LockBit ransomware gang gets hacked, 60K Bitcoin addresses leaked

The LockBit ransomware group was hit by a cyberattack that exposed its internal operations. Nearly 60,000 Bitcoin wallet addresses associated with the group's activities have been disclosed, along with thousands of victim communications and detailed records of its backend infrastructure.
The breach, first noticed by a cybercrime researcher on Wednesday evening, occurred at the end of April 2025. LockBit's dark web affiliate panels were defaced and replaced with a message that read: “Do not do the crime. The crime is bad Xoxo from Prague”, with a link to a MySQL database dump titled “Pannedb_dump.zip”.
So LockBit just got pwned… xD pic.twitter.com/jr94bvj2dm
– Rey (@reyxbf) May 7, 2025
“A basic analysis of the database indicates that the dump was created around April 29, which suggests that LockBit was compromised no later than this date and subsequently defaced on May 7,” confirmed Rey.
Data exposed in the panel dump
According to Rey, citing an analysis by the cybersecurity publication BleepingComputer, the leaked database contained approximately 20 tables, including a 'BTC_Address' table listing 59,975 Bitcoin wallet addresses connected to LockBit ransoms.
Other notable data in the leak includes a “builds” table, which details the ransomware payloads created by LockBit affiliates. The table includes public encryption keys and, in some cases, the names of targeted companies.
The “Builds_Configurations” table shows which files or servers affiliates configured their attacks to avoid or encrypt, along with several other operational tactics used in previous ransomware campaigns.
A table named “cats” contains more than 4,400 negotiation messages between LockBit affiliates and victims, dated from December 19, 2024 to April 29, 2025.
The dump also exposes a “user” table listing 75 administrators and LockBit affiliates with access to the group's backend panel. Security researchers were shocked to discover that the user passwords were stored in clear text.
Cybersecurity researcher Michael Gillespie highlighted some of the exposed passwords, including “Weekendlover69”, “Movingbricks69420” and “LockbitProud231”.
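Cleartext credential storage of the kind described above is something defenders can check for in their own database exports. The following Python script is an added example, not code from the article or from any analysis it cites: it audits a mysqldump-style file for credential values that are not bcrypt or Argon2 hashes. The `users` table, the `password` column and the sample rows are constructed assumptions.

```python
import re

# PHP's password_hash() emits bcrypt ($2y$) or Argon2 strings; other values are suspect.
STRONG = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}|\$argon2(?:id|i|d)\$v=\d+\$\S+")
BARE_HEX = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?\s*\(([^)]*)\)\s*VALUES", re.I)
# A token is a quoted string, a structural character, or a bare literal (number, NULL).
TOKEN = re.compile(r"'((?:[^'\\]|\\.|'')*)'|([();])|([^\s,();']+)")

def parse_rows(sql, start):
    """Split the VALUES list that begins at offset `start` into rows of fields."""
    rows, row = [], None
    for m in TOKEN.finditer(sql, start):
        text, punct, bare = m.groups()
        if punct == ";":            # an unquoted ';' ends the statement
            break
        if punct == "(":
            row = []
        elif punct == ")":
            rows.append(row)
            row = None
        elif row is not None:       # undo \x and '' escapes inside quoted strings
            row.append(bare if text is None else
                       re.sub(r"\\(.)|''", lambda e: e.group(1) or "'", text))
    return rows

def classify(value):
    if STRONG.fullmatch(value):
        return "strong-hash"
    return "bare-hex-digest" if BARE_HEX.fullmatch(value) else "plaintext"

def audit(sql, table="users", column="password"):
    """Return (first column, verdict) per row; the stored value is never echoed."""
    findings = []
    for m in INSERT_RE.finditer(sql):
        cols = [c.strip(" `") for c in m.group(2).split(",")]
        if m.group(1).lower() == table and column in cols:
            idx = cols.index(column)
            findings += [(r[0], classify(r[idx])) for r in parse_rows(sql, m.end())]
    return findings

# Constructed sample dump (hypothetical schema and values, not data from the leak).
SAMPLE = ("INSERT INTO `users` (`id`, `login`, `password`) VALUES\n"
          "(1, 'admin', 'Summer;2025!'),\n"
          "(2, 'o\\'neil', '$2y$10$" + "A" * 53 + "'),\n"
          "(3, 'ops', '5f4dcc3b5aa765d61d8327deb882cf99');\n")

if __name__ == "__main__":
    for row_id, verdict in audit(SAMPLE):
        print(row_id, verdict)
```

A `bare-hex-digest` verdict means the value has the length of an unsalted MD5, SHA-1 or SHA-256 digest and should be treated as weak storage, not as proof that a hash is in use.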
LockBitSupp, a known operator of the LockBit group, confirmed in a Tox conversation with Rey that the breach was real. However, the operator insisted that no private keys or critical data had been lost.
Lockbitsupp response (this is a translated image): pic.twitter.com/l54g1a5hxz
– Rey (@reyxbf) May 7, 2025
Alon Gal, technology director at Hudson Rock, said the data also includes custom ransomware builds and decryption keys. According to Gal, if verified, the keys could help some victims recover their data without paying a ransom.
Exploiting server vulnerabilities
An analysis of the SQL dump revealed that the affected server was running PHP 8.1.2, a version vulnerable to a flaw tracked as “CVE-2024-4577”. The vulnerability allows remote code execution, which explains how the attackers were able to infiltrate LockBit's backend systems and exfiltrate data.
Security professionals believe that the style of the defacement message may link the incident to a recent breach of the Everest ransomware site, which used the same “crime is bad” phrasing. The similarity suggests that the same actor or group may be behind both incidents, although no clear attribution has been confirmed.
The hackers behind the breach have not come forward, but Kevin Beaumont, a security researcher in the United Kingdom, said that the DragonForce group could be responsible.
“Someone hacked LockBit. I'm going to guess DragonForce,” he wrote on Mastodon.
According to the BBC, DragonForce was involved in several cyberattacks on British retailers, including Marks & Spencer, Co-op and Harrods.
In 2024, Operation Cronos, a multinational effort led by the United Kingdom and involving law enforcement agencies from ten countries, including the Federal Bureau of Investigation (FBI), temporarily halted LockBit's activities, although the group eventually resurfaced.
The operation reportedly took down 34 servers, seized cryptocurrency wallets and uncovered more than 1,000 decryption keys.
Police believe that LockBit's operators are based in Russia, a jurisdiction from which it would be difficult to bring them to court. Ransomware gangs center their operations within Russia's borders because direct arrests are almost impossible.