  • Cyberattack Unveils Nearly 60,000 Bitcoin Addresses Tied to LockBit Ransomware Syndicate

    A significant security breach has exposed critical internal data of the notorious LockBit ransomware organization, revealing almost 60,000 Bitcoin addresses linked to its operations. The attack involved hackers infiltrating LockBit’s dark web infrastructure, defacing affiliate control panels, and leaking sensitive information to the public.

    The Details of the Breach

    Discovered on May 7, 2025, this cyber intrusion targeted LockBit’s underground servers, resulting in the defacement of affiliate management portals and the release of a comprehensive database containing internal records. The hackers left a provocative message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a downloadable MySQL database file named paneldb_dump.zip.

    Initially brought to public attention by threat actor ReyXBF, cybersecurity specialists quickly analyzed the breach, uncovering a significant amount of data about LockBit’s operational infrastructure.

    According to a report from Bleeping Computer, the leaked information includes extensive details about LockBit’s ransomware setup. Most notably, it contains nearly 60,000 unique Bitcoin addresses associated with the group.

     

     

    What Do These Addresses Represent?

    These Bitcoin addresses are believed to be linked to ransom payments from victims. Each address typically corresponds to a specific victim, helping LockBit divide and hide the flow of illicit funds. LockBit’s operator, known as “LockBitSupp,” has confirmed the breach but claimed that no private keys or additional sensitive data were compromised.

    The leak also includes detailed logs of ransomware builds created by affiliates, which cover technical configurations used in different attacks. Furthermore, over 4,400 chat logs record negotiations between LockBit operatives and victims, providing insight into how ransom demands were handled.

    Credentials and Technical Vulnerabilities

    Among the leaked data are login details for 75 administrators and affiliates, with passwords stored in plaintext, posing a serious security risk. The method used to breach LockBit remains uncertain, but similarities to a recent attack on the Everest ransomware group suggest a common attacker or technique.

    Notably, the server was running PHP 8.1.2, which is known to be vulnerable to CVE-2024-4577, a critical security flaw that could have allowed remote code execution—potentially providing the attacker with full control over the server.

    Impact and Law Enforcement Response

    This breach marks a turning point for LockBit, which has already faced significant setbacks from global law enforcement actions. The 2024 Operation Cronos, led by the U.S. Department of Justice, Europol, and other agencies worldwide, resulted in the disruption of LockBit’s infrastructure, arrest of several members, and the freezing of more than 200 cryptocurrency accounts tied to the group.

    In early 2024, authorities seized key websites and negotiation panels used by LockBit, and recovered over 1,000 decryption keys. These keys are now being distributed to victims to help restore access without paying ransom fees.

    One of the group's leading developers, Rostislav Panev, was apprehended in Israel and is awaiting extradition to the United States. He is accused of creating malware and other tools for LockBit, receiving over $230,000 in cryptocurrency. His defense claims ignorance about the full extent of the group's activities, but law enforcement considers him a central figure.

    The Broader Threat

    Since its inception in 2019, LockBit has targeted over 2,500 victims across 120 countries, extorting more than $120 million worldwide. The leak of such extensive operational data could have severe consequences, potentially allowing authorities and cybercriminals to trace and dismantle parts of the group's infrastructure further.

    The Future Outlook

    This incident underscores the ongoing risks posed by ransomware gangs and the importance of cybersecurity vigilance. It also demonstrates how leaks can serve as both a blow to cybercriminal organizations and valuable intelligence for law enforcement agencies. As more data is analyzed, we can expect continued efforts to track and disrupt these malicious networks.
