When he was a teenager, Ruslan Astamirov began hacking for money, earning substantial sums that he hoped would take him away from his remote Russian village and transform his life for the better. Now he is in a cell in a New Jersey correctional facility, wearing a standard-issue gray tracksuit and white sneakers, sitting just a short drive from some of his victims, the businesses and offices of local law enforcement from which he extorted money.
It is a far cry from the idyllic future he aspired to, fueled by American movies and YouTube blogs from Los Angeles that he watched while growing up in the southern Russian region of Chechnya. “[There are] streets with beautiful houses,” he told New Lines from jail. “I wanted a house like that, my own business,” Astamirov recalled.
Twenty-one-year-old Astamirov is accused by U.S. investigators of being an affiliate of LockBit, one of the world’s largest criminal hacking gangs. It is believed to have extorted tens of millions of dollars from businesses across the globe using malicious ransomware that became the most widely deployed in history. After an international police operation significantly disrupted the cybercrime gang’s activities in February 2024, its elusive Russian ringleader Dmitry Khoroshev was unmasked. Parts of its site have since been resurrected. The U.S. government is offering a $10 million reward for any information leading to Khoroshev’s capture.
As a boy, Astamirov was more interested in hiding behind a computer screen than attending school; he dropped out after the ninth grade. He says he entered the world of cybercrime to help his relatives pay off their many debts. Chechnya is relatively poor, and his father, a long-haul truck driver, and mother, a schoolteacher in their village of Chechen-Aul, are now retired.
“I didn’t think it was a real crime,” he later told me during a phone call from prison. “To me, computers were just toys for kids and teenagers.”
Astamirov’s naivete was reinforced by external circumstances. As relations between Washington and Moscow plunged to Cold War-era lows in recent years, Russia fostered an environment in which cybercriminals were emboldened. Russian hackers are usually offered protection at home, safe in the knowledge that Moscow refuses to cooperate with the West and will not extradite its citizens. Hackers also count on Moscow to trade them in prisoner swaps with other countries.
Cybercriminals have long been an immensely useful foreign policy tool for the Russian state. “They create revenue and cause economic disruption in the West,” said Valentin Weber, a senior research fellow at the German Council on Foreign Relations. “This calculus does not change, even if cybercrime members are being prosecuted,” he told me.
Yet Russian hackers now wonder if shifting geopolitics, including Donald Trump’s rapprochement with the Kremlin, will impact their activities and capacity to wreak havoc on global internet security. Under Trump, the U.S. no longer characterizes Russia as a cybersecurity threat.
LockBit’s business model is ransomware-as-a-service, a form of cybercrime in which developers sell malware tools and infrastructure to affiliates on a subscription basis. These in turn use the ransomware to launch their own attacks, aimed at extorting money from victims. The scope of these attacks stretched from New York to Beijing. According to the U.S. Department of Justice, LockBit has had at least 2,500 victims in more than 120 countries, from small businesses to hospitals, critical infrastructure and law enforcement agencies. More than half are in the United States. Its chief, Khoroshev, took a 20% cut of each ransom paid by LockBit victims, amassing at least $100 million between 2019 and 2024, the years it was most active.
In September 2023, two New York hospitals were crippled by a cyberattack, a disruption that forced emergency services to reroute ambulances and postpone most scheduled appointments. In the U.K., six weeks of holding the country’s postal service hostage in 2023 meant no one was able to send or receive a parcel from outside the country. LockBit demanded a ransom of $80 million, called “absurd” by Royal Mail. When the company refused, a LockBit hacker responded that another British company didn’t argue and paid their ransom, and that Royal Mail’s bosses were “very greedy.” (The delivery company instead spent $13 million on boosting systems protection.)
The crimes were relatively straightforward to carry out: After hackers gained access to vulnerable computer systems, they installed ransomware to encrypt data, leaving victims unable to access critical documents until a ransom was paid. The victim would typically receive a message: “Please send bitcoins, and we’ll give you the password [decryption key],” said Belarusian former hacker Dzmitry Naskavets, imagining a conversation between a hacker and their victim. “The honest word of a Russian hacker: ‘Your data won’t be published anywhere. You have two days,’” he said with irony. If victims refused to pay, all sorts of personal data would be published on an open site controlled by LockBit, according to the U.S. Department of Justice.
The DOJ says that between 2020 and 2023, Astamirov targeted at least 12 victims with LockBit ransomware, including in the U.S., Japan and Kenya, extorting $1.9 million. After he was detained by the FBI while attempting to enter the U.S., Astamirov pleaded guilty last July to conspiracy to commit computer and wire fraud as an affiliate of LockBit. He has remained in his New Jersey cell for over a year, awaiting sentencing. He faces a maximum of 25 years behind bars.
Ruslan Astamirov is slender, with short-cropped hair and a goatee. During our conversations, he talked slowly and eagerly; it was clear he had few chances for conversation with people not in the facility. He nervously wrung his fingers as we chatted.
Growing up, his world was pretty limited: Chechen-Aul is a village of about 9,000 people, just 5 miles from the Chechen capital Grozny. It has four mosques, a shopping and entertainment center, and a sports complex on its outskirts. “After school, I didn’t really do anything, just self-education on the computer,” Astamirov recalled. He dreamed of an exit.
On his 2016 profile on “Odnoklassniki,” a popular Russian social networking site, Astamirov posted screenshots from computer games — mostly of shooters. At the time, he was 12. The last thing he wrote on his page that year was: “Don’t wait for a prince on a white horse, wait for a thug in a black Priora,” referring to a type of locally produced Lada car popular in the area. Several smileys accompanied the message.
There were few ways for an underage schoolkid to earn money in his native Chechnya. But shortly after he started working for LockBit in 2020, the cash began rolling in. “When he suddenly got the money, he bought himself a car, bought me a car, a good one,” recalled a relative, who spoke on condition of anonymity. Astamirov’s parents began renovating their house.
When others in Chechen-Aul noticed the Astamirov family’s new wealth, rumors began to spread through the village. A police officer visited the family home, demanding to know where the money had come from. Astamirov’s mother Natalia says that when she asked her son the same question, he replied that he made Bitcoin investments. “And Bitcoin keeps growing, you know?” she told me by phone.
But Astamirov soon wanted more than a new car. The single-story brick houses in Chechen-Aul were nothing like the homes in Los Angeles. Along with his three cousins — Magomed-Emi, Muslim and Viskhan — Astamirov planned an escape to America. They told their families they were heading to Thailand for a vacation, via Dubai. “Just to unwind and experience a different culture,” Astamirov recalled telling them.
But this was a smokescreen. The four cousins knew that if their parents were aware of the truth, they would never let them leave Chechnya. In the spring of 2023, the four Astamirovs flew from Russia to Dubai but didn’t stay long. After a stop in Barcelona and a brief layover in Mexico, they reached the U.S. border at Nogales, a city in southern Arizona. This route is commonly used by Russians seeking asylum in the United States.
The cousins agreed to settle down once they reached America. They planned to rent a house in Los Angeles, buy a truck and go into the transportation business. Astamirov had the money they needed, some $350,000, to fund their entire move from Grozny to Los Angeles. The cousins didn’t even know where it came from, 21-year-old Magomed-Emi told me in a phone call from outside Russia, adding, “Why ask?”
“We planned to apply for political asylum because that was the only semi-legal way to cross into America and stay there,” Astamirov said. “We didn’t even consider visas because, at that time, it was impossible to get one.”
Russia’s full-scale invasion of Ukraine, now in its fourth year, had soured relations with the U.S., but Astamirov knew some men were being taken in on humanitarian grounds — those who refused to harm and kill Ukrainians. He recalled the story they would tell the border guards: “that we were running from the army.”
In truth, while in Russia, Astamirov hadn’t been afraid of being drafted, as his address was officially registered in a small village at the opposite end of Russia.
While at the Mexico-U.S. border, the cousins shared their prepared story with the officers. But it didn’t work; Astamirov was already on the FBI’s radar. “They weren’t even interested, they were focused on investigating my criminal case,” Astamirov said.
The four cousins were sent to an immigration detention center in Arizona, where they spent a few months. “We weren’t scared at all, we were just waiting,” Magomed-Emi recalled.
The cousins never made it to Los Angeles.
Astamirov was transferred from an immigration detention center to a federal prison in June 2023, according to his family. After the arrest, Astamirov agreed to forfeit his assets, including $350,000 in cryptocurrency that he had received from one of his victims, according to the DOJ. His cousins ultimately chose not to seek asylum in the U.S. and agreed to deportation to Russia, said Magomed-Emi. New Lines obtained a photo of a deportation order issued to him, which stipulates a five-year ban on entering the U.S.
It will perhaps never be known if imprisoned Russian hacker Ruslan Astamirov went to the United States for a better life, as he says, or was pressured by his government in ways that may have led him to relocate or flee. State-backed Russian hackers are notorious in the online criminal underworld. The group Sandworm, believed to have ties to the Russian military intelligence agency (the GRU), has snooped on Ukrainian accounts on the Signal messenger app and is behind numerous attacks on Ukraine’s energy facilities, according to Kyiv. In February, Microsoft said a subgroup of Sandworm was behind a multiyear campaign to access the systems of organizations across the U.S. and Europe in the telecommunications and arms industries.
New Lines asked the U.S. Attorney’s Office for the District of New Jersey if Astamirov was coaxed into coming to America as part of a sting operation, but it declined to comment. The DOJ documents pertaining to his case make no mention of espionage.
If Russian law enforcement wanted him to spy on the U.S., his geographical location would be irrelevant, said a former Russian hacker based in North America, who spoke to me on condition of anonymity out of fear of repercussions. “Luring him out could be an option, but I don’t think he is so naive as to fall for some kind of trap. If he was indeed doing what he is accused of, he had money, and I don’t think a job offer [from the U.S. law enforcement agents] would be more attractive than what he was already engaged in.”
Astamirov admitted he was aware of the risk of arrest but had hoped for a shorter sentence: “I didn’t think I was some big player — more like a small fish,” he said. “I thought that even if I got caught, the sentence wouldn’t be that long. … I thought the law here would be similar [to Russia].”
While various types of cybercrime are illegal under Russian law, the maximum penalties range from seven to 10 years behind bars. Sometimes Russian courts don’t even go that far, instead issuing fines or certain restrictions on someone’s movement, including not being allowed to leave their region or municipality, and bans on participating in mass public events.
“I’m ready to serve my time,” Astamirov said. “If they give me a long sentence, there’s nothing I can do — I’ll serve it and return to Chechnya.”
But this rankles his family. “Did I raise him just to give him away to America?” his father, Magomed, said to me.
For someone who installed ransomware for a living, Astamirov was shockingly sloppy with his own digital security. After FBI agents seized his phone, laptop and a USB drive in Arizona last May, they linked him to LockBit through a specific email and IP address, court documents show.
Records obtained by U.S. law enforcement showed that Astamirov used this email address to create multiple online accounts under names that were identical to his own, such as “astamirov_222” and “astamirov_225” on Instagram. U.S. law enforcement alleges that at least four LockBit attacks in 2020 and 2021 were carried out from an IP address controlled by Astamirov. This same IP address was used to access two of his email accounts in 2020.
Khoroshev even commented on Astamirov’s slipshod behavior. “Seeing the methods used to catch partners and the mistakes that lead to their downfall makes me feel very secure about my own ass,” he wrote on Russian cybercrime forum XSS, adding that more than 70% of LockBit partners were “careless and irresponsible about security.”
Jon DiMaggio, chief security strategist at cybersecurity agency Analyst1, said that many ransomware hackers believe they will never be caught and make risky choices regarding their operational security and lifestyle: “This includes travel and often involves living extravagantly, flaunting their money and drawing attention to themselves.” However, the low number of arrests shows that finding and capturing these criminals is still very difficult.
Astamirov admitted that he does not know how to code, although such skills are not necessary for ransomware attacks. Another LockBit member called Bassterlord, who was identified by U.S. authorities in 2024 as Russian national Ivan Kondratyev, wrote two LockBit user manuals, which he sold on cybercrime forums for $10,000 each. In an interview with The Record, a news outlet affiliated with U.S. cybersecurity firm Recorded Future, he explained that, by following these guides, one could launch an attack without any knowledge of programming.
The former Russian hacker who was interviewed for this story agreed that a ransomware attack is possible without coding skills: “Any schoolkid today can go on the darknet, read instructions on ransomware — there are private compilations of these builds available — follow the setup guide exactly as it is, and deploy it.”
According to court documents, none of Astamirov’s victims were from Russia or other former Soviet states. This is no coincidence; Russian-speaking hackers follow a rule often mentioned on forums, “Do not work against RU,” meaning they avoid targeting Russian companies or government institutions. Such attacks would increase the risk of prosecution within Russia.
While some in the Russian hacking community wish to stay loyal to the motherland, for the most part “this has nothing to do with patriotism,” Ilya Sachkov, founder of the Russian cybersecurity company Group-IB, told Forbes Russia in 2020. “It’s simply dangerous to steal where you live.”
In 2023, the Australian government’s Cyber Security Centre said that LockBit’s code includes a language-checking process. If a system or user is set to Russian, Azerbaijani, Armenian, Belarusian, Georgian, Kazakh, Kyrgyz, Tajik, Turkmen, Uzbek or Ukrainian, the ransomware cannot be installed.
“Don’t saw off the tree branch you’re sitting on,” explained the former Russian hacker who spoke anonymously. Targeting Western companies from within Russia feels far less risky, because hackers are aware that their government won’t work with the FBI. Such fearlessness is bolstered by the signal from the Kremlin. “Work your ass off hacking, we’ll trade you back,” explained the Belarusian former hacker Naskavets. “That’s the directive from the Russians, from [Vladimir] Putin,” he added.
After Russian hacker Roman Seleznev was found guilty by a Seattle court of causing more than $169 million in damages in a massive credit card computer fraud scheme, for which he received a 27-year sentence, he appealed to the Kremlin through his lawyer. “As a Russian citizen, I am sending a message to my country’s officials: please help me, I’m begging you.” (His father, Valery, is a prominent lawmaker in Russia’s parliament.) It worked: Seven years after his conviction, Seleznev and fellow prominent cybercriminal Vladislav Klyushin were traded in last year’s historic prisoner swap that freed 15 people from Russia, including Wall Street Journal reporter Evan Gershkovich and former U.S. Marine Paul Whelan.
When it comes to Russian-speaking hackers caught abroad, they usually go down one of two paths, Naskavets said. They can plead guilty, as Astamirov and Seleznev did, and hope for a plea deal later on. Or they can choose to “turn on Russia mode,” where they act “like they’re in Vladivostok, not Seattle,” Naskavets said, adding that playing the Russia card involves refusing to plead guilty, putting their feet up on the prosecutor’s desk and even offering bribes.
Naskavets should know: in 2012, he was convicted in the U.S. for creating an online service using stolen credit and debit card numbers. He faced almost 38 years in prison but took a plea bargain and served 33 months instead. He remained in America and now works in Brooklyn, in the office of his wife Yelena Sharova, a lawyer currently defending Astamirov.
For the time being, although Astamirov is yet to be sentenced, his family in Chechnya feels Russia has their back. His mother Natalia has written to the foreign ministry in Moscow, urging them to help bring her son back home to Russia. She and her husband were visited by someone who said they had information about his case.
“We were informed that, if anything, we’re next. Supposedly. That’s how we understood it. If there’s an exchange, he’ll be traded,” Magomed said, declining to go into detail about the identity of their visitor. But another relative, speaking on condition of anonymity, brushed aside the visit’s importance. “Maybe someone from law enforcement said something. … But there are many people here who promise something, so I didn’t take it seriously.”
In 2023 and 2024, after Astamirov’s arrest, the U.S. brought charges against Russian nationals Mikhail Matveev, Artur Sungatov and Ivan Kondratyev. They are accused of using LockBit to attack organizations worldwide, including American industrial enterprises and the Washington D.C. police. All three have been placed on the FBI’s most-wanted list.
In February last year, the U.K.’s National Crime Agency (NCA), working with the DOJ, the FBI and law enforcement agencies from eight other countries, said it had compromised LockBit’s criminal enterprise. “Operation Cronos” managed to take down 34 LockBit servers across Europe, the U.S. and Australia, as well as freeze more than 200 cryptocurrency accounts linked to the ransomware group.
DiMaggio wrote in a report that, as part of Operation Cronos, the NCA turned the tables on LockBit by using tactics commonly employed by the group: When hackers logged into LockBit’s control panel — the system used to orchestrate attacks — they were met with a personalized message informing them that law enforcement had collected data on their accounts, cryptocurrency wallets, ransom negotiations and even transcripts of their conversations with the group’s leader. Essentially, the hackers had been hacked.
“While new authentic attacks are taking place, LockBit’s reputation has taken a significant hit. The most experienced criminals have moved to other operations,” DiMaggio told me. Law enforcement agencies have not been able to catch all of the group’s so-called partners, estimated by the NCA to number almost 200 people.
In February, shortly after Trump took office, a new prisoner swap took place. Cybercriminal Alexander Vinnik, who had pleaded guilty to conspiracy to commit money laundering, was traded for American schoolteacher Marc Fogel, who was imprisoned in Russia for possession of marijuana. Trump praised the Russians afterward for treating the U.S. so “nicely.”
At the end of last year, the cybercrime community was surprised when Matveev was arrested — not by the Americans, who placed a $10 million bounty on his head, but on home soil by Russian authorities, who charged him with creating a malicious software application to deploy against foreign organizations.
When he was still at large, Matveev had spoken of his worries should the FBI and the Russian Federal Security Service (FSB) begin working together. “If these two structures start cooperating with each other — then I’ll get fucked up, with at least three life sentences,” he told The Record in a 2022 interview. Matveev added that he had “rejoiced with impunity” after Russia’s invasion of Ukraine because he felt it would stop any collaboration between the United States and Russia on cybercrime.
But Matveev’s arrest in December suggested that Russia might be signaling to American observers a new willingness to tackle cybercrime, wrote Dmitry Smilyanets, a Russian former hacker who is currently the product management director at the U.S.-based Recorded Future.
The Russian move may be more symbolic than substantive, however. In December 2024, Matveev was sentenced to just 18 months of restricted freedom, meaning he is not allowed to leave his municipality.
Weber, from the German Council on Foreign Relations, sees Matveev’s arrest and light sentence as part of a familiar pattern. “It is a common game that Russia plays, showing goodwill but secretly doing the exact opposite,” he told me. Despite Russia’s 2019 proposal for a cybercrime convention at the United Nations, which was adopted last year, Russia remains “one of the foremost countries fostering cybercriminal environments,” he added.
For Astamirov, his New Jersey prison doesn’t feel like the country he and his cousins once dreamed of moving to. Instead, he is filled with resentment at America: “This country took me away.”
Now, without having seen Los Angeles — one of the reasons Astamirov hacked in the first place — he wouldn’t mind trading America for Chechnya in an exchange. “If they [the Russian authorities] are willing, I wouldn’t say no,” he said.