TLDR
- LockBit ransomware gang’s dark web affiliate panels were hacked and defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague”
- Nearly 60,000 Bitcoin addresses were exposed in a leaked MySQL database dump
- The leak included 4,442 negotiation messages between the gang and victims
- No private keys were stolen according to LockBit operators
- The hack may be linked to a recent breach of Everest ransomware’s site
The LockBit ransomware operation, one of the most feared cybercriminal groups, has been hacked. Unknown attackers breached the gang’s dark web infrastructure and replaced their affiliate panels with a taunting message: “Don’t do crime CRIME IS BAD xoxo from Prague.”
The hackers left a link to download a “paneldb_dump.zip” file. This archive contained a SQL file from the site’s MySQL database with detailed information about the ransomware operation.
The breach was first reported by a threat actor known as Rey and later analyzed by cybersecurity experts at BleepingComputer. The incident occurred sometime around April 29, 2025, based on timestamps in the database.
So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM
— Rey (@ReyXBF) May 7, 2025
What Was Exposed
The leaked database contained twenty tables with valuable information about LockBit’s operations. Most concerning was the exposure of 59,975 unique Bitcoin addresses, which could help law enforcement trace ransom payments.
The database also revealed details about the ransomware builds created by LockBit affiliates. Some entries included the names of targeted companies, providing insight into who had been attacked.
Perhaps most damaging was the leak of 4,442 negotiation messages between LockBit operators and their victims. These messages spanned from December 19 to April 29, giving unprecedented insight into how the group handles extortion.
The leak even exposed 75 admins and affiliates who had access to the panel. Security researcher Michael Gillespie noted that their passwords were stored in plaintext, with examples including “Weekendlover69” and “LockbitProud231.”
A LockBit operator known as “LockBitSupp” confirmed the breach in a conversation with Rey but claimed no private keys were leaked and no data was lost.
The server was running PHP 8.1.2, which has a known critical vulnerability (CVE-2024-4577) that allows remote code execution. This may have been the entry point for attackers.
The defacement message used in the attack matches one used in a recent breach of the Everest ransomware site, suggesting a possible connection between the incidents.
This is not the first major setback for LockBit. In 2024, law enforcement agencies conducted Operation Cronos, which took down much of the group’s infrastructure. Although the group managed to rebuild after that takedown, this new breach deals another blow to its reputation.
Other ransomware groups that have experienced similar leaks include Conti, Black Basta, and Everest, showing a trend of hackers targeting criminal organizations.
The exposure of Bitcoin addresses is particularly interesting as it highlights cryptocurrency’s role in ransomware operations. Typically, each victim is assigned a unique address for payment, allowing affiliates to track payments while trying to hide connections to their main wallets.
With these addresses now public, blockchain investigators and law enforcement can analyze payment patterns and potentially link past ransom payments to known wallets.
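The first step in that kind of analysis is reducing a SQL dump to its unique, checksum-valid addresses. The sketch below is an added example, not code from the original report or anything taken from the leak. The table name and rows are constructed, and the two valid values are the public genesis-block address and a BIP-173 test vector.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# Candidates: legacy Base58 (1.../3...) or mainnet segwit (bc1...).
CANDIDATE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

def base58check_ok(addr):
    """Legacy address: 25 decoded bytes ending in a double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return len(raw) == 25 and digest[:4] == raw[-4:]

def bech32_ok(addr):
    """Segwit address: BIP-173/350 polymod over the expanded prefix and data."""
    chk = 1
    for v in [3, 3, 0, 2, 3] + [B32.index(c) for c in addr[3:]]:
        top, chk = chk >> 25, (chk & 0x1FFFFFF) << 5 ^ v
        for i, g in enumerate(GEN):
            if top >> i & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)  # bech32 or bech32m constant

def unique_addresses(sql_text):
    """Return the set of checksum-valid addresses found in a SQL dump."""
    found = set()
    for cand in CANDIDATE.findall(sql_text):
        ok = bech32_ok(cand) if cand.startswith("bc1") else base58check_ok(cand)
        if ok:
            found.add(cand)
    return found

# Constructed sample rows (hypothetical table name); the valid values are the
# public genesis-block address and a BIP-173 test vector, not leaked data.
SAMPLE_DUMP = """
INSERT INTO `addresses_demo` VALUES (1,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa');
INSERT INTO `addresses_demo` VALUES (2,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa');
INSERT INTO `addresses_demo` VALUES (3,'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4');
INSERT INTO `addresses_demo` VALUES (4,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb');
"""
```

Row 2 is a duplicate and row 4 has a corrupted final character, so only two addresses survive. The checksum step keeps look-alike strings out of the set before any blockchain lookups are made.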
While LockBit claims no private keys were exposed, the breach has still revealed valuable intelligence about their operations. The leaked information could help authorities identify members of the group and track their financial activities.