Ransomware group LockBit has been struck by a cyberattack that exposed its internal operations. Nearly 60,000 Bitcoin wallet addresses associated with the group’s activities have been leaked, along with thousands of victim communications and detailed records from its backend infrastructure.
The breach, first noticed by cybercriminal researcher Rey late Wednesday, occurred at the end of April 2025. LockBit’s dark web affiliate panels were defaced, replaced by a message that read, “Don’t do crime. CRIME IS BAD xoxo from Prague,” with a link to a MySQL database dump titled “paneldb_dump.zip.”
So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM
— Rey (@ReyXBF) May 7, 2025
“A basic analysis of the database indicates that the dump was created around April 29, suggesting that LockBit was compromised on or before that date and subsequently defaced on May 7,” confirmed Rey.
Data exposure in panel dump
According to Rey, citing an analysis from cybersecurity publication BleepingComputer, there were about 20 tables in the leaked database, including a ‘btc_addresses’ table that listed 59,975 unique Bitcoin wallet addresses connected to LockBit’s ransomware payments.
Other notable data in the leak includes a ‘builds’ table, which details the ransomware payloads created by LockBit affiliates. The table includes public encryption keys and, in some cases, names of targeted companies.
The ‘builds_configurations’ table showed which files or servers affiliates configured their attacks to avoid or encrypt, and several other operational tactics used in previous ransomware campaigns.
As seen in one table dubbed ‘chats,’ there were over 4,400 negotiation messages between LockBit affiliates and victims, spanning from December 19, 2024, to April 29, 2025.
— Ransom-DB (@Ransom_DB) May 8, 2025
The dump also exposes a ‘users’ table listing 75 LockBit administrators and affiliates with access to the group’s backend panel. Security sleuths were shocked to discover that user passwords were stored in plaintext.
Cybersecurity researcher Michael Gillespie mentioned some of the exposed passwords, including “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.”
LockBitSupp, a known operator of the LockBit group, confirmed in a Tox chat with Rey that the breach was real. Still, the operator insisted that no private keys or critical data had been lost.
Response From LockBitSupp (This is a translated image): pic.twitter.com/l54g1A5hXz
— Rey (@ReyXBF) May 7, 2025
Alon Gal, Chief Technology Officer at Hudson Rock, said the data also includes custom ransomware builds and some decryption keys. According to Gal, if verified, the keys could help some victims recover their data without paying ransoms.
Exploiting server vulnerabilities
An analysis of the SQL dump revealed the affected server was running PHP 8.1.2, a version vulnerable to a flaw identified as “CVE-2024-4577.” The vulnerability allows remote code execution, which explains how attackers were able to infiltrate and exfiltrate LockBit’s backend systems.
Security professionals believe the style of the defacement message may link the incident to a recent breach of the Everest ransomware site, which used the same “CRIME IS BAD” phrasing. The similarity suggests that the same actor or group may be behind both incidents, though no clear attribution has been confirmed.
The hackers behind the breach have not come forward, but Kevin Beaumont, a UK-based security outfit, said the group DragonForce could be responsible.
“Somebody has hacked LockBit. I’m going to guess DragonForce,” he wrote on Mastodon.
According to the BBC, DragonForce was allegedly involved in several cyberattacks on UK retailers, including Marks & Spencer, Co-op, and Harrods.
In 2024, Operation Cronos, a UK-led multinational effort involving law enforcement agencies from ten countries, including the Federal Bureau of Investigation (FBI) temporarily stopped LockBit’s activities, although the group eventually resurfaced.
The operation reportedly took down 34 servers, confiscated crypto wallets, and uncovered over 1,000 decryption keys.
Law enforcement believes LockBit’s operators are based in Russia, a jurisdiction that would be hard to bring them to justice in. Ransomware gangs centre their operations within Russia’s borders because direct arrests are nearly impossible.
Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now
