Exposes Details of Victims, ‘Aggressive’ Negotiations, Cryptocurrency Addresses
One year to the day after an international law enforcement operation unmasked and indicted the leader of the notorious LockBit ransomware group, a hacker has sent the group another love letter.
On Wednesday, an unknown hacker defaced LockBit’s data leak sites, redirecting them to a page with the following message: “Don’t do crime CRIME IS BAD xoxo from Prague.” That is the same message used to deface the long-running Everest ransomware group’s data leak site at the beginning of April, after which Everest took the site offline.
In this case, the message is followed by a download link for a 7.5 megabyte compressed paneldb_dump.zip file comprising a SQL database stolen from LockBit that contains data timestamped from December 2024 through April 29.
“While official confirmation is still pending, the data appears legitimate and highly revealing,” said Alon Gal, co-founder and CTO at Hudson Rock.
Cybersecurity researcher Milivoj Rajić told Information Security Media Group that he’s in the time-consuming process of scanning the 59,975 Bitcoin wallet addresses included in the dump. “We clearly see that there is money in some addresses,” he said, finding $100,000 in Bitcoin, after so far scanning only a fraction of those addresses.
Gal said those cryptocurrency wallet addresses could be a “goldmine for law enforcement to trace payments” and by following the money, to unmask affiliates. The dump also includes “detailed victim profiles including domains, estimated revenue and custom ransomware builds,” he said.
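As an added illustration, not code from the article or from any of the researchers quoted, the following script shows the first step of the tracing work described above: pulling candidate Bitcoin addresses out of a SQL dump, deduplicating them, and discarding any that fail the base58check or bech32 checksum before spending blockchain-explorer lookups on them. The SQL fragment is constructed for the example (it is not the real paneldb_dump.zip content), and the addresses in it are public test vectors from the Bitcoin wiki and BIP173, one of them deliberately corrupted.

```python
import hashlib
import re

# Constructed sample in the shape of a SQL dump; not the leaked database.
# Row 3 duplicates row 1, row 4 has a corrupted final character.
SAMPLE_DUMP = """
INSERT INTO `wallets` VALUES (1, 'affiliate_a', '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2');
INSERT INTO `wallets` VALUES (2, 'affiliate_b', 'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4');
INSERT INTO `wallets` VALUES (3, 'affiliate_a', '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2');
INSERT INTO `wallets` VALUES (4, 'affiliate_c', '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3');
INSERT INTO `wallets` VALUES (5, 'affiliate_d', '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy');
"""

# Legacy/P2SH addresses (base58, start with 1 or 3) and lowercase
# native-segwit addresses (bech32/bech32m, start with bc1).
ADDR_RE = re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{6,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4 bytes match
    the first 4 bytes of double-SHA256 over the first 21 bytes."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        num = num * 58 + idx
    # Each leading '1' encodes one leading zero byte.
    n_pad = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * n_pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_polymod(values) -> int:
    """BIP173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """True if the bc1 address carries a valid bech32 (v0) or bech32m checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.find(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # 1 is the bech32 constant; 0x2BC830A3 is bech32m (BIP350, taproot).
    return bech32_polymod(hrp_expanded + values) in (1, 0x2BC830A3)


def extract_wallets(dump_text: str):
    """Return (sorted unique valid addresses, list of candidates that failed
    their checksum). Only the first list is worth sending to an explorer."""
    valid, rejected = set(), []
    for cand in ADDR_RE.findall(dump_text):
        if cand.lower().startswith("bc1"):
            ok = bech32_valid(cand)
        else:
            ok = base58check_valid(cand)
        if ok:
            valid.add(cand)
        else:
            rejected.append(cand)
    return sorted(valid), rejected


if __name__ == "__main__":
    good, bad = extract_wallets(SAMPLE_DUMP)
    print(f"{len(good)} unique valid addresses, {len(bad)} rejected")
    for a in good:
        print("  valid   ", a)
    for a in bad:
        print("  rejected", a)
```

Running it on the constructed dump yields three unique valid addresses and rejects the corrupted one. On a real dump the valid list would then be fed, in batches, to a balance or transaction-history API; the checksum filter matters because a scan of tens of thousands of addresses is slow and rate-limited, and malformed entries otherwise burn quota for nothing.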
The dump also includes numerous chats between multiple affiliates and various victims, as well as affiliates’ IDs for the Tox peer-to-peer instant-messaging tool, which could help identify their other activities, experts said.
“Looking at the leaked chats, we can see how aggressive LockBit was during ransom negotiations,” said Christiaan Beek, senior director of threat analytics at Rapid7. “In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000 or even $100,000.”
The leaks reveal more than 35 active affiliates for LockBit since last December, with another 35 having been tagged as “paused,” said French ransomware researcher and journalist Valery Rieß-Marchive in a post to LinkedIn.
Blockchain security firm SlowMist said the “Prague” or “xoxo” hacker who breached LockBit’s administration panel “likely exploited a PHP 0-day or 1-day vulnerability to compromise the web backend and management console.”
The leak follows Operation Cronos, spearheaded by the U.K.’s National Crime Agency and the FBI, which one year ago named and indicted Russian national Dmitry Yuryevich Khoroshev, 32, who stands accused of being the LockBit leader behind the outspoken “LockBitSupp” handle. Law enforcement said it infiltrated the group and obtained copious communications between members, as well as with victims. Authorities also obtained decryption keys for numerous victims, which they released, as well as affiliates’ handles (see: Europol Details Pursuit of LockBit Ransomware Affiliates).
LockBit is already attempting to downplay the damage caused by its latest leak.
LockBitSupp told cybersecurity researcher “Rey” later on Wednesday that “only the light panel with auto registration was hacked, not a single decryptor and stolen company data were damaged.” He also said “bitcoin addresses and conversations” leaked, and that “yes it affects reputation, but recovery from hacking also affects reputation.”
LockBit issued a message stating that a hacker successfully bypassed authentication for a portal that offered automatic registration.
“The database was stolen, but no decryptors or sensitive data from victim companies were involved,” the group claimed. “We are investigating the exact method of intrusion and have initiated the rebuilding process. The main control panel and blog remain operational.”
The message also claimed to offer a reward for the identity of the “Prague” or “xoxo” hacker involved. “If you can provide accurate and reliable information about this person’s identity – I’m willing to pay for it,” it reads.
That may be a weak attempt by the group to try to take control of the narrative, given that the United States offers up to $10 million for information that leads to Khoroshev’s arrest or conviction.
Whether the leaks prove to be the final nail in the coffin for LockBit, which launched in 2019, isn’t clear. Researchers say the group, which until last year regularly dominated the monthly count of attacks ascribed to any given group, alongside BlackCat, aka Alphv, is a shell of its former self.
The ransomware market has become “fractured and uncertain,” as demonstrated by the plethora of groups in operation, with none of them claiming vastly more victims than anyone else, ransomware incident firm Coveware, part of Veeam, said in a recent report.
Once sure-fire strategies for ransomware groups haven’t been delivering expected returns, as groups’ collective power to command victims’ attention and compel extortion continues to wane.
Credit goes in no small part to Western law enforcement getting better at disrupting operators, even though many reside in Russia, which has been historically resistant to prosecuting cybercriminals. “Joint law enforcement actions over the last year have systematically impaired the resources ransomware actors depend on to operate,” Coveware said.