TLDR:
- LockBit ransomware gang’s dark web affiliate panels were hacked and defaced
- Almost 60,000 Bitcoin addresses tied to LockBit’s operations were leaked
- A MySQL database dump revealed 4,442 victim negotiation messages
- No Bitcoin private keys were exposed in the breach
- The hack may be linked to a recent Everest ransomware site breach
The LockBit ransomware gang has suffered a major security breach. Hackers broke into the group’s dark web affiliate panels and defaced them with a message: “Don’t do crime CRIME IS BAD xoxo from Prague.” The attack has exposed nearly 60,000 Bitcoin addresses connected to LockBit’s ransomware operations.
So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM
— Rey (@ReyXBF) May 7, 2025
The hackers shared a MySQL database dump online. This dump contained many tables with important information about LockBit’s activities. The breach happened around April 29, 2025, based on timestamps in the leaked data.
LockBit is one of the most feared ransomware groups. They use malware to lock victims’ files or computer systems. The group then demands payment, often in Bitcoin, to provide a decryption key.
In February 2024, ten countries launched a joint operation called “Operation Cronos” to disrupt LockBit. Authorities said the group had caused billions in damages to key infrastructure. Despite this effort, LockBit managed to rebuild and resume operations.
What Was Leaked
The database contained twenty tables with various types of information. One table named “btc_addresses” held 59,975 unique Bitcoin addresses used in ransomware attacks. Another table called “builds” contained information about individual ransomware builds created by LockBit’s affiliates.
The “chats” table proved very revealing. It contained 4,442 negotiation messages between the ransomware group and their victims. These messages dated from December 19 to April 29.
A “users” table listed 75 admins and affiliates with access to the panel. Security researchers noted that passwords were stored in plaintext. Some example passwords included “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.”
No Bitcoin private keys were included in the leak. A LockBit operator known as “LockBitSupp” confirmed the breach in a conversation but claimed no private keys or data were lost.
The leak will help blockchain analysts trace the group’s illicit financial flows. Each victim is typically assigned a unique address to pay their ransom. This system allows LockBit’s affiliates to monitor payments while trying to hide connections to their main wallets.
The exposed addresses will help law enforcement and blockchain investigators track patterns. They may also link past ransom payments to known wallets.
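As an added example (not part of the original article or of the leaked data), the Python code below shows how a defender, such as a compliance or incident-response team, could turn a "btc_addresses"-style dump into a watchlist and screen their own outgoing payment records against it. It keeps only addresses whose Base58Check checksum verifies, so rows damaged in extraction do not pollute the list. Assumptions: the INSERT row layout, the function names and the payment records are constructed for illustration, the sample address is the publicly known Bitcoin genesis-block address rather than one from the leak, and only legacy (Base58Check) addresses are handled.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_valid_base58check(addr):
    """True if addr is a legacy P2PKH/P2SH address with a correct checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # version + hash160 + checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def load_watchlist(dump_text):
    """Collect de-duplicated, checksum-valid addresses from btc_addresses rows."""
    found = set()
    for line in dump_text.splitlines():
        if "btc_addresses" not in line:
            continue
        for cand in re.findall(r"'([1-9A-HJ-NP-Za-km-z]{26,35})'", line):
            if is_valid_base58check(cand):
                found.add(cand)
    return found

def screen(payments, watchlist):
    """Return the payment records whose destination is on the watchlist."""
    return [p for p in payments if p["dest"] in watchlist]

# Constructed sample input: assumed row layout, genesis-block address as a stand-in.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_DUMP = (
    f"INSERT INTO `btc_addresses` VALUES (1,'{GENESIS}');\n"
    f"INSERT INTO `btc_addresses` VALUES (2,'{GENESIS[:-1]}b');\n"  # bad checksum
    f"INSERT INTO `btc_addresses` VALUES (3,'{GENESIS}');\n"        # duplicate
)
SAMPLE_PAYMENTS = [
    {"id": "tx-001", "dest": GENESIS[:-1] + "b"},
    {"id": "tx-002", "dest": GENESIS},
]

if __name__ == "__main__":
    for hit in screen(SAMPLE_PAYMENTS, load_watchlist(SAMPLE_DUMP)):
        print("watchlist hit:", hit["id"], hit["dest"])
```

SegWit (bech32, "bc1...") addresses use a different checksum and would need a separate validator before being added to the same watchlist.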
It’s unclear who was behind the breach or how they got into LockBit’s systems. However, experts noticed that the defacement message matched one used in a recent breach of the Everest ransomware site. This suggests a possible link between the two incidents.
The server was running PHP 8.1.2, which has a known vulnerability (CVE-2024-4577). This flaw can be exploited for remote code execution on servers.
This breach follows other ransomware groups that have experienced similar leaks, including Conti, Black Basta, and Everest. The leak is another blow to LockBit’s reputation, which was already damaged by Operation Cronos.
The impact of this breach on LockBit’s future operations remains to be seen.