Suspected Developer of Crypters for LockBit and Conti Arrested in Kyiv
A 28-year-old man suspected of collaborating with the Conti and LockBit ransomware groups has been arrested in Kyiv. Authorities believe the detainee developed a crypter for these ransomware operators, helping them evade antivirus detection, and personally carried out at least one attack.
The suspect, a native of the Kharkiv region whose name has not been disclosed, was arrested on April 18, 2024, at the request of the Netherlands as part of a large-scale law enforcement operation codenamed Operation Endgame. During this operation, more than 100 servers used by major malware loaders—including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC—were seized. Since Conti used some of these tools for initial access to compromised machines, the evidence led investigators to the alleged crypter developer.
According to the Ukrainian Cyber Police, the arrested individual is a specialist in developing custom crypters used to package ransomware payloads so that they appear to be harmless files and go undetected by popular antivirus products. It is believed that he sold his crypting services to the Conti and LockBit groups, significantly increasing hackers’ chances of successful attacks on compromised networks.
The Dutch police also reported on the arrest, mentioning an attack involving extortion against an unnamed Dutch international corporation. Law enforcement stated that in 2021, the suspect personally carried out this extortion attack using Conti malware.
During searches in Kyiv and the Kharkiv region, authorities seized computer equipment, mobile phones, and handwritten notes from the suspect for further examination.
If found guilty of “unauthorized interference with the operation of information (automated), electronic communication, information and communication systems, or electronic communication networks,” the suspect faces up to 15 years in prison.