LockBit Ransomware Group Suffers Major Data Breach

A significant breach has exposed the internal systems of LockBit, a notorious global ransomware group, revealing a trove of sensitive information. The incident, which compromised LockBit’s dark web infrastructure, has leaked substantial internal data, including 60,000 Bitcoin addresses, plaintext passwords, ransomware build data, and chat logs detailing the group’s extortion tactics. This breach comes amidst mounting global pressure on cybercrime, including crackdowns by G7 nations and the seizure of laundering platforms.

The breach was first flagged by a threat actor named “Rey,” who released a MySQL database archive titled “paneldb_dump.zip.” This archive contains 20 database tables linked to LockBit’s affiliate operations, including Bitcoin wallet addresses, ransomware configurations, user credentials, and private negotiations with victims. A defacement message left on LockBit’s admin panels mocked the group and provided a direct link to the leaked data. The attack’s method and tone bear a striking resemblance to a recent takedown of the Everest ransomware group, leading to speculation that a vigilante or a rival threat actor might be responsible.

Analysis of the leaked database has provided numerous insights into LockBit’s operations. The nearly 60,000 Bitcoin addresses listed are presumed to be linked to ransom payments or laundering schemes. Configuration tables detailed how LockBit affiliates customized malware builds, including targeting preferences and instructions to bypass certain systems. Over 4,400 chat logs, covering negotiations between LockBit and its victims from December 2024 to April 2025, reveal the vast scale of LockBit’s operations and its aggressive tactics in pressuring companies for ransoms ranging from a few thousand dollars to over $100,000.

The breach also exposed login credentials for 75 users, including affiliates and administrators. Shockingly, all passwords were stored in plaintext, a fundamental security failure that severely undermines LockBit’s claims of technical sophistication. The passwords reportedly included unprofessional and even humorous entries, suggesting a surprisingly casual or arrogant internal security posture. Despite the breach, LockBit’s representative confirmed the incident in private chats but downplayed its impact, claiming that no private decryption keys were leaked and that operational continuity wasn’t compromised.

This breach coincides with intensifying law enforcement activity against crypto-enabled crime. German authorities recently seized €34 million ($38 million) in crypto from eXch, a platform allegedly used to launder funds from the massive Bybit exchange hack earlier this year. The platform reportedly facilitated $1.9 billion in illicit transactions without implementing anti-money laundering measures. On a broader scale, G7 nations are preparing to address the role of cryptocurrency in cybercrime during their upcoming summit, with a key focus on North Korea’s cyber operations, which have used stolen digital assets to support weapons programs.