U.S. Bans Crypto Addresses Tied to LockBit Ransomware Group From Financial System

LockBit hit more than 2,000 different victims, who forked out north of $120 million in payments, according to a DOJ press release.

Feb 20, 2024 at 4:57 p.m. UTC
Updated Mar 8, 2024 at 9:48 p.m. UTC
  • The Office of Foreign Assets Control named two Russian nationals and identified 10 bitcoin and ether addresses after an international operation gained control of the organization's website.
  • Law enforcement agencies said they will distribute decryption keys to victims.

The U.S. Treasury Department's sanctions watchdog added nearly a dozen bitcoin and ether addresses to its global blacklist, alleging they were used by ransomware purveyors.

In a statement on Tuesday, the Office of Foreign Assets Control (OFAC) named Artur Sungatov and Ivan Kondratyev, two Russian nationals indicted on charges tied to the deployment of ransomware, and identified 10 bitcoin and ether addresses (none of which contained any funds as of press time), banning U.S. entities from providing any kind of financial services to the two. According to OFAC and the U.S. Department of Justice, they are part of the LockBit ransomware group, one of the world's most prolific ransomware distributors, which is accused of stealing more than $120 million from over 2,000 victims in the past few years.

Ransomware attacks let malicious actors lock victims out of their computers and networks unless they pay a fee, often in cryptocurrency.

An international effort by the DOJ, Europol, the U.K. National Crime Agency and agencies in several other countries seized LockBit's website and various pages earlier this week in an effort dubbed Operation Cronos. The law enforcement agencies announced they would be distributing decryption keys to victims, allowing them to regain access to their devices.

According to a press release from Europol, more than 200 cryptocurrency accounts tied to LockBit have been frozen, while authorities in the U.S., U.K. and EU have all seized various parts of the ransomware group's infrastructure.

Some of the addresses listed by OFAC on Tuesday were deposit addresses for KuCoin, Coinspaid and Binance, according to data from Arkham Intelligence.

LockBit's victims included municipal entities and private companies around the world.

"The LockBit ransomware variant, like other major ransomware variants, operates in the 'ransomware-as-a-service' (RaaS) model, in which administrators, also called developers, design the ransomware, recruit other members — called affiliates — to deploy it, and maintain an online software dashboard called a 'control panel' to provide the affiliates with the tools necessary to deploy LockBit," the DOJ press release said.

Edited by Sheldon Reback.



Nikhilesh De

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.