Skip links

Ukrainian police arrest father and son in suspected LockBit affiliate double act

Today’s edition of the week-long LockBit leaks reveals a father-son duo was apprehended in Ukraine as part of the series of takedown-related arrests this week.

The National Police of Ukraine (NPU) confirmed the relationship of the pair after they were arrested at the request of the French government. 

When the takedown was officially announced on Tuesday, February 20, it was made clear that two arrests had been made in Ukraine and Poland, but we now know the single arrest in Ukraine was actually of two affiliates.

According to the NPU’s statement, the father-son duo was responsible for attacks against individuals, businesses, public sector institutions, and healthcare facilities in France specifically.

The NPU also pegged LockBit’s total number of attacks at more than 3,000 over the course of its four-and-a-half years in operation – an increase on the US Department of Justice’s (DOJ) estimate of more than 2,000.

Given the large number of attacks, it’s also likely that the pair were responsible for attacks in other jurisdictions too.

The identities of the affiliates haven’t been revealed, but the seizures were made following a house search in Ternopil, a city in western Ukraine.

In a post published to the LockBit website, now hijacked by law enforcement, Operation Cronos representatives said:

A little more information about that arrest made in Poland has also now been revealed. Polish authorities, along with French police officers and a Europol analyst, located a 38-year-old man in Warsaw this week who was later charged with criminal offenses.

Again, the identity of the man has been kept secret because, as Operation Cronos explained in a LockBit website post, the French legal framework upholds a greater degree of secrecy in its investigations.

However, the same post referenced an arrest warrant issued on Tuesday for a Polish man linked to the money laundering of 30 ransom payments, and that he was now in cuffs. 

Polish police also published a video of the 38-year-old’s arrest, showing glimpses of the man’s home, car, and plethora of devices.

The instructive judges of the Paris Judicial Court have also issued an arrest warrant for a Russian LockBit affiliate, but authorities haven’t been able to make the arrest yet.

The three arrests made this week bring the total number of people suspected to be LockBit affiliates in handcuffs to five.

Both Mikhail Vasiliev and Ruslan Magomedovich Astamirov were previously taken in by US authorities in 2022 and 2023 respectively, and are currently awaiting trial.

Vasiliev, who has dual Canadian and Russian citizenship, faces up to five years in prison and a fine of up to $250,000 or twice the monetary losses his actions caused, whichever is greater.

Astamirov was only 20 years old when he was arrested following his attendance at a voluntary interview in Arizona last year. 

He was linked to a number of online accounts, including a cryptocurrency address that received 80 percent of a known ransomware payment. 

That’s in the region of a typical LockBit affiliate’s cut of a ransomware score, which suggests he was the one responsible for that attack on an unidentified organization. Although, the Feds did say the attack was conducted around April 2023.

The US has also indicted two other Russian nationals this week, Artur Sungatov and Ivan Kondratyev, alleged LockBit members but given their Russian location, it is unlikely to make an arrest unless they step into a country that has an extradition agreement with the US.

The same goes for Mikhail Pavlovich Matveev who was similarly indicted in May 2023, facing charges that could land him more than 20 years in a US prison, should the feds ever get their hands on him.

Snitches get riches

This week also saw the US announce a lofty cash prize for anyone who could offer helpful information that could help bring LockBit’s members to justice.

The US State Department will offer $10 million to anyone who can provide it with information leading to the identification or location of LockBit’s leadership team.

A further $5 million is also up for grabs to anyone with information that leads to the arrest and/or conviction of any LockBit member in any country, regardless of rank.

Any information can be communicated to the FBI via email or via its Telegram channel, which is also trolling the now-dismantled group beyond what the NCA has already done with its website, by taking on the moniker of LockBit’s public spokesperson, LockBitSupp.

The Telegram account’s display name is “FBI Supp” – the latest effort from authorities to make a joke of the criminals. The dedicated email address for tips is also, carrying on the joke.

The $15 million reward announcement follows an almost identical one made last week by the US State Department, this time putting a bounty on information about the ALPHV/BlackCat group.

Feds tried to bring down the group in December 2023, but the criminals regained control over the course of a few days – a rarity in law enforcement takedown operations. ®