1 October 2024

Law enforcement agencies announce more arrests linked to Evil Corp, LockBit gangs



In a new series of actions targeting LockBit ransomware actors and the group’s infrastructure, police arrested four suspects and seized servers critical for LockBit’s infrastructure.

According to Europol, a suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities apprehended two individuals for supporting the activity of a LockBit affiliate.

The Spanish police seized nine servers that were part of the ransomware’s infrastructure and arrested an administrator of a bulletproof hosting service used by the ransomware group. In addition, Australia, the United Kingdom and the United States implemented sanctions against an actor whom the UK’s National Crime Agency had identified as a prolific affiliate of LockBit and strongly linked to the Evil Corp cybercrime syndicate. The UK authorities sanctioned fifteen other Russian citizens for their involvement in Evil Corp’s criminal activities, while the US also sanctioned six citizens and Australia sanctioned two.

The NCA’s in-depth investigation revealed Evil Corp’s extensive history, beginning as a Moscow-based financial crime syndicate and evolving into a major cybercrime organization responsible for extorting over $300 million from global victims, including healthcare institutions and government agencies.

Evil Corp's alleged leaders, Maksim Yakubets and Igor Turashev, were indicted in the United States in 2019 and subsequently sanctioned. Their criminal activities, including the deployment of BitPaymer and Dridex malware, targeted financial institutions across more than 40 countries. The latest UK sanctions expand the list of designated individuals, including Yakubets' father and father-in-law, who were instrumental in enabling Evil Corp’s operations.

One key figure now under international scrutiny is Aleksandr Ryzhenkov, a close associate of Yakubets. Ryzhenkov has been identified as a LockBit affiliate through Operation Cronos, an NCA-led global initiative to dismantle the ransomware network. Investigators uncovered Ryzhenkov’s involvement in numerous LockBit attacks, and the US Department of Justice has charged him with using BitPaymer ransomware to target American organizations.

While LockBit had previously distanced itself from Evil Corp’s activities, the sanctions and arrests indicate a deeper connection, with affiliates crossing between different criminal organizations to evade law enforcement and maintain their illicit operations.

Evil Corp’s long-standing ties to the Russian state have also come under the spotlight. Eduard Benderskiy, Yakubets’ father-in-law and a former FSB official, played a key role in fostering Evil Corp's relationship with Russian intelligence, enabling cyberattacks and espionage against NATO allies. Despite disruptions caused by US sanctions in 2019, Benderskiy’s influence helped protect the group from internal Russian authorities.

However, the 2019 sanctions disrupted Evil Corp’s operations, forcing the syndicate to adapt its tactics and develop new ransomware strains such as WastedLocker and PhoenixLocker. Many members of the group shifted towards using ransomware developed by other criminal networks, such as LockBit, rather than their own proprietary tools.

