In a surprising twist of fate, the LockBit ransomware group—once known for leaking victims’ data—has become a victim of a data breach itself. The group’s dark web affiliate panel was recently defaced and replaced with an unusual message: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” Alongside the message was a link to a downloadable archive containing a MySQL database dump from the group’s internal systems.
The breach was first flagged by a threat actor known as “Rey,” and later verified through an analysis by cybersecurity outlet BleepingComputer. The leaked archive contains 20 database tables, shedding light on LockBit’s operations, affiliates, and communications.
Among the exposed data were nearly 60,000 Bitcoin wallet addresses, believed to be tied to ransom transactions or internal movement of funds. Another table revealed the ransomware builds created by various affiliates, some even naming their corporate targets. There were also configuration details specifying what to encrypt or avoid during attacks, such as skipping certain ESXi servers.
Perhaps the most revealing part of the leak is a chat log of over 4,400 negotiation messages exchanged between LockBit and its victims from December 2024 to April 2025. These conversations include ransom demands, victim responses, and discussions about payment deadlines.
Additionally, the database contains a user list of 75 affiliates and administrators. Shockingly, their passwords were stored in plain text, with examples including “Lockbitproud231” and “Weekendlover69”—a serious lapse in security for a group so focused on digital extortion.
The individual behind LockBit’s public persona, “LockBitSupp,” later confirmed the breach in a private chat with Rey. The operator said no decryption keys or vital operational information had been compromised in the incident, but experts say the collateral damage could still be enormous.
Security researchers say the entry point may have been a vulnerability in PHP version 8.1.2, which LockBit’s server was running at the time. That release is known to be affected by a severe bug (CVE-2024-4577) that allows remote code execution, making it a probable entry point for the attacker.
Interestingly, the defacement message on LockBit’s panel closely mirrors one used in a recent breach of the Everest ransomware group, hinting at a possible connection, though it remains unclear whether the attack came from rival criminals, hacktivists, or a state-backed entity.
This isn’t the first time LockBit has been dealt a blow. The previous one came in early 2024, when an international law enforcement operation known as Operation Cronos dismantled a large part of the group’s infrastructure, seizing 34 servers, crypto assets, and victims’ stolen data.
LockBit eventually managed to recover and resume activity, but this new breach could deliver another serious blow to its standing within the criminal underworld.
The exposure of its internal data could also affect how potential affiliates view the group. In a market where trust between operators and partners plays a crucial role, such leaks tend to damage a group’s reputation and its future business deals.
This serves as another reminder that even the most sophisticated cybercriminal enterprises are susceptible to operational vulnerabilities. Just as ransomware gangs continue to adjust, the forces seeking to dismantle them, whether through formal prosecution or underground revenge, continuously adapt as well.