
The notorious LockBit ransomware operation has experienced a serious security breach. Unknown actors have successfully hacked the group's dark web affiliate panels, replacing them with a defacement message that reads: "Don't do crime CRIME IS BAD xoxo from Prague."
After the breach, which reportedly occurred around April 29, 2025, the hacker dumped the panel's database as a SQL file. The exposed MySQL database dump contains sensitive operational information.

On analysing the leaked database, Cyber Kendra identified multiple revealing tables, including one containing nearly 60,049 unique Bitcoin addresses and another with details of ransomware builds created by LockBit affiliates for specific attacks.
Perhaps most damaging is the exposure of 4,441 negotiation messages between the ransomware operators and their victims, spanning from 19 December 2024 to 29 April 2025. Additionally, a users table revealed 75 administrators and affiliates who had access to the panel, with their passwords stored in plaintext – a significant security lapse.
The leaked database also contains a table named "pkeys" whose details have not yet been confirmed; it could hold the decryption keys.
The intrusion method remains unconfirmed; however, according to the SQL dump file, the compromised server was running PHP 8.1.2, a version affected by a critical remote code execution vulnerability (CVE-2024-4577).
This breach follows the significant blow dealt to LockBit in 2024 when law enforcement's Operation Cronos dismantled much of their infrastructure, including servers hosting their data leak sites, cryptocurrency addresses, and decryption keys.

In a conversation with Rey, the LockBit operator known as "LockBitSupp" confirmed the breach but claimed that no private keys were leaked and no data was lost. Nevertheless, this incident represents another substantial hit to the group's reputation and operational security.
This pattern of security breaches among ransomware operations isn't unprecedented – similar leaks have previously affected other major ransomware groups, including Conti, Black Basta, and Everest. The cybersecurity community now watches closely to see if this latest exposure might prove decisive in diminishing LockBit's standing in the ransomware ecosystem.