U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira.

LockBit 'Fully Reactivated'

Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments.

LockBit Victims, Sectors and Targeted Countries

One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party — arbitrating disputes between criminals — and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qiliin.

Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

CROSS-SITE GRIFTING

Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police; in 2004, 2006, 2009, and 2014.

Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

A FLY ON THE WALL

For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

“When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0kl0s also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

WHO IS TOHA?

So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well an an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Mevedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

The law enforcement action and resulting confusion about the identity of the detained has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s  homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

“The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

GordonBellford continued:

And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE . With the help of modern tools, they see everything:

Graphs of your contacts and activity.
Relationships between nicknames, emails, password hashes and Jabber ID.
Timestamps, IP addresses and digital fingerprints.
Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.