
Victim negotiations and internal data leaked in major breach
The notorious LockBit ransomware gang has fallen victim to a serious data breach, exposing sensitive information from its operations and internal infrastructure.
The breach, in which the group’s dark web affiliate panels were defaced, includes the leak of a MySQL database dump containing critical records related to the gang’s activities.
The defaced admin panels now display a taunting message: “Don’t do crime CRIME IS BAD xoxo from Prague,” accompanied by a link to download an archive titled “paneldb_dump.zip.”
The breach was first identified by the threat actor known as Rey, who uncovered the link and archive, which includes a SQL dump from LockBit’s affiliate panel.
Analysis of the leaked MySQL database, conducted by BleepingComputer, revealed the dump contains 20 tables, with several offering rare insights into the inner workings of the LockBit operation:
- ‘btc_addresses’ Table: Contains 59,975 unique Bitcoin addresses, likely used for ransom payments and laundering transactions.
- ‘builds’ Table: Lists individual ransomware builds created by affiliates. While public encryption keys are included, no private keys are present. Some rows name the targeted companies, adding another layer of exposure.
- ‘builds_configurations’ Table: Outlines specific build settings, including instructions to skip certain ESXi servers or encrypt particular files, giving clues to the attackers’ tactics.
- ‘chats’ Table: Perhaps the most damning, this table includes 4,442 negotiation messages between LockBit operators and victims, spanning from 19th December 2024 to 29th April 2025. These logs provide an unfiltered look into how LockBit extorted companies over months.
- ‘users’ Table: Contains credentials for 75 admins and affiliates, with all passwords stored in plaintext, a severe security oversight.
Cybersecurity researcher Michael Gillespie highlighted some of the leaked passwords, including “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.”
In a Tox chat with Rey, LockBit’s public representative, LockBitSupp, confirmed the authenticity of the breach but claimed that no private keys were leaked and no operational data was permanently lost.
The defacement message used in the LockBit breach mirrors one used in a recent attack on Everest ransomware’s dark web site, suggesting a potential connection or common perpetrator behind the two incidents.
While no group has taken credit for the attack, the message’s tone implies a vigilante or rival actor targeting criminal operations.
Christiaan Beek, senior director, threat analytics at security vendor Rapid7, said: “Rapid7 is following reports that the LockBit ransomware group’s systems may have been hacked. While we’re still waiting for official confirmation, the leaked information looks real and has also been shared on Telegram.”
“In our analysis, we’ve observed that the leaked data includes:
- Private messages between LockBit and its victims
- Bitcoin wallet addresses (which could help law enforcement)
- Detailed information about victims, such as company websites, estimated revenue, and custom versions of the ransomware
“Looking at the leaked chats, we can see how aggressive LockBit was during ransom negotiations. In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000 or even $100,000.”
This breach compounds the setbacks LockBit has faced in recent years. In 2024, Operation Cronos, a multinational law enforcement effort, dismantled much of LockBit’s infrastructure.
Authorities seized 34 servers, cryptocurrency wallets, 1,000 decryption keys, and the group’s affiliate panel.
LockBit had since managed to partially recover and resume activity, but this latest breach delivers another critical blow to its credibility and security posture.
Cybersecurity experts say the breach may cause ripple effects across the ransomware ecosystem. Past leaks of internal data have led to the unravelling of groups like Conti, Black Basta and Everest.