The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber extortion rings, has itself become the victim of a major cyberattack.
On May 7, attackers breached and defaced the group’s dark web sites, leaking a trove of operational data and internal chats in a stunning turn of events that sent shockwaves through the cybersecurity community.
Visitors to LockBit’s dark web portals were greeted by a defiant message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a download link to “paneldb_dump.zip,” which contains what appears to be a comprehensive MySQL database dump.
The attackers’ identity remains unknown, but their message leaves little doubt about their intent to embarrass and expose LockBit.

Security researchers have authenticated the data as real, describing the leak as a “goldmine for law enforcement.”
The exposed database includes about 60,000 unique Bitcoin wallet addresses allegedly used in ransom payments, nearly 4,500 negotiation chat logs between LockBit operators and their victims dating back to December, and details on custom-built ransomware variants for specific attacks.

Plaintext Passwords, Admin Details Exposed

The leak’s most damning content may be a user table containing plaintext passwords for 75 LockBit administrators and affiliates, a glaring security oversight for a group that specialized in breaching others.
According to Alon Gal, CTO and Co-Founder of Hudson Rock, the information “could significantly aid in tracing cryptocurrency payments and attributing attacks to specific threat actors.”

In the wake of the breach, LockBit sought to downplay the incident with a message in Cyrillic on their leak site.
The group insisted that only a “light panel” with autoregistration was compromised, and claimed that no decryptors or stolen company data were affected.

Attempting to turn the tables, LockBit offered a reward for information about the Prague-based hacker behind the attack.
The timing couldn’t be worse for LockBit, which was already reeling from Operation Cronos, a February 2024 global law enforcement operation that temporarily disabled its infrastructure.
While the group managed to bounce back, analysts noted that recent LockBit victim claims often recycled previous attacks.
Experts draw parallels between this breach and a recent attack on the Everest ransomware operation, both tied to a PHP 8.1.2 vulnerability (CVE-2024-4577) enabling remote code execution.
For LockBit, responsible for nearly 44% of ransomware attacks globally in early 2023, this breach is more than a setback.
The exposure of affiliates’ credentials and operational details could permanently damage the group’s credibility and cripple their future activities.