Human intelligence gathering isn’t typically a need-to-know skill in cybersecurity. But it is for Analyst1 Chief Security Strategist Jon DiMaggio, who befriended—and then doxxed—the leader of LockBit.
At DEF CON 32 in Las Vegas, DiMaggio told attendees how he spent years infiltrating the ransomware gang using numerous sock puppet accounts. After burning those personas in a January 2023 report on his findings, DiMaggio was even able to keep up a relationship with the gang’s leader, “LockBitSupp,” under his real name.
When US authorities identified and charged a Russian national named Dmitry Khoroshev as LockBitSupp in May 2024—and the UK’s National Crime Agency (NCA) seized LockBit’s site with an international task force, Operation Cronos—DiMaggio already knew his name. IT Brew caught up with DiMaggio after his talk to discuss the role of human intelligence in cybersecurity, why it works, and the war on ransomware.
This interview has been edited for length and clarity.
This kind of human intelligence, does it have a role in more typical security work, or is it primarily for these more bespoke things that you’re able to do?
I will say, there’s a lot of risk that goes in with the human side…Personal exposure, threats of everything from swatting, to acts of violence, to doxxing you and putting all your personal information out there.
So it’s not in your traditional security work, but it is expanding. [There are] other use cases where it comes in very handy—the companies that are trying to gain access to data logs, stolen data, things of that nature, or new malware that might be for sale. Creating these profiles, engaging with threat actors, doing what’s called controlled buys, where you go in to either buy malware…or even just to get a data sample to validate if the threat actor actually has what they say they do.
How do you make sock puppets credible without actually being able to engage in any kind of cyber crime?
There’s two approaches to that. One, you fake it until you can’t, and then you get burned. That’s why you always have to have development puppets—because every account you make, it’s got a lifespan, and at some point it’s going to become obvious you’re not a criminal.
But one way to get around that is called account hijack, and that’s where you look for, like, a mid-level cyber criminal. When I say mid-level, I mean somebody who’s not dominating the forms of conversation, but has been around here and there enough that people know who they are. And then what you do is you create an account on a peer forum, and you mimic their screen name, and you pretend to be them. Now, the lifespan of those are even shorter, so those have to be used, very targeted, for very specific purposes…but they can be very effective.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Why do you think these actors are still so vulnerable to targeted stings like this?
Honestly? Comes down to human psychology. A lot of these people haven’t been treated well in their life. They haven’t gotten a whole lot of attention. And when you know what those vulnerabilities are, and you cater your persona to those vulnerabilities, you can become very appealing to where they almost want to become friends with you…A lot of people hear that when I talk about the psychology of it, and they think that’s just fluffy words. But it’s really, really not.
You can also look at the NCA, see how they used strong psychological tactics in Operation Cronos on LockBit. It’s been extremely effective in tarnishing their brand and breaking trust for their affiliates.
Does the takedown make you any more confident that these efforts are having an overall impact on ransomware?
No. You have to look at the wins for what they are. We don’t really have the ability to arrest people, it just doesn’t happen, because they’re in Russia.
You compare Operation Cronos to previous takedowns, one of the biggest things you’ll see is how they stage things, how they sort of trolled and taunted the adversary and dwindled putting things out, did it spaced out over time…That’s what the NCA did in this attack, is they made them feel the way that their victims feel.
The people that are expecting, ‘Oh, this isn’t effective, because they’re just standing up a new site,’ they’re not understanding the big picture, baby steps. We gotta work with what we have. And this is like the war on drugs.