The LockBit hackers also posted some convincing sample documents that appeared to have been stolen from the Fulton County court systems prior to the takedown last week, according to Georgia-based reporter George Chidi, who wrote about the incident earlier this month. Chidi reported seeing documents that included court files and even documents under seal in specific cases, though none appeared to be related to Donald Trump’s prosecution.
Then on Wednesday, just hours before LockBit’s deadline for the county to pay its ransom expired, the countdown timer for that leak on Lockbit’s website froze, with an added line of text that read, “Timer stopped.” At the promised time of 1:49 PM UTC Thursday, the leak failed to materialize. Instead, all mention of Fulton County was removed from LockBit’s extortion threat site.
That mysterious disappearance leaves the looming question of whether Fulton County paid LockBit’s ransom. The Fulton County officials didn’t respond to multiple inquiries from WIRED asking whether it had paid the hackers, or how much.
Just as likely, however, is that LockBit is bluffing in some sense—that it either doesn’t have the goods it claims or isn’t yet ready to give up on its extortion demand. Robert McArdle, a researcher who leads a cybercrime-focused research team at security firm Trend Micro and was involved in the law enforcement operation against LockBit, says the group’s thus-far empty threat is a sign that it was likely more disrupted by the bust than it wants to admit.
“This appears to be further evidence of the difficulties facing LockBit ever since Op Chronos took place, and should be considered as a sign they are unable to reliably follow through on their statements,” says McArdle. He points out that the victims listed on the group’s new dark web site were all compromised prior to Operation Chronos, and that continuing to threaten them is the group’s attempt to “appear as if everything is normal when most evidence points very much to the contrary.”
There remain other theories, however, that Lockbit might still possess the court’s data, but be seeking to use it in some other way. “They generally don’t lie about victims because they’re so worried about their reputation,” says Analyst1’s DiMaggio. He notes that the decision to take down the leak threat may have been the decision of the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and may have different motivations from LockBit itself.
If Fulton County documents do remain in the hands of hackers, and if any of them relate to the Trump case, they could further complicate an already deeply messy trial. The state’s case already been rocked by allegations that the prosecutor in the case, Fulton County district attorney Fanni Willis, had an improper affair with another prosecutor involved in Trump’s prosecution, which the defense has argued should require her dismissal. The compromise of non-public documents in the case could make the proceedings—and the upcoming US presidential elecion—even more chaotic.
“We’re watching with interest to see how the Fulton leak develops,” McArdle’s Trend Micro says. So, no doubt, will the US political sphere—including a certain former president.
Additional reporting by Matt Burgess.
