JustPaste.it

Deanon of the LockBit Leader

De-anonymization of LockBitSupp: Evgeny Dementyev as a potential leader of the group

 

UPDATE as of 15.02.2026.
I have added updated data to the timeline table — the exact timestamps of all messages (not rounded to 00:00), included an additional source — LockBitSupp’s posts from the ReHab forum, and added references to the sources. I also updated the screenshots accordingly to match the new data.

In addition, I added an analytical section and a description of the conclusions. The result has become even more precise.

 

In July 2025, my research focus shifted to the LockBit ransomware group, specifically its leader LockBitSupp, who has been publicly identified by the FBI as Dmitry Khoroshev. However, my analysis indicates that he is not the actual leader of the group.

Initial Lead

Dmitry Khoroshev was associated with a Mercedes GLE, license plate о517ет136, VIN: WDC2923241A144235

Drive2 link

fb817a200d25a584a29b09afbede5a5c.jpg

This vehicle is officially not registered to Khoroshev, but to the company LLC “NPG” (INN 9717048612).

 

The CEO and owner of this company is Evgeny Petrovich Dementyev (born 21.07.1987).

7318c7f9dc1229a185b52236c43704a4.png

Factors Worth Noting

  • In 2018–2019, Dementyev took out a credit of approximately 1 million rubles (~$10.000).

  • After 2020, a sharp increase in expenses was observed, including numerous high-value purchases at TSUM (see attached materials).

  • The company has an annual revenue just under 1 billion rubles (~$10 million USD).

  • Lifestyle: private, minimal public activity.

  • Does not leave the territory of the Russian Federation.

Second Vehicle

Dementyev also uses a BMW X6 XDRIVE40I, 2020, license plate K102CX799, which is also registered to LLC NPG.

f4c4704955856bb758896f7eba495fe3.png8f7df01ff09789a58db9badd823e1dfd.png9f54aa86b242b6866e2907c554ab9317.png

Data Collected

I gathered all available traffic fines associated with this vehicle and all public messages of LockBitSupp, and analyzed them chronologically.

Sources:

  • Traffic fines of Dementyev’s BMW K102CX799 — publicly available through services like Autocode (extended report https://avtocod.ru ), AvInfo (extended report), etc. (or https://probiv[.]space/). 

  • Public posts of LockBitSupp on the XSS forum ( https://xss[.]pro accounts: LockBitSupp and LockBit)

  • Public posts of LockBitSupp on the ReHub forum (http://rehubg7wpn5vuwttbzqrzm5epq6ta5mqm6cbfpn7wtukaskzte3ehcyd[.]onion account: LockBit)

  • Messages from LockBitSupp’s Tox messenger (published in an interview by Tor Zirael – file petuh.txt)

  • Public posts of Telegram account Fox William Mulder, ID 7262708360 (official LockBitSupp account, now deleted)

All files are attached to the article.

Timeline Analysis

The overall graphical timeline looks as follows:

5933bd1c340c2460a88a8640d3171973.png

 

I consolidated all this data into a single timeline table 👉 Download, with traffic fines highlighted in yellow for clarity.

The observed pattern allows a high-confidence link between Evgeny Dementyev and the LockBitSupp account.

Examples

Screenshots highlight key points in red. The content of messages is irrelevant — only the dates and metadata were analyzed.

 

4c60bea015f4ce5b7d13a13f733ffd16.png

b1bcacef1749d79f8cb1ededd3474906.png

0469b569898d7302c0fbbd390bae9b8e.png

fa503982ac009740e795c68984eba4d8.png

6ab7d1c4d3f3da157734802fa3b7ec17.png

e41f0771412d65081a9f3e89a783c700.png

 

Note: You can collect more precise data and replicate the analysis independently — all sources are open, links provided.

 

This discovery is the result of several days (and even weeks) of meticulous work.
I plan to describe the methodology in a separate article or an interview.