Lockbit Ransomware Hackers Got Hacked Again: Database, Plaintext Passwords Leaked

The LockBit ransomware gang has suffered another major data breach: attackers defaced its affiliate panels and leaked a MySQL database containing victim chats, Bitcoin addresses and, remarkably, plaintext admin passwords, further crippling the notorious cybercrime group.

The notorious LockBit ransomware gang, still grappling with the fallout from a significant law enforcement takedown in early 2024, has been dealt another severe blow.

On May 7, attackers breached and defaced LockBit’s dark web affiliate panels, leaking a critical MySQL database that lays bare the group’s operational secrets. This latest security failure, as reported by BleepingComputer, exposed an alarming array of sensitive information: nearly 60,000 Bitcoin addresses, detailed configurations for affiliate ransomware builds, over 4,400 private victim negotiation chats, and, in a stunning display of poor operational security, plaintext passwords for 75 administrator and affiliate accounts.

Dark web affiliate panels of the LockBit ransomware gang were altered and replaced with a message linking to a MySQL database dump.

The defacement message left on dark web affiliate panels of LockBit by the attackers was a taunt: “Don’t do crime CRIME IS BAD xoxo from Prague”.

This breach not only further erodes LockBit’s already tarnished reputation within the cybercrime underworld but also provides a potential treasure trove of intelligence for global law enforcement agencies and victims.

The incident starkly highlights that even supposedly sophisticated ransomware operations can be undone by their own egregious security lapses, offering a crucial lesson for organizations worldwide about the ever-present threat landscape. For businesses and individuals, this serves as a potent reminder of the importance of stringent cybersecurity hygiene.

The attack follows “Operation Cronos”, an international law enforcement initiative in February 2024, which led to the public identification of Dmitry Yuryevich Khoroshev, also known as ‘LockBitSupp,’ as the alleged kingpin of the LockBit ransomware syndicate. Khoroshev was subsequently sanctioned, and a $10 million reward was offered for information leading to his capture. Despite that major disruption, LockBit had managed to regroup, making this new breach particularly damaging to their attempts at resurgence.

The interconnected nature of cybercrime further complicates efforts to dismantle their networks. The ongoing analysis of the freshly leaked LockBit data will undoubtedly provide more pieces to this complex puzzle.

Catastrophic OpSec Failure and Leaked Intel

The database, believed to have been exfiltrated around April 29th, paints a damning picture of LockBit’s internal security practices. Security researcher Michael Gillespie pointed out the amateurish use of plaintext passwords like ‘Weekendlover69’ and ‘Lockbitproud231’.
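The plaintext passwords are the clearest lesson of this breach for defenders: a dumped credential table should yield nothing usable. The following is an added illustration, not code from the article or from any party it describes, showing the minimum a web panel should do instead: store each password as a salted scrypt key, verify logins by recomputing the key, and compare in constant time. The two sample passwords are the ones the article quotes; the account names, the record format and the table layout are constructed for this example.

```python
"""Password storage: what a leaked credential table gives an attacker.

Added example (not from the article). Record format is a constructed,
self-describing string: scrypt$N$r$p$salt_hex$key_hex.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters: 2**14 iterations, r=8 needs ~16 MiB per hash,
# which is within hashlib.scrypt's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt key and return a record that carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)  # fresh per-account salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the parameters stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(key_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: never "fail open"
    return hmac.compare_digest(candidate.hex(), key_hex)


def migrate_plaintext_table(table: dict[str, str]) -> dict[str, str]:
    """Replace every plaintext password in a user table with a hashed record."""
    return {user: hash_password(pw) for user, pw in table.items()}


def exposed_credentials(table: dict[str, str]) -> dict[str, str]:
    """Simulate a database dump: any value that is not a hashed record is a
    directly usable credential for whoever obtains the dump."""
    return {user: value for user, value in table.items()
            if not value.startswith("scrypt$")}


if __name__ == "__main__":
    # Constructed sample table using the two passwords quoted in the article.
    plaintext = {"admin": "Weekendlover69", "affiliate_1": "Lockbitproud231"}
    print("dump of plaintext table exposes:", exposed_credentials(plaintext))
    hashed = migrate_plaintext_table(plaintext)
    print("dump of hashed table exposes:", exposed_credentials(hashed))
    print("login with correct password:", verify_password("Weekendlover69", hashed["admin"]))
    print("login with wrong password:", verify_password("Weekendlover70", hashed["admin"]))
```

Two details matter in practice: the random per-account salt means two users with the same password get different records, so a dump cannot be cracked with one precomputed table, and the record carries its own work-factor parameters, so the cost can be raised later and old records re-hashed at next login without a schema change.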

The implications of the leaked data are far-reaching. The exposure of tens of thousands of Bitcoin addresses could significantly aid financial investigators in tracing LockBit’s illicit profits.

The 4,400 victim negotiation messages, spanning from December 2024 to April 2025, offer direct evidence of the group’s extortion methods. Moreover, the malware research collective VX-Underground announced on X that they are analyzing the dump.

This suggests the data could lead to the identification of more LockBit affiliates. Adding to LockBit’s woes, in the wake of the breach, the group’s primary data leak site has been experiencing intermittent outages.

Unraveling the Attack and Lingering Questions

While the identity of the attackers and their precise methods remain unconfirmed, the defacement message’s similarity to one used in a recent attack on the Everest ransomware group has fueled speculation about a possible link or a copycat. BleepingComputer also highlighted a significant vulnerability: the compromised LockBit server was reportedly running PHP 8.1.2, a version susceptible to the critical remote code execution flaw CVE-2024-4577.

LockBit’s operator, ‘LockBitSupp,’ reportedly acknowledged the breach in a Tox conversation with the threat actor ‘Rey’, who first spotted the defacement. However, LockBitSupp attempted to minimize the damage, claiming no private keys were lost—a statement that appears to be contradicted by the comprehensive nature of the leaked database.

A Pattern of Ransomware Takedowns and Evolutions

This incident is the latest in a series of disruptions affecting major ransomware operations. Groups like Conti and Black Basta have previously suffered from internal leaks and law enforcement actions. The cybercrime landscape is characterized by constant evolution, with new groups like VanHelsing emerging with sophisticated RaaS platforms, often mimicking the tactics of their predecessors but also learning from their mistakes—or, in LockBit’s case, failing to.

The increasing use of AI in cybercrime also presents an evolving challenge, such as in the case of emerging threat actor FunkSec, which relies on innovative use of artificial intelligence (AI) tools to assist in malware development. This trend of leveraging AI to enhance attack capabilities was further confirmed in a Google Threat Intelligence Group (GTIG) report in January.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
