LockBit Ransomware Group Hacked, 59,975 Bitcoin Addresses Exposed
The LockBit ransomware operation, one of the most notorious cybercriminal groups, has fallen victim to a significant hack. Unknown attackers breached the gang’s dark web infrastructure, replacing their affiliate panels with a taunting message: “Don’t do crime CRIME IS BAD xoxo from Prague.” This incident, first reported by a threat actor known as Rey, was later analyzed by cybersecurity experts. The breach occurred around April 29, 2025, as indicated by timestamps in the database.
The hackers left a link to download a “paneldb_dump.zip” file, which contained a SQL file from the site’s MySQL database. This file revealed detailed information about the ransomware operation, including 59,975 unique Bitcoin addresses. The exposure of these addresses could significantly aid law enforcement in tracing ransom payments, as each victim is typically assigned a unique address for payment. This allows affiliates to track payments while attempting to conceal connections to their main wallets. With these addresses now public, blockchain investigators and law enforcement can analyze payment patterns and potentially link past ransom payments to known wallets.
The leaked database also included details about the ransomware builds created by LockBit affiliates, with some entries revealing the names of targeted companies. This provides valuable insight into the group’s operations and the extent of their attacks. Additionally, the database exposed 4,442 negotiation messages between LockBit operators and their victims, spanning from December 19 to April 29. These messages offer an unprecedented look into how the group handles extortion, including the tactics and strategies they employ.
The breach also revealed 75 admins and affiliates who had access to the panel, with their passwords stored in plaintext. Examples of these passwords included “Weekendlover69” and “LockbitProud231.” A LockBit operator known as “LockBitSupp” confirmed the breach but claimed that no private keys were leaked and no data was lost. The server was running PHP 8.1.2, which has a known critical vulnerability (CVE-2024-4577) that allows remote code execution. This vulnerability may have been the entry point for the attackers.
The defacement message used in the attack matches one used in a recent breach of the Everest ransomware site, suggesting a possible connection between the incidents. This is not the first major setback for LockBit. In 2024, law enforcement agencies conducted Operation Cronos, which took down much of the group’s infrastructure. Although the group managed to rebuild after that takedown, this new breach deals another blow to its reputation. Other ransomware groups that have experienced similar leaks include Conti, Black Basta, and Everest, indicating a trend of hackers targeting criminal organizations.
While LockBit claims no private keys were exposed, the breach has still revealed valuable intelligence about their operations. The leaked information could help authorities identify members of the group and track their financial activities. The exposure of Bitcoin addresses and negotiation messages provides law enforcement with crucial tools to dismantle the group’s operations and bring its members to justice. This incident underscores the ongoing battle between cybercriminals and those working to combat them, highlighting the importance of robust cybersecurity measures and international cooperation in the fight against ransomware.
