For years, the identity of the leader of the notorious ransomware gang known as LockBit has remained a mystery. Known as LockBitSupp, the person often communicated in online forums but took pains to conceal his real name and location.

Days after taking down his organisation, days after taking down his organisation, a coalition that includes the UK National Crime Agency and FBI said it knows where LockBitSupp lives, how much he is worth, and claimed he has “engaged with law enforcement”.

The comments, which did not disclose LockBitSupp’s alleged name, had more in common with trolling tactics used by hackers than typically dry statements by law enforcement. In a mocking post Friday on the ransomware’s commandeered darkweb site, the coalition said he drives a Mercedes and that parts for it “may be hard to source”.

That may have been a veiled reference that he lives in Russia, given speculation that LockBitSupp is a Russian national. Mercedes-Benz Group AG pulled out of the country following the invasion of Ukraine.

The development comes after investigators from 11 countries on Tuesday seized control of LockBit’s infrastructure, arrested two members and indicted two Russian hackers allegedly affiliated with the gang. The next day, the US State Department issued a bounty of as much as US$10mil for information leading to the identification of any of the group’s leaders.

It was a reversal of fortune after years of LockBit taunting law enforcement agencies. “I pay exactly 1 million dollars and not a cent less to someone who simply writes my name and surname to me,” LockBitSupp said in April 2022 in an online hacking forum.

LockBitSupp didn’t respond to messages seeking comment on the law enforcement claims about his identity.

Jon DiMaggio, chief security strategist at Analyst1, has researched LockBit and talked to many of its leaders online, including LockBitSupp. “He’s really good at running that operation as a business, which is also why it’s done well, DiMaggio said in a recent interview. “It’s rarely personal.”

LockBitSupp was likely Russian, based on his writing style, the slang he uses and his association with other known Russian hackers, according to DiMaggio. He speculated that the hacker didn’t live in the country because he had publicly criticised Russia’s main intelligence agency, the Federal Security Service, or FSB.

LockBit is the world’s most prolific ransomware gang. Since January 2020, it has targeted more than 2,000 victims, received US$144mil in ransom payments, and made demands totaling hundreds of millions of dollars, according to US authorities.

It gained notoriety after waging disruptive attacks on high profile companies, including the Industrial & Commercial Bank of China Ltd, the UK’s Royal Mail, the financial software firm ION Trading UK and Boeing Co.

LockBit stole internal data and encrypted its victims’ computers, making them unusable. It would then demand payment in exchange for unlocking the computers and not publishing the stolen data. The group’s leaders also pioneered ransomware as a service, using a network of affiliate hackers who carried out attacks using LockBit’s malicious software and infrastructure.

Its takedown was widely viewed as a devastating blow to the criminals. However, the gang’s representatives – several of whom are believed to be at large in Russia and unlikely to be extradited to face charges – have since vowed to rebuild their criminal enterprise, according to online messages reviewed by Bloomberg News.

National Crime Agency Director General Graeme Biggar said in a statement this week that the law enforcement action had damaged LockBit’s capability and also its credibility among the criminal hacking community.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise,” Biggar said. “However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.” – Bloomberg