CyberSecurity news
FlagThis
Dissent@DataBreaches.Net
//
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.
Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.
References :
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.
Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.
Share:
References :
- DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
- Metacurity: All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
- Searchlight Cyber: Searchlight’s threat intelligence team shares their early observations from the LockBit data leak On May 7 2025 it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
- www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
- BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
- hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
- Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
- www.it-daily.net: LockBit hacker group was hacked
- socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
- securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
- slcyber.io: Early Analysis of the LockBit Data Leak
- hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
- The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
- www.scworld.com: Data breach exposes LockBit ransomware gang
- www.itpro.com: LockBit ransomware group falls victim to hackers itself
- Help Net Security: LockBit Hacked: What does the leaked data show?
- Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
- ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
- Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
- Graham Cluley: LockBit ransomware gang breached, secrets exposed
- cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
- bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed