirus solutions and implementing advanced endpoint protection platforms are two of the best ways for organizations to protect themselves against such threats. In many ways, these tools can be of great benefit in detecting unusual behavior, isolating compromised systems, and preventing the rapid escalation of attacks into full-scale data breaches or ransomware attacks that cause financial losses or reputational harm to companies.
Read more »
Ransomware Platform
Cyber Attacks Data Leak LockBit Ransomware Platform

LockBit Ransomware Platform Breached Again, Ops Data Leaked

 

A breach of an administration panel used by the LockBit ransomware outfit resulted in the exposure of information that can be extremely valuable to law enforcement and the cybersecurity community.

The breach was discovered on May 7, when a domain linked with a LockBit administrator panel was vandalised to display the message "Don't do crime, crime is bad xoxo from Prague". The defaced page is also linked to an archive file containing information acquired from the stolen server. 

The leaked data includes private messages exchanged between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, attack specifics, and malware and infrastructure details. 

Numerous cybersecurity specialists have examined the leaked data. The Bitcoin addresses could assist law enforcement, according to Christiaan Beek, senior director of threat analytics at Rapid7. 

In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, stated how the leaked data could benefit the cybersecurity community. According to the expert, the leaked user data is most likely related to ransomware affiliates or administrators. In the publicly available data, Searchlight Cyber has found 76 entries, including usernames and passwords.

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan noted.

He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.” 

Searchlight Cyber discovered 208 chats between LockBit affiliates and victims. The messages, which stretch from December 2024 to April 2025, could be "valuable for learning more about how LockBit's affiliates negotiate with their victims". Indeed, Rapid7's Beek noted that the leaked chats illustrate how active LockBit affiliates were during the ransom negotiations. 

“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek stated. 

As for who is responsible for the LockBit hack, Searchlight Cyber's Donovan pointed out that the defacement message is identical to the message displayed last month on the compromised website of a different ransomware outfit, Everest. 

“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” Beek added. 

On May 8, a statement released on LockBit's breach website admitted the vulnerability of an administration panel but minimised the impact, claiming that victims' decryptors and sensitive data were unaffected. 

LockBitSupp, the mastermind behind the LockBit operation, identified by authorities as Russian national Dmitry Yuryevich Khoroshev, has stated that he is willing to pay for information on the identity of the attacker. 

Law enforcement authorities across the globe have been taking steps to disrupt LockBit, but after inflicting a severe blow last year, the cybercrime operation remains operational and poses a threat to organisations.
Read more »
Software
Cyber Security LockBit Ransomware Software

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.

The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.

Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Read more »
Ransomware
Cyber Crime LockBit RaaS Ransomware

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



Read more »
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
Security Expert
Covert Operation Cyber Crime FBI LockBit Ransomware Security Expert

This Security Researcher Infiltrated the LockBit Ransomware Outfit and Exposed its Leader

 

As part of a larger plan to gather intelligence and stop cybercrime from within, security researchers are actively pursuing and even infiltrating the groups that commit cybercrimes. To win the trust of cybercriminals, they frequently adopt a James Bond image, fabricating identities and conducting covert operations. Here is the account of one such investigator. 

Cybersecurity expert Jon DiMaggio has uncovered the mysterious boss of the infamous LockBit ransomware group in a story that reads like a contemporary cyber thriller. Under the guise of a cybercriminal, DiMaggio managed to penetrate the inner ring of the gang and identify its leader, Dmitry Khoroshev, before the authorities could make his identity public. This remarkable operation, which DiMaggio detailed at Def Con, is a tale involving tactical deception as well as the psychological toll that such a game can take. 

DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet identities to contact with people associated with LockBitSupp, Khoroshev's online identity. DiMaggio was able to create a realistic cybercriminal personality by monitoring chats and learning about the gang's culture and preferences. Despite his initial refusal to join the group, DiMaggio continued contact with LockBitSupp and developed a close connection. He engaged in informal chats, enquiring about the gang's operations and strategies. 

DiMaggio submitted a report on his discoveries in January 2023, detailing his infiltration and the burning of his fictitious personas. Surprisingly, LockBitSupp took it lightly, even joking about it in forums, which piqued DiMaggio's interest. The relationship turned into a friendly rivalry, with LockBitSupp utilising DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also mocked the gang by trying to extort them, which raised concerns among several cybercriminals. 

During this time, DiMaggio noticed that LockBitSupp went missing for roughly 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit claimed responsibility for a cyberattack on a Chicago children's hospital, their second after targeting Toronto's SickKids. These activities frustrated DiMaggio so much that he nearly sent an angry mail to LockBitSupp, expressing his intention to pursue him. However, the researcher eventually decided against it.

After law authorities took down LockBit's website, DiMaggio focused on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which let him track down Dmitry Khoroshev. Unexpectedly, the police updated the seized LockBit website, declaring their intention to divulge the name of LockBitSupp, the administrator. 

At this point, DiMaggio, who had established a working connection with the FBI as a private business partner, contacted them to say that he had identified Khoroshev as LockBit's administrator. DiMaggio intended to prepare a report on his findings and asked the FBI for advice on whether he should postpone publishing it. He reasoned that if the FBI told him to wait, it would probably corroborate that he had identified the right person. However, the FBI recommended him to wait. 

As the Department of Justice prepared to divulge LockBitSupp's name, DiMaggio completed his report. Eventually, the DOJ appointed Dmitry Khoroshev as LockBit's head, allowing DiMaggio to reveal his own detailed findings. 

"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio stated. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't.” 

DiMaggio sent Khoroshev a note telling him to call it quits from malicious activities. “LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote. 

Since then, DiMaggio has not heard from Khoroshev. Despite the fact that nothing has happened, he has heard rumours that Khoroshev seeks payback.
Read more »
Subscribe to: Comments (Atom)