JustPaste.it

LockBit Investigation: Dmitry Khoroshev

LockBit Investigation: Dmitry Khoroshev

Author: GangExposed
Publication date: July 30, 2025 (Translated into English on January 29, 2026)

🇷🇺 Версия на русском

 

c7bcd375a360863a20d779510f562c40.jpg

Introduction: Why This Investigation Matters

In February 2024, the FBI and the UK National Crime Agency publicly accused Dmitry Khoroshev, a resident of Voronezh, Russia, of allegedly being LockBitSupp — the leader of one of the most notorious cybercriminal groups of the modern era.

This announcement caused significant resonance within the professional cybersecurity and OSINT communities.

I conducted an independent OSINT investigation based on unique and previously unpublished data, including:

  • recovered messages from Khoroshev’s Telegram account,

  • airline ticket purchase records,

  • hotel accommodation data,

  • real estate transaction records,

  • employment history and salary information of all family members.

The results of this analysis not only contradict the official version — they render it logically, factually, and practically untenable.

Update and Addendum — January 29, 2026

After analyzing all public research related to LockBit, as well as newly discovered evidence, I can now state with full confidence that Dmitry Khoroshev was directly connected to the LockBit group and acted as a technical operator.

Looking far ahead, I have also managed to identify the real leader of LockBit — LockBitSupp, establish his identity, and collect supporting evidence. This will be disclosed in my next article.

 

For now, let us return to Dmitry Khoroshev.

1. Key Findings: What I Discovered

1.1. Real Residential Addresses — No Staging or Cover Legend

Residential and delivery addresses:

  • Voronezh, Kaliningradskaya St., 108–61

  • Voronezh, Shishkova St., 72/5–165

  • Voronezh, Pobedy Blvd., 50–89

  • Voronezh, Antonova-Ovseenko St., 31 (pickup point)

  • Voronezh, Mazlumova St., 25a (office building)

  • bbafdb59878a4f34fe2f2f683593fc60.png8e97c61729bd2220dcf9e6fa287da26b.png

Housing characteristics

All locations are:

  • standard Soviet-era panel apartment blocks or ordinary modern buildings,

  • no security, no gated territory, no barriers, no concierge,

  • no underground parking.

There is not a single attempt to conceal the real place of residence.

All purchases — food, household appliances, baby products, electronics — are ordered to these same addresses using the phone numbers of Dmitry and his wife.

This is not a fabricated legend — it is ordinary daily life.

1.2. Consumption Pattern and Cost-Saving Behavior

Purchase details

  • Average order value: 500–2,000 RUB (≈ $5–20)

  • Large one-time purchases (up to 120,000 RUB ≈ $1,200) — household appliances only

  • No luxury brands

  • No premium electronics

  • No elite consumer goods

Travel and hotels

  • Airline tickets exclusively economy class, cheapest fare categories (V, X, O, U, B, E)

  • Hotels: mid-range, three-star hotels (Sochi, Crimea)

Single exception in five years:

  • Mövenpick Moscow Taganskaya — 14,000 RUB per night (≈ $140–155)
    A budget five-star hotel, isolated incident.

  • 748dcfc1fb0b229c8e00e57a07c928e9.png

Mining farm

  • Configuration: 6× RTX 3080 Ti + 6× RTX 3060

  • Estimated cost: ≈ $10,000 USD

Telegram correspondence shows:

  • constant discussions on how to save 2,000–3,000 RUB per year (≈ $20–30) on electricity,

  • concern that the mining farm might never break even,

  • communication style of a hobbyist miner counting every expense.

2. Financial and Asset Profile: No Signs of Wealth

2.1. Real Estate and Vehicles

  • Apartment 81.4 m² in a nine-story panel building

    • shared ownership with parents and brother

    • sold in 2024

  • Wife owned:

    • apartment 43.5 m²

    • small commercial property 80.4 m²

  • Land plots:

    • ordinary summer cottage land

    • not elite real estate

    • market value 500,000 – 1.5 million RUB (≈ $5,000–15,000)

  • Vehicles:

    • Mazda 6 (2017)

    • Geely Coolray (2023)

Both are mid-range cars — no luxury vehicles.

2.2. Financial Activity

LLC “VIPGEO”

  • 2022 revenue: 1.01 million RUB (≈ $10,000–11,000)

  • Net profit: 29,000 RUB (≈ $300)

  • Salary: 17,000 RUB/month (≈ $170–190)

Additional facts:

  • 9 arbitration court cases as defendant

  • Lost approximately 89% of cases

  • Total claims: ≈ 935,000 RUB (≈ $9,500–10,000)

  • 4 enforcement proceedings (including completed ones)

  • Total claims as of April 2025: ≈ 93,600 RUB (≈ $950–1,050)

  • Company liquidated for false registration data

  • Removed from the Russian business registry on May 19, 2025

3. Social and Family Context

  • Mother — kindergarten teacher

  • Father — welder / mechanic

  • Brother — convicted on drug-related charges

  • Wife — cashier at the “Magnit” grocery supermarket

All family members live in ordinary panel apartment buildings, with no indicators of elite consumption or hidden wealth.

4. Digital Footprint, Technical and Behavioral Analysis

  • Phone number: +7 952 102-02-20
    Used for:

    • deliveries

    • banking notifications

    • government services

    • household purchases

    • electronics and subscriptions

  • Telegram activity:

    • mining discussions

    • household purchases

    • constant focus on saving money

Important technical note

Digital trace analysis shows that Khoroshev is not simply an “IT specialist.”

His historical activity indicates:

  • deep involvement in malware development,

  • participation in underground forums,

  • strong knowledge of C/C++ and cryptography,

  • development and sale of malware between 2010–2016,

  • participation in discussions on bypassing Windows security mechanisms,

  • creation of tools for the cybercrime market.

After 2016:

  • underground activity sharply declines,

  • digital footprint becomes maximally domestic and transparent.

5. Comparative Analysis: Why the FBI Version Does Not Hold

5.1. Profile Mismatch

  • No signs of wealth
    No luxury real estate, no premium vehicles, no foreign travel, no offshore assets.

  • No attempt to hide daily life
    All addresses, deliveries, bookings are real and easily traceable.

  • No operational security behavior
    Open digital footprint, lack of basic OPSEC — completely inconsistent with the leader of a RaaS organization.

5.2. Alternative Explanations

  • Technical contractor or architect
    Khoroshev could have participated as a developer or consultant during early stages.

  • Front figure or decoy
    His digital footprint may have been used by the real LockBit leader to divert attention.

  • FBI analytical error
    U.S. authorities lack access to Russian domestic databases and household-level data, leading to conclusions based solely on surface-level digital indicators.

6. Unique Findings of This Investigation

  • None of the residential addresses meet even the minimum security level expected for someone allegedly controlling tens of millions of dollars.

  • All large purchases are purely domestic — not investment-related.

  • Mining farm is the maximum financial capacity observed — and even there:

    • constant cost-cutting,

    • configuration errors,

    • ROI discussions at the level of $20–30 per year.

  • Even Khoroshev’s brother lives better:

    • Audi A4 (2019)

    • mortgaged apartment

Dmitry himself remains a person with a technical underground past — but without any financial outcome from it.

7. Conclusion: Dmitry Khoroshev Is Not LockBitSupp

My analysis, based on unique and verifiable data, demonstrates:

  • Dmitry Khoroshev is not the leader of LockBit.

  • His finances, lifestyle, and behavioral patterns are fundamentally incompatible with the profile of a ransomware syndicate head.

The FBI version is incorrect.

However, considering his technical background and underground activity between 2010–2016, it is plausible that:

  • Khoroshev participated in the early technical development of LockBit,

  • acted as a developer, contractor, or consultant,

  • did not control finances, strategy, or organization leadership.

Most likely, he is a technical subcontractor whose digital traces were later used by the true organizer of LockBit.

8. Appendices and Supporting Materials

Available in archive and via link:

 

👉  https://justpaste.it/il812

 

Includes:

  • Dmitry Khoroshev dossier (earlier publication) 

  • Timeline and phone number analysis

  • Dossier of Alexander Khoroshev (brother)

  • Dossier of Ekaterina Kurdyumova-Khorosheva (wife)

  • Full order, call and delivery records

  • Photographs of all residential buildings and hotels

  • Airline and booking data

  • Family dossier

  • Recovered Telegram messages

  • Mining farm analytical report

  • VIPGEO company financial analysis

  • Real estate analysis

  • RAW OSINT datasets

Archive link — https://mega.nz/file/x8oHjSKQ#n30LTwM0OeLJr5AqklCCsl-e_yytbKCKkIbqzUJ5kHg

9. Recommendations for the Professional Community

  • Conduct OSINT investigations using real household and asset footprints, not digital coincidences alone.

  • Verify official accusations through financial and lifestyle consistency analysis.

  • Apply a comprehensive approach: digital traces must be correlated with offline life, biography, environment, and consumption behavior.

 

UPDATE

While analyzing the public messages of LockBitSupp, I managed to identify an additional small indirect piece of evidence.

Approximately at the same time when LockBitSupp was posting a message on the XSS forum, Dmitry Khoroshev received a speeding ticket.

Traffic Police Fine (GIBDD)

License plate: 0570ET136 Fine ID: 18810536230529097308

Date and time of violation: May 29, 2023 — 20:59

Status: paid Amount: 500 RUB (≈ $5) Violation: Speeding by 20–40 km/h

Offender details: Vehicle Registration Certificate (STS): 99 44 471536

Administrative Code Article: Article 12.9, Part 2

Description: Exceeding the established vehicle speed limit by more than 20 km/h but not more than 40 km/h.

Issuing authority: Center for Automated Traffic Enforcement (CAFAP)
Traffic Police Directorate of the Ministry of Internal Affairs for the Voronezh Region

Resolution number: 18810536230529097308

Resolution date: May 29, 2023

Forum Message

Date: 29.05.2023 20:12:00
User: LockBitSupp
Post #170

Guys, does anyone have a crack for this software:
https://www.tetrane.com/Reven-pricing.html ?

I specifically need the enterprise version.

Or maybe someone can help break their infrastructure and extract the source code?

Or help identify the owner of this software so I can send a couple of my Black friends to his home…

Note for Researchers

This method may potentially allow the discovery of additional corroborating evidence.

I will publish detailed data on Khoroshev’s vehicle fines in the appendix.

It is also possible to correlate flight dates and times with forum activity. I have already noticed similar chronological inconsistencies, which I will describe in a separate paper.

P.S. All materials are available for independent verification.
If you possess additional data or questions — contact me to continue the investigation.

Note

This investigation is based exclusively on:

  • open-source information,

  • verified digital traces,

  • official registries and documents.

No facts were fabricated or distorted.
All conclusions can be independently verified.

Contact information: