OFAC Sanctions LockBit Ransomware Leader in Global Crackdown
OFAC has designated Dmitry Yuryevich Khoroshev as the leader of the LockBit ransomware group, imposing strict sanctions prohibiting any transactions, including ransom payments.

Treasury Imposes Sweeping Sanctions on LockBit Ransomware Administrator
**Washington D.C.** – The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced on May 7, 2024, the designation of Dmitry Yuryevich Khoroshev, a Russian national, as the administrator and developer of the notorious LockBit ransomware group. The action, part of a coordinated international effort, aims to disrupt one of the world's most prolific and destructive cybercrime syndicates. These **LockBit ransomware sanctions** represent a significant step in holding cybercriminals accountable and signal a clear prohibition on paying ransoms to the group.
The designation was conducted in close partnership with the U.S. Department of Justice (DOJ), the United Kingdom’s National Crime Agency (NCA), and the Australian Federal Police (AFP). Concurrently, the DOJ unsealed a 26-count indictment against Khoroshev, and the U.S. Department of State announced a reward of up to $10 million for information leading to his arrest or conviction.
The Designation: Key Details
* **Issuing Authority:** U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) * **Designated Individual:** Dmitry Yuryevich Khoroshev * **Date of Designation:** May 7, 2024 * **Basis for Sanctions:** Khoroshev was designated pursuant to Executive Order 13694, as amended, for being responsible for or complicit in cyber-enabled activities that pose a significant threat to the national security, foreign policy, or economic health of the United States. * **Associated Group:** LockBit * **Typology:** Ransomware-as-a-Service (RaaS) operator, developer, and administrator.
This action builds on "Operation Cronos," a February 2024 operation led by the NCA that seized control of LockBit’s primary platform and compromised its entire criminal enterprise. During that operation, law enforcement gained control of the group's darknet leak site, using it to expose LockBit's operations and data.
The LockBit Threat: A Prolific RaaS Operation
Since its emergence around 2019, LockBit has operated a Ransomware-as-a-Service model. In this structure, Khoroshev and his associates developed the ransomware code and infrastructure, which they then licensed to a global network of affiliates. These affiliates conduct the attacks, and the profits—extorted through ransom payments—are split between the affiliates and the LockBit administrators.
According to the DOJ indictment, LockBit has been deployed against over 2,500 victims worldwide, including at least 1,800 in the United States. Victims range from individuals and small businesses to multinational corporations, hospitals, schools, and government agencies. The group and its affiliates have extorted over $500 million in ransom payments and have caused billions of dollars in broader economic damages related to data recovery and operational downtime.
Compliance Implications of the LockBit Ransomware Sanctions
The designation of Khoroshev carries significant compliance obligations for all U.S. persons and entities, as well as potential risks for foreign financial institutions.
* **Asset Blocking:** All property and interests in property of Dmitry Yuryevich Khoroshev that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. This includes any cryptocurrency wallets or financial accounts known to be owned or controlled by him. * **Prohibition on Transactions:** The sanctions explicitly prohibit any U.S. person from engaging in transactions with Khoroshev. This includes the payment of ransoms. Any company that pays a ransom to LockBit or its affiliates risks violating U.S. sanctions law, which can result in substantial civil and criminal penalties. * **Facilitation Risk:** Aiding, abetting, or conspiring to violate these sanctions is prohibited. This extends to financial institutions, cyber incident response firms, and digital forensics companies that might facilitate a ransom payment on behalf of a victim. * **Secondary Sanctions Exposure:** OFAC has made clear that foreign persons, including foreign financial institutions, risk sanctions themselves if they knowingly facilitate significant transactions or provide material support to Khoroshev. This extends the reach of the sanctions beyond U.S. jurisdiction and pressures the global financial system to isolate the designated individual.
Compliance Takeaway
For compliance officers and legal counsel, this action serves as a critical reminder of the intersection between cybersecurity and sanctions regulations. Financial institutions and corporations must ensure their sanctions screening programs are immediately updated to include Dmitry Yuryevich Khoroshev. Furthermore, corporate incident response plans must be reviewed to explicitly forbid ransom payments to sanctioned ransomware groups. This designation, coupled with the ongoing international law enforcement campaign, underscores a global commitment to dismantling the RaaS ecosystem and holding its key actors accountable.
FAQ: Understanding the LockBit Sanctions
Who is Dmitry Yuryevich Khoroshev? Dmitry Yuryevich Khoroshev is a Russian national identified by a coalition of international law enforcement agencies as the creator, developer, and administrator of the LockBit ransomware group.
What is the LockBit ransomware group? LockBit is one of the world's most active and destructive ransomware groups, operating a Ransomware-as-a-Service (RaaS) model. It provides its malicious software to affiliates who carry out attacks, and the ransom profits are shared with the LockBit administrators.
What do OFAC's LockBit ransomware sanctions mean for businesses? These sanctions legally prohibit U.S. persons and companies from conducting any financial transactions with the designated individual, Dmitry Khoroshev. This includes a strict ban on making ransom payments to LockBit, as doing so would constitute a violation of U.S. law and could lead to severe penalties.
Can my company pay a ransom to LockBit? No. Following the OFAC designation of its leader, paying a ransom to LockBit is illegal for any U.S. person or entity. Federal agencies like the FBI and CISA have long advised against paying ransoms, as it encourages further criminal activity and does not guarantee data recovery. This sanction now adds a legal prohibition to that guidance.
Stay ahead of the next enforcement action
Free weekday newsletter on indictments, sanctions, exploits, and rulings — for lawyers, journalists, and investigators.

OFAC LockBit Sanctions Target Leader Dmitry Khoroshev in Global Takedown
OFAC has sanctioned LockBit ransomware leader Dmitry Khoroshev, designating his person and crypto addresses on the SDN list as part of a coordinated international action.

US & UK Impose New Russian Crypto Sanctions on Fintech Firms
OFAC and the UK's OFSI have issued new Russian crypto sanctions against fintech firms and virtual asset providers facilitating sanctions evasion. Learn the compliance implications.

US & UK Impose LockBit Ransomware Sanctions on Leader
The U.S. and UK have imposed coordinated financial sanctions on Dmitry Yuryevich Khoroshev, the alleged leader of the prolific LockBit ransomware-as-a-service group.

OFAC Imposes Sinbad Mixer Sanctions for Lazarus Group Laundering
U.S. Treasury designates cryptocurrency mixer Sinbad.io for its role in laundering over $100 million in stolen assets for North Korea's Lazarus Group.
