JustPaste.it

From Zero-Day to Day-Zero: How LockBitSupp Was Unmasked

Who Was Behind LockBitSupp: An Independent OSINT Investigation into the Roles of Dementyev and Khoroshev

🇷🇺 Original version in Russian


Introduction

All individuals mentioned are presumed innocent unless proven otherwise in court.
This analysis is based solely on publicly available and leaked OSINT materials and represents a hypothesis, not a legal determination.

 

In May 2024, the U.S. Department of Justice named Dmitry Khoroshev a key figure behind LockBit — the most significant public move against the world’s most notorious ransomware group in recent years.

The official indictment matters: it confirms that Khoroshev was indeed connected to LockBit and played a major technical role in its development.

However, the internal structure of groups like LockBit is almost always more complex than a single person behind a single nickname.

This article is not an attempt to dispute law enforcement findings. Rather, it is an independent OSINT contribution — an effort to understand how operational roles may have been distributed inside LockBit, and who may have been behind the public persona of LockBitSupp in day-to-day activity.

The investigation began with what seemed like a minor detail: a Mercedes vehicle linked to Dmitry Khoroshev.

It ended with something far more unexpected — a three-year timeline in which the traffic-fine activity of a Moscow businessman and the online presence of LockBitSupp appear to alternate with near-perfect consistency.

This is not a single “clue.”

It is a behavioral pattern.

And it deserves careful scrutiny.

What follows is the full chain, step by step.

 

De-anonymization of LockBitSupp: Evidence Suggests Evgeny Dementyev May Be Linked to the LockBitSupp Persona

 


1. Dmitry Khoroshev: 14-year malware developer, confirmed LockBit participant
Official evidence linking Dmitry Khoroshev to LockBit includes U.S., UK, and Australian sanctions and charges.
On May 7, 2024, the U.S. Department of Justice charged Dmitry Yuryevich Khoroshev (Voronezh) with 26 criminal counts (extortion, wire fraud, conspiracy). He is described as a LockBit developer.
Yet independent OSINT analysis strongly suggests that Khoroshev is not the actual leader of the group. The person operating under the nickname LockBitSupp appears to be someone else.
Brian Krebs traced Khoroshev's darknet history and the nicknames he used:
  • 2012 — under the nickname Pin on forums Opensc and Antichat, he shared code for bypassing memory protection in Windows XP/7 and injecting malware into trusted processes.
  • 2011–2016 — under NeroWolfe on Russian forums (Verified, Exploit, etc.), he sold custom malware, botnets, SpyEye/ZeuS panels, loaders, worms, and browser exploits. Specialized in C/C++, anti-detection techniques, and encryption.
  • 2013 — offered a $5,000 loader capable of bypassing Windows XP/7 protection.
  • 2013 — discussed the ethics and future growth of ransomware on Exploit.
NeroWolfe activity ceased around 2016 — possibly indicating he went dark or changed identities.
Linkage between identifiers:
  • Email sitedev5@yandex.ru (listed in U.S. sanctions) was used to register tkaner.com (Khoroshev’s legitimate Voronezh business).
  • The same email and phone number (+7-952-102-02-20) appear in older domains (e.g., stairwell.ru) and NeroWolfe accounts.
  • Password 225948 from stairwell.ru was reused across multiple NeroWolfe accounts (2011–2015).
  • ICQ 669316 (Pin/NeroWolfe) → d.horoshev@gmail.com → Voronezh.
Much of the classified evidence remains sealed (grand jury materials, intercepted communications, seized LockBit servers from Operation Cronos in February 2024, blockchain analysis, witness statements, ISP/telecom data, etc.) — standard practice until trial or extradition.

2. Khoroshev’s Mercedes: the critical slip that exposed the trail

Dmitry Khoroshev owned (but concealed ownership of) a Mercedes-Benz GLE 350d 4MATIC, VIN WDC2923241A144235, Russian license plate О570ЕТ136. The same email sitedev5@yandex[.]ru was used for domain registrations, including his legitimate company LLC TKANER (ООО "ТКАНЕР", INN 3662295721).
In June 2023, under the nickname sitedev5 (Voronezh) on an automotive forum, he posted:
“I drive a Mercedes-Benz GLE-Class Coupe. Purchased in winter, 1.5 years of use… 2019 model year, bought in 2021.”
He also uploaded a photo clearly showing the license plate.


The vehicle was never registered in Khoroshev’s name personally. It was registered to Voronezh-based LLC Epokha (ООО «Эпоха» INN 3662137891). No public documents directly link Khoroshev to this legal entity — an ownership structure that could potentially reduce transparency about the vehicle’s primary user.

 


3. 2023 traffic accident: falsified owner data and attempted concealment
Khoroshev was involved in a traffic accident on January 26, 2023 in this Mercedes. In official records, his details (Dmitry Yuryevich Khoroshev, born April 17, 1993) were replaced with those of another person: Dmitry Yuryevich Khoroshev, born July 25, 1962 (a real individual living in St. Petersburg with no connection to Voronezh).
This discrepancy, observable across multiple OSINT lookup tools (e.g., the VIN-based incident aggregator Telegram bot @Sherlock_GangIntel_bot, VIN search: WDC2923241A144235), may indicate an attempt to obscure the identity of the actual driver.

 


4. Digital cleanup: Mercedes photos removed from Nomerogram
Photos of the vehicle (both current plate О570ЕТ136 and previous Х313ОК799) were almost completely scrubbed from the Russian license-plate lookup service Nomerogram.ru — an uncommon pattern for such services.
At the time, searching О570ЕТ136 returned images of a completely different car (an unrelated Nissan), suggesting the Mercedes entry had been suppressed.
Nevertheless, archived/deleted images were recoverable via a paid report from https://avinforpt.com

 

 

Update (February 12, 2026): Strangely, the old Mercedes photos reappeared on Nomerogram. Previously the plate returned only the Nissan; now the Mercedes images are back. Archived queries and screenshots were preserved showing the Mercedes entry temporarily absent and later restored, suggesting an unusual change in public visibility over time.

The disappearance was not only anecdotal — the service produced different results for the same plate across time.
⚠️ Archived query: (Mercedes absent)  https://www.nomerogram.ru/n/o517et136-1253a4145/
⚠️ Updated query: (Mercedes restored)  https://www.nomerogram.ru/n/o570et136-1369f5b53/ 
Screenshots were preserved for verification.

 


5. May 2024: U.S. charges → immediate disposal of the vehicle
On May 7, 2024 — the day formal charges were announced — preparations to sell the Mercedes began. On May 22, 2024 it was sold and deregistered from LLC Epokha (ООО «Эпоха»), transferring to a private individual on May 28. The trail ends there.

6. From Moscow LLC (Dementyev) to Voronezh: anonymous handover
The Mercedes was originally registered in Moscow to LLC "NPG" (ООО «НПГ» Нефтепромгрупп, INN 9717048612) from May 2019 to December 2021, plate Х313ОК799.
CEO and owner: Evgeny Petrovich Dementyev, born July 21, 1987.
In December 2021 the vehicle was transferred (“sold”) to Voronezh LLC «Epokha» — again with no visible direct link to Khoroshev: a classic ownership-transfer structure that provides limited public visibility.

 


7. Fake intermediaries and falsifications: breaking the ownership chain
Cross-referencing multiple publicly circulating datasets and OSINT sources reveals an artificial intermediate owner: Gazprombank Autoleasing (December 9, 2021 – December 8, 2022), plus gaps in the registration records (a changed vehicle registration certificate) between July 2020 and December 2021.
This pattern may indicate the use of intermediary entities that reduce transparency and present the transfer as an independent transaction.

8. This Mercedes was previously used by Evgeny Dementyev himself.
Traffic fine records from June 2019 – June 2020 show consistent geographic patterns matching Dementyev’s life:
  • Moscow and Khimki
  • Kaluga region
  • Kievskoe Highway


These match Dementyev’s residence (Moscow/Khimki), family locations (parents, brother in Lyudinovo, Kaluga region), and repeat on another vehicle linked to him — BMW X6 plate К102СХ799 (March 2023 – January 2026).
A similar falsification of accident data appears: the September 22, 2019 crash involving the Mercedes lists an individual who could not be reliably identified in public records, AYVEZYAN ARSEN ARAMANOVICH, 01-01-1970 (АЙВЕЗЯН АРСЕН АРАМАНОВИЧ).

9. Dementyev’s BMW X6: the vehicle that sealed the connection
BMW X6 xDrive40i 2020, registered to the same ООО «NPG», insured under Dementyev’s name.
Parking spot 453, Khimki, ul. Moskovskaya 21 — confirmed as Dementyev’s property via EGRN (кадастр 50:10:0010211:828) extract.
He was also personally listed as the driver in a 2023 accident involving this vehicle (e.g., the VIN-based incident aggregator Telegram bot @Sherlock_GangIntel_bot, VIN search: WBACY610709E92089).

10. Rare long-distance trips: what the BMW fines reveal
Analysis of 162 fines shows a clear profile:
  • Home base near Kievskoe Highway
  • Regular trips along Kievskoe Highway
  • Infrequent but systematic long-distance travel to/from Kaluga region (1–3 times per month)
  • Primarily highway usage, almost no Moscow city camera hits
Most plausible explanation: a secondary vehicle used for country-house and family visits (Kaluga, Lyudinovo area — parents, siblings).
Combined with timing and lack of dense urban fines, it suggests Dementyev’s primary residence may be an elite cottage settlement along Kievskoe Highway rather than central Moscow/Khimki.

11. Dementyev’s Traffic Fines and LockBitSupp Posts: Alternation as a Behavioral Pattern

This is one of the strongest and most visually clear arguments in the entire investigation.

 

I collected all available traffic fines associated with the vehicle used by Dementyev, as well as all public LockBitSupp messages, and compared them chronologically.


Data Sources

  • Data on traffic fines and recorded vehicle detections (license plate K102CX799) was obtained from commercially available extended reports (Autocode, AvInfo, etc.), which aggregate information from public and official sources (example: avtocod.ru).

  • Public LockBitSupp posts from the XSS forum (xss[.]pro) — accounts LockBitSupp and LockBit.

  • Public LockBitSupp posts from the ReHub forum (onion) — account LockBit.

  • LockBitSupp messages from the Tox messenger (published in an interview with Tor Zirael — file petuh.txt).

  • Public messages from the Telegram account Fox William Mulder (ID 7262708360), which was widely considered to be the official LockBitSupp channel (now deleted).

  • Analysis of 162 fines
  • Additionally, there is a free and fully legal source for obtaining traffic fines: the mobile application “ШТРАФЫ ГИБДД” (in Russian; available in the Play Store or App Store with the region set to Russia or Kazakhstan, though it works from any IP address). Search by license plate K102CX799 and CTC 9946414542. A virtual Android environment can be used as well: https://cloud.geny.io/l

All original materials, tables, and raw datasets (in redacted form, without publishing personal data) were previously referenced in my earlier article.

In order to reduce potential legal risks, I do not publish the full dataset openly. However, I am prepared to provide it to journalists and researchers for independent verification upon request.


Overall Timeline

The overall graphical timeline makes it possible to clearly see the density of events and the periods where activity is absent.

[timeline chart]

I consolidated all this data into a single timeline table 👉 Download, with traffic fines highlighted in yellow for clarity.


Key Observation

The main fact is the following:

LockBitSupp publications and recorded vehicle travel events (through fines and traffic cameras) almost never coincide in time over a three-year period (2023–2025).

It is important to clarify:

  • Traffic fines do not identify the driver directly, but rather reflect vehicle activity associated with travel.

  • Posts reflect the operator’s online activity (forums, Tor, Tox).

The picture looks like this:

  • When travel is recorded (fine “clusters”) → LockBitSupp demonstrates prolonged silence.

  • When series of posts appear → the vehicle does not appear on road cameras during that period.

This is not a single episode, but a repeated alternation structure.


Why This Deserves Attention

Both signals are relatively rare:

  • Fines: only 66 unique days over 3 years (~48 trips).

  • LockBitSupp posts: about 87 active days over the same period.

Out of ~1095 days, only 5 days contain both events, and even in those cases they are separated in time (typically by 6–12 hours).

 

The only “close” example is 03.02.2025:

Fine at 15:33–15:34 → Tox message at 16:24.

Even here, the time gap increases after accounting for the Moscow time zone (UTC+3), and more likely reflects a mode switch: “travel → return → online activity.”


Examples of Clear Alternation Clusters

On December 6, 2025, a fine was recorded for Dementyev (LockBitSupp had not posted for three months before that — since September 18, 2025). Then starting the next day, December 7, LockBitSupp posted messages for several days in a row (December 7–8–9). But on the following day, December 10, a Dementyev trip was recorded again, and LockBitSupp fell silent for several days until December 16, 2025.


 

A similar example appears in the Telegram group: LockBitSupp had been silent for two months since August 18, 2024. Then on October 7, 2024, LockBitSupp became active and sent messages to the chat on October 7–8–9 and 11. But on the next day, October 12, the messages stopped and we see a fine (a trip) recorded for Dementyev, and there were no further LockBitSupp messages for several days until October 28, 2024.


 

Another example: August 19, 2023 — a fine; August 21–22 — messages; August 24 — a fine; August 25 — a message; August 26 — a fine; then August 27 — a message. Practically day by day, fines and messages alternate. When on the road — no posts. When at the computer — no fines are recorded.

 

On the same screenshot below: September 18, 2023 — a fine; September 19 — a message; September 20, 2023 — fines from 6 to 8 a.m., and by midnight only messages appear (September 20, 2023 at 23:12:00).

[screenshot]

 

 

Such vivid sequential alternations are marked in 13 fragments (highlighted in the table), and simpler supporting patterns number several dozen.

This forms a repeating behavioral signature.


Forensic Metric: Alternation, Not Just Absence of Overlap

What matters here is not the minimal distance between “fine ↔ post,” but the sequential blocks:

silence → travel → messages → travel → silence → messages …

If these were completely independent signals, random overlaps should occur more often.

Instead, there is near-complete mutual exclusion over a long interval.


Control Comparison

When applying the same method to other random vehicles, such “ideal” alternation does not appear: events overlap far more chaotically.

This makes the observed pattern statistically unusual.
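The alternation metric and the control comparison described in the two sections above, as an added example. This is my own illustration, not code or data from the original investigation: the 60-day window, the day numbers, the stream names (VEHICLE_DAYS for days a vehicle was recorded on the road, POST_DAYS for days the persona posted) and the function names are all constructed. It scores direct hand-overs between the two streams at the episode level, reports same-day overlaps against the count expected under independence, and builds the control by sliding one stream circularly past the other, which keeps each stream's own rhythm but breaks any cross-stream relationship.

```python
"""Alternation scoring for two sparse daily event streams (added example).

All day numbers are constructed for illustration. Stream A: days on which
a vehicle was recorded on the road (fines, camera hits). Stream B: days on
which a persona posted online.
"""
from itertools import groupby
from statistics import mean

N_DAYS = 60  # observation window length (constructed)
VEHICLE_DAYS = {2, 3, 9, 10, 17, 24, 25, 31, 38, 39, 46, 52, 53}
POST_DAYS = {5, 6, 7, 13, 14, 20, 21, 28, 29, 34, 35, 42, 43, 49, 50, 56, 57}


def expected_overlap(n_a, n_b, n_days):
    """Days expected to carry both kinds of event if the two streams were
    independent and spread uniformly over the window: n_a * n_b / n_days."""
    return n_a * n_b / n_days


def overlap_days(a, b):
    """Days on which both streams have an event."""
    return sorted(a & b)


def collapsed_labels(a, b):
    """Walk every event day in order, label it V (vehicle only), P (post only)
    or B (both), and collapse consecutive identical labels. Runs of same-stream
    days (a multi-day trip, a posting session) become one symbol, so the
    result describes episodes rather than days."""
    labels = []
    for day in sorted(a | b):
        if day in a and day in b:
            labels.append("B")
        elif day in a:
            labels.append("V")
        else:
            labels.append("P")
    return "".join(key for key, _ in groupby(labels))


def alternation_score(a, b):
    """Count direct hand-overs between the streams: adjacent V/P or P/V
    episodes in the collapsed sequence. A same-day overlap (B) breaks the
    chain, and two same-stream episodes separated only by silence do not
    count as alternation."""
    seq = collapsed_labels(a, b)
    return sum(1 for x, y in zip(seq, seq[1:]) if {x, y} == {"V", "P"})


def shift_control(a, b, n_days):
    """Control comparison: slide stream B circularly by every non-zero offset
    and re-score. Each stream keeps its episode lengths and gaps, but any
    relationship between the two is destroyed. Returns the observed score,
    the list of control scores and a one-sided p-value (share of offsets,
    the observed one included, that score at least as high)."""
    observed = alternation_score(a, b)
    controls = []
    for k in range(1, n_days):
        # An episode crossing the wrap-around point is split in two; accepted here.
        shifted = {(d + k) % n_days for d in b}
        controls.append(alternation_score(a, shifted))
    at_least = 1 + sum(1 for s in controls if s >= observed)
    return observed, controls, at_least / n_days


if __name__ == "__main__":
    obs, ctrl, p = shift_control(VEHICLE_DAYS, POST_DAYS, N_DAYS)
    print("collapsed sequence:", collapsed_labels(VEHICLE_DAYS, POST_DAYS))
    print("same-day overlaps:", overlap_days(VEHICLE_DAYS, POST_DAYS),
          "expected under independence: %.2f"
          % expected_overlap(len(VEHICLE_DAYS), len(POST_DAYS), N_DAYS))
    print("alternation score: %d, control mean: %.2f, p = %.3f"
          % (obs, mean(ctrl), p))
```

Two things the toy data make visible. First, the same-day overlap count on its own is weak evidence: with 13 and 17 event days in a 60-day window, independence already predicts about 3.7 coincidences, which is why the score is built on hand-overs between episodes rather than on overlap alone. Second, because both constructed streams run on a roughly weekly rhythm, shifting the posts by a day or so still yields a maximal score, while a four-day shift collapses it to 3 with nine overlapping days; the p-value therefore depends on how regular the streams are, and a control comparison should be read with that in mind.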


Conclusion of This Section

The fines and vehicle detections associated with Dementyev do not simply “fail to overlap” with LockBitSupp posts — they form a stable alternation pattern that may be compatible with the hypothesis of a single operator.

This behavioral pattern warrants further examination and independent verification.

 


12. Confrontation: dossier sent → LockBitSupp responds with $22 million bounty

Imagine this: you are a person with a $10 million bounty on your head.
You are hiding better than anyone in the world of cybercrime.
You have no face on social media, no old photos, no leaks. No traces.
You are the god of ransomware — LockBitSupp.

 

And then a message arrives on Telegram:

“Hello, Evgeny Petrovich. This is part of your dossier. When would it be convenient to discuss?”

 

And you realize: that’s it. The end.

 

This message... it came from me, an anonymous investigator who spent half a year tearing apart the Conti group, published photos of 80+ members, and then reached LockBit.

 

Here is the rest of the story.

On August 1, 2025, I sent LBS on Tox a photo of Evgeny Dementyev with the words:
“By any chance, is your name Evgeny?)”
(this was said with uncertainty; LockBitSupp did not reply and blocked my contact).

On January 5, 2026, I wrote directly to Evgeny Dementyev on Telegram from an anonymous account not connected to GangExposed. I sent part of his dossier (I will attach the full version to this article) with the words:

“Hello, Evgeny Petrovich. This is part of your dossier, I can send the full version. I also have critically important information for you that I would like to share. When would it be convenient for you to discuss?”

Dementyev read it but did not respond. He blocked me, removed his profile picture (no face) from his account, and completely closed incoming messages (except for Telegram Premium).

Such a reaction is a sign of concern.

It was necessary to push him toward actions, toward mistakes.

On January 10, 2026, I wrote in a public chat: “In the next few days I’ll drop an interesting topic about LockBit.” It worked!

The next day, January 11, 2026, an official Telegram account was registered: LockBitSupp Innokentii Petelkin @PetelkinKesha (ID: 8293550563) with the LockBit logo as the avatar.

I verified @PetelkinKesha as an authentic LBS account through his Tox. Independently of me, Tor admin Zireael and another source confirmed this via the LockBit panel Tox and the ReHub forum.

Then he “found” my Telegram channel https://t.me/GangExposed_int and joined my group.

 

He joined my Telegram group and publicly announced a $22 million “bug bounty” for information leading to the identification of the alleged leaker — on the condition that the information be delivered exclusively to him and not shared with U.S. Rewards for Justice or disclosed publicly.


 

Looks like I just wiped out the most expensive bug bounty in ransomware history.

 


13. Who really ran LockBit: why Khoroshev is likely only a front (hypotheses)
Do you remember how, in one of my investigations into Dmitry Khoroshev, I pointed out a very strange episode in his everyday personal history?
Khoroshev may have led or heavily influenced LockBit in its early phase.
Notable: Khoroshev traveled to Moscow May 1–5, 2021.
LockBitSupp nickname first appeared on XSS forum May 14, 2021 (previously only “LockBit” posts).
This could mark a strategic handover, sale of the brand, or elevation of a new operator. Worth further investigation.

14. Conclusion: Evidence Suggests Dementyev May Be Linked to LockBitSupp
The evidence forms a 13-link chain, each element reinforcing the previous:
  1. Khoroshev — long-time malware developer (Pin → NeroWolfe → …)
  2. Concealed Mercedes not registered to him
  3. 2023 crash — owner data falsified
  4. Photos scrubbed from Nomerogram (later restored)
  5. Sold immediately after May 2024 U.S. charges
  6. Vehicle originated from Dementyev’s Moscow LLC “NPG”
  7. Earlier Mercedes fines match Dementyev’s geography
  8. Transfer hidden via fake intermediaries
  9. BMW X6 parked at Dementyev’s owned spot in Khimki
  10. BMW fines — rare long trips to Kaluga region, likely country residence
  11. Three-year perfect alternation between fines and LockBitSupp posts
  12. Zero time overlap; 20+ alternation clusters; statistically near-impossible coincidence
  13. January 2026: dossier sent to Dementyev → subsequent public response → new account + $22M bounty
Dmitry Khoroshev — highly skilled technical specialist, likely early-stage administrator/developer.
Evgeny Dementyev may represent one of the strongest observable candidates for the LockBitSupp operator role, based on the behavioral correlation presented.
LockBitSupp’s operational anonymity may be weakening due to observable behavioral traces.

 


15. Next steps: roadmap for law enforcement and researchers

  • Check other vehicles owned/used by Dementyev (including possible Mercedes sedan seen in Telegram avatar)
  • Verify parking spots 451–453 (Khimki, Moskovskaya 21) and Timiryazevskaya 1 via residents’ chats
  • Locate current primary residence (likely cottage on Kievskoe Highway)
  • Cross-reference Khoroshev’s May 2021 Moscow trip with LockBitSupp debut (possible handover)
  • Reconstruct full trip patterns (days absent, birthdays, etc.) for predictive analysis
  • Identify other LockBit members and Dementyev’s trusted circle
  • Trace shell companies, contacts, financial flows
  • Forum accounts (putinkrab etc.), stylometry vs. older nicknames
  • Photos from documents, biography, China trip (Shanghai), billing, cameras, assets, fake IDs
  • Past carding activity, cover stories, enemies, competitors


16. Thanks to everyone fighting LockBit — now it’s your turn

Gratitude to the researchers, journalists, and agencies who have systematically eroded LockBit for years:
  • Jon DiMaggio (Analyst1) - Ransomware Diaries
  • Allan Liska (Recorded Future)
  • Arda Büyükkaya (Trend Micro)
  • Michael Gillespie (Emsisoft / No More Ransom)
  • Alon Gal (Hudson Rock)
  • Valery Rieß-Marchive (LeMagIT)
  • Brian Krebs (krebsonsecurity.com)
  • Baptiste Robert (special thanks for the photo of Khoroshev’s Mercedes)
  • XOXO (from Prague)
  • BleepingComputer (Lawrence Abrams, Bill Toulas, team)
  • WIRED, Computer Weekly, The Register (Jessica Lyons), Bloomberg (Jake Bleiberg), etc.
  • Chainalysis, Recorded Future, Trend Micro, Secureworks, Prodaft, Flashpoint, Arctic Wolf, MalwareHunterTeam, Sophos, Emsisoft, Hudson Rock, Group-IB, BI.ZONE, Kaspersky
  • Law enforcement: NCA, FBI, Europol, Eurojust, BKA, Australian Federal Police, etc. — and Operation Cronos teams
Their persistent work turned LockBit from “untouchable” to a laughingstock in the cybercrime world.
Media, researchers — this story has global news value.
While the trail is still warm — help verify, amplify, and finish LockBit together.

I need your support, help, and resources to work on exposing the next ransomware group — Qilin, DragonForce