Recent findings have shed light on the possible financial scale of the LockBit ransomware group, suggesting it might have accumulated more than $1 billion in ransom payments over its four-year existence. The latest disclosures, posted on LockBit’s blog, now managed by Operation Cronos, offer insights into the group’s financial operations. Analysis of 30,000 cryptocurrency addresses obtained after seizing LockBit’s systems revealed holdings totaling about £100 million ($126.6 million), with a significant portion, approximately £90 million ($114 million), still untouched. Because LockBit typically takes a cut of around 20 percent of the ransom fee, while the rest goes to the affiliate who conducted the attack, experts believe that the actual amount extorted from victims could be much higher, potentially reaching hundreds of millions of dollars, based on assessments from the South West Regional Organised Crime Unit and Chainalysis.
The analysis covers only an 18-month period from July 2022 to February 2024, whereas LockBit operated for roughly four and a half years before being shut down. Considering the current average ransom demand of $1.5 million, the total extorted amount could indeed be in the billions. While the exact percentage of ransomware victims who comply with payment demands varies, LockBit’s impact on victims globally is significant, with over 2,000 confirmed attacks reported. This substantial figure underscores LockBit’s financial success and surpasses previous estimates.
Authorities, led by the UK’s National Crime Agency (NCA) with support from the South West Regional Organised Crime Unit and Chainalysis, are continuing to track and monitor thousands of cryptocurrency addresses associated with LockBit. Additionally, efforts are underway to restrict access to exposed exchange accounts, with significant amounts of crypto assets already seized.
The exposure of LockBit’s financial operations marks the culmination of a week-long effort by Operation Cronos, which seized control of LockBit’s leak site earlier in the week. The transformation of the once secretive operation into a platform for exposés has garnered attention from the cybersecurity community, highlighting concerted efforts to dismantle one of the most prolific ransomware groups to date.