0:04 June 2024, US Federal Reserve. 33
0:06 terabytes of America's banking secrets
0:08 just vanished. The ransom note is on
0:11 every screen and has one message. Fire
0:13 your negotiator.
0:17 $50,000 is insulting. That crab, its
0:19 Lockbit signature, the world's deadliest
0:22 ransomware. Behind it sits one man,
0:25 Dmitri Khoroshev, with 2,000 companies
0:29 across 120 countries, Boeing, hospitals,
0:33 banks, even the FBI itself. More than
0:36 $100 million and counting. Here's what's
0:39 insane. Police know exactly who he is.
0:41 They've seized his servers, arrested his
0:44 gang, and put a $10 million bounty on
0:47 his head. Right now, as you watch this,
0:49 Dmitri controls 40% of all ransomware
0:52 attacks worldwide. He built crime like
0:55 McDonald's built burgers as a franchise.
0:57 Hackers log in, pick a target, split the
1:00 profits. But how does one man control
1:02 half of the hacks on the internet? And
1:09 Autumn 2019. Voronezh, Russia. A
1:12 26-year-old programmer sits in a cramped
1:14 apartment, fingers flying across a
1:17 keyboard. By day, he's Dmitri Khoroshev.
1:20 Online, he's LockBitSupp, a faceless
1:23 alias on Russian hacker forums. But
1:25 there's something else he is that nobody
1:27 knows yet. Something that will explain
1:30 everything about how he thinks, how he
1:31 operates, and why traditional law
1:33 enforcement will never catch him using
1:35 conventional methods. Surrounded by
1:37 empty energy drink cans and glowing
1:40 screens of code, Dmitri isn't plotting
1:43 a single bank heist or a one-off virus.
1:45 His vision is bigger. He's about to flip
1:48 the hacking world on its head. Instead
1:50 of running with a traditional gang,
1:51 he'll be the godfather of an army of
1:54 freelancers. In that dim room, Dmitri
1:57 pieces together a new kind of ransomware
2:00 as a service platform. The concept: he
2:02 provides the sophisticated malware and
2:05 infrastructure. Other criminals,
2:07 affiliates, do the dirty work of
2:10 breaking into targets. When an affiliate
2:12 snags a victim and a ransom is paid,
2:15 Dmitri takes a cut off the top. Not a
2:19 crew, a franchise. Not a hacker, a CEO
2:22 of cyber crime. But why would hardened
2:24 criminals trust a 26-year-old they've
2:27 never met? The answer lies in a single
2:30 line of code Dmitri wrote. A fail-safe
2:32 that would later save his empire when
2:35 everything seemed lost. In a matter of
2:38 months, his creation goes live on the
2:41 dark web. It's called Lockbit. The
2:43 branding is sleek by underworld
2:45 standards, a secret website where
2:47 affiliates can log in, generate custom
2:49 ransomware payloads with point-and-click
2:51 ease, then track their victims on a
2:54 dashboard. There's even customer support
2:57 of sorts for negotiation, and a public
2:59 leak site that names and shames victims
3:02 who don't pay by publishing stolen data.
3:04 Each victim's name on the list comes
3:07 with a ticking countdown. Pay up or your
3:09 secrets go public. For hackers looking
3:12 to make a quick buck, it's a gold rush.
3:15 Dmitri offers an attractive deal. 80%
3:17 of each ransom goes to the affiliate.
3:20 20% flows back to Lockbit's vault. It's
3:22 crime as a service. Highly profitable
3:26 and brazenly efficient. By 2021, the
3:29 Lockbit franchise explodes. Version 2.0
3:31 of the malware is even more potent. And
3:33 word spreads in every dark corner of the
3:35 internet. If you want to hold a
3:37 company's data hostage, Lockbit is the
3:40 tool of choice. That summer, Lockbit
3:41 makes headlines by hitting one of the
3:43 world's biggest tech consultancies,
3:45 Accenture, leaking thousands of
3:48 documents and demanding $50 million.
3:51 Cyber security experts scramble. This
3:53 upstart ransomware is running circles
3:56 around corporate defenses. With each
3:58 strike, Dmitri's reputation in
4:00 underground circles grows. He's known
4:03 only by his alias, but affiliates praise
4:05 how professional the operation is.
4:08 Updates roll out like software releases.
4:10 There's even a bug bounty program.
4:14 Lockbit 3.0 launches in 2022 with an
4:16 invitation for hackers to find flaws in
4:18 the malware, paying rewards up to $1
4:21 million, a twisted parody of Silicon
4:24 Valley innovation. What nobody realizes
4:26 is that Dmitri is deliberately leaving
4:28 one specific bug unfixed. A bug he
4:30 discovered himself. A bug that would
4:33 later become his insurance policy.
4:36 Lockbit's numbers are staggering. By
4:39 late 2023, it's estimated to be behind
4:42 nearly 40% of all ransomware attacks
4:44 worldwide. Dmitri's ransomware has
4:47 devoured over 2,000 victims in at least
4:50 120 countries, from small businesses to
4:53 giant multinationals and extracted more
4:56 than $100 million in ransom payments.
4:58 The group's leak site reads like a hall
5:00 of shame for global corporations,
5:02 hospitals, banks, airlines, government
5:06 agencies. Nothing is off limits. Every
5:08 week, another household name company
5:10 finds its data locked and a Lockbit
5:13 timer counting down. And all the while,
5:15 the identity of Lockbit's mastermind
5:18 remains a mystery. Dmitri sits quietly
5:20 behind his many screens, watching his
5:22 empire funnel riches into his crypto
5:26 wallets. But he made a mistake. Three
5:28 mistakes actually. The first one
5:29 happened on a Tuesday morning when he
5:31 did something incredibly ordinary. He
5:34 ordered pizza. The second mistake, he
5:37 was about to make it in exactly 47 days.
5:39 The thing is, did someone notice? And
5:41 why would ordering pizza matter to the
5:43 FBI? More importantly, what was that
5:45 fail-safe? And how would it save him
5:49 when Operation Cronos struck?
5:52 February 19th, 2024,
5:54 London, pre-dawn.
5:57 Inside a fortified cyber command center,
5:59 a dozen analysts watch a wall of
6:02 monitors with grim focus. They've spent
6:04 months hunting the Lockbit crew, and
6:07 today they're ready to strike back. At
6:11 exactly 5 a.m. GMT, a coordinated raid
6:14 unfolds across seven countries. In
6:16 Amsterdam, Dutch police swoop into a
6:17 data center and pull the plug on
6:20 critical servers. In Frankfurt, officers
6:22 seize racks of blinking machines
6:24 suspected to be part of Lockbit's
6:26 backend. Simultaneously in the United
6:29 States, France, and beyond, agents hit
6:32 34 targets: web servers, proxy nodes,
6:34 storage drives, any piece of
6:35 infrastructure with Lockbit's
6:37 fingerprints. It's the largest ever
6:40 crackdown on a ransomware syndicate. Or
6:42 so they think. Because remember that
6:44 pizza Dmitri ordered? The delivery
6:46 address wasn't his apartment. It was one
6:48 of these data centers. And the name on
6:50 the receipt? That's where things get
6:53 interesting. Within minutes, Dmitri's
6:56 prized dark web portals go black.
6:59 Lockbit's leak site, once boasting about
7:02 new victims daily, suddenly disappears.
7:05 On an underground forum, affiliates
7:07 frantically message one another, "Server
7:10 not found. What's happening?" Panic
7:12 spreads in the ranks of cyber criminals
7:14 who relied on Lockbit's platforms to run
7:16 their extortion schemes. For law
7:18 enforcement, this is a very visible
7:21 victory. But they aren't done. In a bold
7:23 twist, investigators had prepared
7:25 something special for the gang's public
7:27 site. Instead of simply shutting it
7:30 down, the UK National Crime Agency
7:32 hijacks it. The infamous countdown
7:34 timers on the Lockbit blog, used to
7:36 pressure victims, are now ticking towards
7:38 something else.
7:40 Visitors who find the new site see a
7:43 series of leaks about Lockbit itself. In
7:45 place of company names and ransom
7:46 demands, there are snippets of the
7:49 gang's secrets dropped one by one. The
7:52 hunters have turned the tables. One timer
7:54 is labeled "Lockbit leader identity
7:58 reveal" and counts down ominously. For
7:59 the first time, LockBitSupp feels the
8:02 heat turn back on him. Or does he?
8:04 Because at that exact moment, Dmitri
8:07 is doing something nobody expected. He's
8:09 smiling and typing just four words into
8:12 a secure chat. Four words that would
8:14 change everything. Over the next few
8:17 days, more blows land. Authorities
8:20 announce arrests. A Lockbit affiliate is
8:23 caught in Ukraine. Another in Poland.
8:24 These are hackers who deployed the
8:27 ransomware on victims. Partners in
8:30 Dmitri's franchise. The dominoes are
8:33 falling. Meanwhile, forensic analysts
8:35 pore over the seized servers. What they
8:38 uncover is a treasure. Lockbit's own
8:40 records. Here's where it gets weird.
8:43 They find a database listing 188
8:46 affiliates and one seized crypto wallet
8:48 alone holds thousands of Bitcoin worth
8:51 tens of millions of dollars.
8:53 Investigators even retrieve hundreds of
8:54 decryption keys for Lockbit's
8:57 ransomware. Keys that can free files on
8:59 infected computers. Within a week, a
9:01 free decryptor tool is released to help
9:04 prior victims recover their data,
9:06 robbing Lockbit of leverage over those
9:09 targets. In press conferences, officials
9:14 from the FBI, NCA, and Europol all declare a
9:16 major victory. For the first time, it
9:18 looks like the ransomware kingpin has
9:21 been struck a serious blow. But amidst
9:23 the back-patting and headlines, one
9:26 uncomfortable truth looms. The Lockbit
9:29 mastermind himself remains in the wind.
9:32 In Voronezh, Dmitri watches the seizure
9:35 notices on three separate screens. His
9:38 jaw clenches. Years of work. Gone in 5
9:40 hours. His encrypted phone buzzes
9:43 non-stop. Affiliates demanding answers.
9:45 Some threatening him. His empire is
9:48 hemorrhaging $3 million a day. He stands
9:51 up, walks to his window. Outside,
9:54 Russian snow falls on empty streets. Not
9:56 a single cop car in sight. They can
9:58 seize his servers, but can't touch him
10:02 here. He cracks his knuckles. Types four
10:04 words into a secure chat. "Give me 4
10:07 days." 4 days? What will he make in 4
10:10 days?
10:14 On February 24th, 2024, a new Darknet
10:16 address starts circulating in hacker
10:20 circles. Lockbit is back. Despite dozens
10:23 of servers seized, Dmitri had backups.
10:24 He had quietly segmented his
10:27 infrastructure, so Operation Cronos only
10:29 knocked out part of his network. Now he
10:32 executes his contingency plan. He spins
10:34 up fresh servers, strengthens passwords,
10:36 and posts a defiant message to his
10:39 affiliates. We're not done. In an online
10:42 chat, LockBitSupp claims law enforcement
10:44 merely exploited a known bug in some
10:47 outdated software, scoffing that such an
10:49 attack won't work twice. To prevent
10:52 another takedown, he decentralizes
10:54 everything. The Lockbit affiliate portal
10:56 is split across dozens of obscure
10:58 servers, each only accessible to vetted
11:02 partners. He dubs this rebuild Lockbit
11:05 4.0, a new version of his empire, more
11:08 resilient and paranoid than ever. The
11:10 comeback comes with theatrical flair.
11:12 The relaunched Lockbit leak site
11:16 brazenly lists a slew of new victims.
11:19 Some are real, some pure bluff. In one
11:22 stunt, the FBI's name appears as a
11:24 victim on the site. An obvious lie, but
11:27 the message is clear. Dmitri is
11:29 thumbing his nose at the feds. He even
11:31 reposts data from old hacks and makes
11:33 outrageous threats, at one point
11:35 claiming he'd expose secret documents
11:38 from a Trump-related court case. It's
11:41 propaganda meant to make Lockbit
11:43 look as dangerous as ever. But behind
11:46 the bluster, the reality is mixed. The
11:48 Cronos crackdown rattled Dmitri's
11:51 operation. Internal leaks by police
11:53 reveal embarrassing details. Apparently,
11:55 over half of Lockbit's affiliates never
11:57 received any payout from their hacks.
11:59 Many got scammed or arrested before
12:02 seeing the profits. Wait, let's say that
12:05 again. Over half never got paid. But if
12:08 half the affiliates never got paid, that
12:11 means Dmitri kept roughly 75% of all
12:14 ransom money, not 20% like he claimed.
12:16 These revelations sow distrust in
12:19 Dmitri's ranks. Some would-be cyber
12:21 criminals start to wonder if partnering
12:25 with Lockbit is worth the risk. May 7th,
12:27 2024.
12:29 The US Attorney General steps up to a
12:30 podium and unseals a stack of
12:33 indictments. For the first time, Dmitri
12:36 Yuryevich Khoroshev is called out by name as
12:38 the creator and admin of Lockbit.
12:40 The announcement is coordinated with
12:44 allies. The UK and EU issue sanctions,
12:46 freezing any assets Dmitri holds in
12:48 their jurisdictions. The US State
12:50 Department announces a bounty of $10
12:52 million for information leading to his
12:56 arrest. A delicious irony. Dmitri once
12:58 arrogantly offered $10 million of his
13:00 own to anyone who could dox him,
13:03 convinced he was untraceable. Now that
13:06 exact sum is on his head. But there's
13:08 something about that $10 million bounty
13:10 that doesn't add up. The FBI has paid
13:12 out that exact amount only three times
13:15 in history. All three times the target
13:18 was captured within 60 days. It's been
13:20 200 days since Dmitri's bounty was
13:23 announced. Why is he still free? The
13:26 answer is simple and terrifying. Someone
13:28 doesn't want him caught. But who and
13:33 why? But exposure is not capture. Back
13:35 in Russia, Dmitri remains a free man
13:37 protected by a government that has never
13:39 extradited its hackers to the West. He
13:42 has little to fear on home soil. In
13:44 fact, as the world condemns him, he
13:47 seems almost to shrug. Reports suggest
13:49 he continues to live openly in his
13:52 hometown. No secret bunker or frantic
13:54 escape. He's literally tending his
13:56 garden. Neighbors see a quiet
13:59 31-year-old going about daily life, even
14:01 as the FBI plasters his name on most
14:03 wanted lists. But unless he makes the
14:05 mistake of vacationing in a country with
14:08 an extradition treaty, Dmitri is
14:12 untouchable. By early June 2024, barely
14:14 a month after being unmasked, Dmitri
14:16 decides to prove that neither arrests
14:19 nor bounties have slowed him down. In a
14:21 dramatic show of force, Lockbit's new
14:23 iteration claims to breach an
14:24 institution at the core of global
14:27 finance, the US Federal Reserve.
14:29 Remember that first screen flicker 3
14:31 weeks before the attack? That was
14:33 Dmitri's second mistake, testing his
14:36 access too early. But his third mistake,
14:38 the one that could destroy everything,
14:40 he used the same pizza delivery service
14:43 for his victory celebration. Same fake
14:46 name, same data center address. And this
14:49 time, someone was watching. Someone
14:50 who'd been waiting for exactly this
14:54 pattern. It's a heist that would dwarf
14:57 all others. 33 terabytes of Federal
15:00 Reserve data allegedly in their hands.
15:01 Skeptics wonder if the gang really
15:03 infiltrated the Fed or if they're
15:05 piggybacking on a lesser incident at a
15:08 contractor bank. Either way, the ransom
15:10 demand is made public and the clock
15:12 starts ticking. The hackers post a smug
15:14 note ordering officials to hire a better
15:17 negotiator and ridiculing their offer of
15:19 $50,000.
15:21 The implication is clear. Dmitri
15:23 Khoroshev, now one of the most wanted men
15:26 on the planet, is openly poking the
15:30 bear. Is he truly untouchable? The once-
15:32 invincible king of ransomware has been
15:34 named and shamed, yet he continues to
15:37 operate in plain sight. Governments
15:39 scrambled his infrastructure and
15:41 splashed his photo across the evening
15:43 news. Yet here he is still dictating
15:46 terms to the West. It seems absurd. It
15:49 feels infuriating and it forces a bleak
15:53 question. After all the takedowns, task
15:55 forces, and talk, can anyone really stop