LockBit Ransomware Gang Breached — Secrets Spilled in Major Takedown


The Incident

The hunter has become the hunted. LockBit, once the most dominant ransomware-as-a-service (RaaS) syndicate on the dark web, has had its own infrastructure breached.

In a dramatic twist, the criminal enterprise infamous for extorting hundreds of millions of dollars from victims worldwide has suffered a severe compromise of its back end, exposing internal secrets, negotiation logs, affiliate accounts, and cryptocurrency wallets.


The attacker left a message behind: “Don’t do crime. CRIME IS BAD. xoxo from Prague.”

On May 8, 2025, the cybersecurity community was stunned to discover that LockBit’s dark web affiliate panels had been defaced, every one of them replaced with the same taunting message and a link to a file named paneldb_dump.zip. This 7.5 MB archive contained a MySQL dump of LockBit’s affiliate panel database, a treasure trove of operational secrets.

The MySQL dump covers LockBit operations from December 2024 to April 29, 2025, and includes:

  • 59,975 Bitcoin addresses used to collect ransom payments, some of which still hold balances of over $100,000.
  • Custom ransomware builds tailored to specific victim companies.
  • Victim profiles, including domain names and revenue estimates.
  • 4,442 negotiation messages documenting the coercive tactics LockBit used to push victims into paying ransoms ranging from a few thousand dollars to over $100,000.
  • 75 affiliate and admin accounts, most of them with plaintext passwords.
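A dump like the one described above is the kind of artefact a threat-intelligence or incident-response team wants to triage quickly: pull out every wallet address so it can be matched against an organisation's own payment records or a blocklist, and flag accounts whose passwords were stored in the clear. The script below is an added example written for this article; it is not code from the original page, from LockBit's panel, or from any researcher who analysed the real leak. It runs on a constructed MySQL-style sample embedded in the file (the table and column names `btc_addresses`, `users`, `address`, `login` and `password` are assumptions, not the real schema), and it validates each candidate address's checksum (Base58Check for 1… and 3… addresses, bech32/bech32m for bc1… addresses) so that truncated or mistyped strings are not mistaken for real wallets:

```python
import csv
import hashlib
import re

# Constructed sample in MySQL-dump style. This is NOT the real paneldb_dump.zip;
# table and column names are assumptions. Row 4 is a deliberately corrupted
# copy of row 1 (last character changed) so the checksum check has something to reject.
SAMPLE_DUMP = """-- constructed sample rows
INSERT INTO `btc_addresses` (`id`,`address`,`client_id`) VALUES
(1,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',17),
(2,'3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy',17),
(3,'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4',42),
(4,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb',42);
INSERT INTO `users` (`id`,`login`,`password`,`role`) VALUES
(1,'admin','$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy','admin'),
(2,'aff_01','Weakpass123','affiliate'),
(3,'aff_02','5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8','affiliate');
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Loose syntactic candidates; the checksum functions below do the real filtering.
CANDIDATE = re.compile(r"\b(?:[13][%s]{25,34}|bc1[%s]{11,71})\b" % (B58, BECH32))


def _base58check_ok(addr):
    """Legacy (1...) and P2SH (3...) addresses decode to 25 bytes:
    1 version byte + 20-byte hash + 4-byte checksum = first 4 bytes of sha256d(payload)."""
    num = 0
    for ch in addr:
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a 0x00 byte
    if len(body) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()
    return digest[:4] == body[21:]


def _bech32_polymod(values):
    """BIP173 checksum polynomial."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_ok(addr):
    """SegWit addresses (bc1...): witness v0 uses the bech32 constant 1,
    v1+ (Taproot, bc1p...) uses the bech32m constant from BIP350."""
    hrp, data = addr[:2], addr[3:]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = 1 if data[0] == "q" else 0x2BC830A3
    return _bech32_polymod(expanded + [BECH32.index(c) for c in data]) == const


def extract_btc_addresses(dump_text):
    """Return the sorted set of checksum-valid Bitcoin addresses found anywhere in the dump."""
    valid = set()
    for cand in CANDIDATE.findall(dump_text):
        ok = _bech32_ok(cand) if cand.startswith("bc1") else _base58check_ok(cand)
        if ok:
            valid.add(cand)
    return sorted(valid)


# crypt-style "$id$..." strings (bcrypt, argon2, sha-crypt) or bare hex digests count as hashed;
# anything else in the password column is treated as plaintext.
HASHED = re.compile(r"^\$|^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")


def find_plaintext_credentials(dump_text):
    """Return (login, password) pairs from the users table whose password is not hashed."""
    found = []
    stmt_re = r"INSERT INTO `users` \(([^)]*)\) VALUES\s*(.*?);"
    for stmt in re.finditer(stmt_re, dump_text, re.S):
        cols = [c.strip(" `") for c in stmt.group(1).split(",")]
        # one tuple per row; quoted values may contain commas, so split them with csv
        for row in re.finditer(r"\(((?:[^()']|'[^']*')*)\)", stmt.group(2)):
            vals = next(csv.reader([row.group(1)], quotechar="'"))
            rec = dict(zip(cols, vals))
            if not HASHED.match(rec.get("password", "")):
                found.append((rec["login"], rec["password"]))
    return found


if __name__ == "__main__":
    for a in extract_btc_addresses(SAMPLE_DUMP):
        print("wallet:", a)
    for login, pw in find_plaintext_credentials(SAMPLE_DUMP):
        print("plaintext credential:", login, pw)
```

The checksum step matters more than it looks: a 59,975-row address table pasted into a blocklist with even a handful of malformed entries will never match anything on-chain, and a single-character corruption is indistinguishable from a real address by eye. The credential check is deliberately conservative; an unsalted hex digest passes as "hashed" here even though it is trivially crackable, so a second pass over the hex-only entries is worth doing.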

The identity of the hacker is still unknown, though the clues point to a single actor (or a small group) operating under the nickname “xoxo from Prague”.

The defacement message is the same one used in the recent breach of the Everest ransomware gang’s infrastructure. Speculation is rife; several researchers believe the attacker exploited a PHP zero-day or one-day (publicly known but unpatched) vulnerability in LockBit’s web backend to gain access.

According to blockchain security company SlowMist, this PHP vulnerability was most likely the attack vector.

Why This Matters

  1. Affiliate Trust Is Crumbling: Ransomware gangs run on trust between partners. This breach destroys LockBit’s credibility by exposing private messages, negotiation behaviour, and usernames.
  2. Law Enforcement Jackpot: Wallet addresses, chat logs, and Tox IDs are an intelligence gold mine. They can be used to trace payments, map affiliate relationships, and even unmask operators.
  3. Reputation Beyond Repair?: LockBit’s attempts to downplay the breach, claiming it was “just the light panel” and offering a bounty for the attacker’s identity, only expose how unstable the group has become.

This leak follows Operation Cronos in 2024, a joint action by the NCA, the FBI, and Europol that temporarily took down LockBit’s infrastructure and unmasked its leader, Dmitry Yuryevich Khoroshev, a Russian national known online as “LockBitSupp”.

LockBit had fought its way back online after Cronos, but this latest intrusion could finish the group off for good. “Only the light panel with auto registration was hacked,” LockBitSupp said in a Tox chat with researcher Rey, in an attempt to minimise the damage.


However, no amount of PR can change the fact that law enforcement now holds a detailed record of LockBit’s activities, and affiliates have every reason to panic.

Expect arrests and disruptions as investigators trace the leaked Bitcoin addresses and Tox handles, and expect further leaks or retaliatory attacks as other RaaS groups study LockBit’s failure.

The underground market is likely to fragment into smaller operations as RaaS crews suffer reputational damage and rising OPSEC costs.

Conclusion

If even the biggest fish in the ransomware ocean can be hacked and embarrassed, nobody is safe. This breach is not just a win for defenders; it is a shot across the bow for every cybercriminal on the planet.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.