Introduction

LockBit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a notorious ransomware group [6] [9], has experienced a significant breach due to a cyberattack that compromised its dark web infrastructure. This incident has resulted in the exposure of critical internal data, including Bitcoin wallet addresses [3] [6], user credentials [6] [9], and ransom negotiation logs [9].

Description

LockBit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a notorious ransomware gang [6] [9], has suffered a significant breach following a cyberattack that compromised its dark web infrastructure. This incident has led to the exposure of critical internal data, including over 59,975 unique Bitcoin wallet addresses linked to ransom payments [6], approximately 76 user credentials stored in plaintext, and extensive ransom negotiation logs. The attackers exploited a critical vulnerability in PHP, tracked as CVE-2024-4577 [7] [9], to gain access to LockBit’s lightweight PHP-based platform.

On May 8, 2025 [4], data associated with LockBit was publicly displayed after a year-long investigation by international law enforcement [4]. A hacker from the group sent a message containing a download link for a 7.5 megabyte compressed file named paneldbdump.zip [4], which contained an SQL database with data collected from December 2024 to April 29, 2025 [4]. The leaked database includes detailed chats between LockBit and its victims, documenting over 4,442 negotiation messages exchanged over several months. The SQL dump revealed victim names [9], communications [4] [9], and insights into the operational methods of ransomware groups [9]. The database contains 20 tables [3], including a “chats” table with extensive negotiation conversations, a “btcaddresses” table with over 59,975 unique Bitcoin addresses [8], and a “users” table detailing 76 admins and affiliates with access to the affiliate panel [8]. Additionally, “builds” and “builds_configuration” tables document the individual encryptor builds created by LockBit affiliates and their configurations. Notably, only 44 user accounts were linked to actual encryptor builds for LockBit affiliates [3], and 30 of those were active at the time of the dump [3].
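The reports above describe the dump only by its table names, so the first task for an analyst or incident responder handed such a file is to triage it before anything is matched against their own ransom-payment or victim records: pull the rows out of the INSERT statements, deduplicate the wallet addresses, discard anything that does not pass the Base58Check checksum (typos and placeholder rows are common in operator-entered data), and flag credential columns that hold plaintext rather than hashes. The script below is an added example, not code from the original page or from any of the cited reports. The dump it parses is constructed inline in mysqldump style: the column names (`address`, `login`, `password`) are assumptions, the rows are made up, and the two well-formed addresses are the public Bitcoin genesis address and the Bitcoin wiki's published P2SH example. Only legacy Base58 addresses are validated here; bech32 (`bc1…`) addresses would need a separate decoder.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set

# Constructed sample in mysqldump style. It is NOT the leaked paneldbdump.zip:
# column names are assumed, rows are invented, and the two valid addresses are
# public examples (the genesis-block address and the Bitcoin wiki P2SH example).
SAMPLE_DUMP = """
CREATE TABLE `btcaddresses` (`id` int, `address` varchar(64), `build_id` int);
INSERT INTO `btcaddresses` VALUES (1,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',7),(2,'3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy',7);
INSERT INTO `btcaddresses` VALUES (3,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',9),(4,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb',9);
CREATE TABLE `users` (`id` int, `login` varchar(64), `password` varchar(128));
INSERT INTO `users` VALUES (1,'admin','hunter2'),(2,'affiliate17','5f4dcc3b5aa765d61d8327deb882cf99'),(3,'affiliate42','$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0');
"""

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*?);\s*$", re.M)
ROW_RE = re.compile(r"\(([^()]*)\)")
VAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(-?\d+(?:\.\d+)?)|(NULL)")


def parse_inserts(dump: str) -> Dict[str, List[List[Optional[str]]]]:
    """Collect rows from single-line INSERT statements, keyed by table name.
    Handles quoted strings, numbers and NULL, which covers mysqldump output;
    it is deliberately not a general SQL parser."""
    tables: Dict[str, List[List[Optional[str]]]] = {}
    for stmt in INSERT_RE.finditer(dump):
        rows = tables.setdefault(stmt.group(1), [])
        for row in ROW_RE.finditer(stmt.group(2)):
            rows.append([v.group(1) if v.group(1) is not None else v.group(2)
                         for v in VAL_RE.finditer(row.group(1))])
    return tables


B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 25 decoded bytes of a legacy Base58Check address, or None if a
    character is outside the alphabet or the double-SHA256 checksum fails."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return raw


def is_legacy_btc_address(addr: str) -> bool:
    """True for a checksum-valid mainnet P2PKH (version 0x00) or P2SH (0x05) address."""
    raw = b58check_decode(addr)
    return raw is not None and raw[0] in (0x00, 0x05)


# Heuristic: hex digests of common lengths or bcrypt strings are treated as hashed;
# anything else in a password column is reported as plaintext for follow-up.
HASH_LIKE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53})$", re.I)


def looks_plaintext(secret: str) -> bool:
    return HASH_LIKE.match(secret) is None


def analyze_dump(dump: str) -> dict:
    """Triage summary: table list, deduplicated valid addresses, malformed
    addresses, and logins whose password column is not a recognisable hash."""
    tables = parse_inserts(dump)
    valid: Set[str] = set()
    malformed: Set[str] = set()
    for row in tables.get("btcaddresses", []):
        addr = row[1] or ""
        (valid if is_legacy_btc_address(addr) else malformed).add(addr)
    plaintext = [row[1] for row in tables.get("users", []) if looks_plaintext(row[2] or "")]
    return {
        "tables": sorted(tables),
        "unique_valid_addresses": sorted(valid),
        "malformed_addresses": sorted(malformed),
        "plaintext_logins": plaintext,
    }


if __name__ == "__main__":
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run against the sample, the four address rows collapse to two unique valid addresses, the row whose last character was altered is reported as malformed because its checksum no longer matches, and only the `admin` account is flagged for a plaintext password. On a real dump, the deduplicated address set is what would be compared against an organisation's own payment records or shared with law enforcement; validating first avoids chasing rows that were never spendable addresses.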

LockBit’s main administrator [2], Dmitry Yuryevich Khoroshev [2], acknowledged the breach’s authenticity but maintained that only the management panel was compromised, asserting that no private keys or sensitive company data were lost. While the group confirmed that Bitcoin addresses and conversations were leaked, it emphasized that no sensitive data from affected companies was involved [4]. This breach represents a catastrophic failure for LockBit [6], which had built its reputation on technical prowess and operational security [6]. In response, LockBit has offered a bounty for information about the attacker and is investigating the intrusion method while keeping its main control panel and blog in operation. The compromised server was running PHP 8.1.2 [10], a version known to be vulnerable to the aforementioned remote code execution flaw.

The exposure of Bitcoin addresses and operator credentials could aid law enforcement in tracing ransom payments and analyzing payment patterns linked to known wallets [1], while also providing valuable intelligence for prosecuting the group’s members [6]. Organizations previously targeted by LockBit may find useful information in the leak [6], potentially aiding in data recovery without paying ransoms [6]. This incident marks another setback for LockBit [1], which previously faced significant disruption during Operation Cronos in 2024 [1]. The exposure of sensitive operational data may force LockBit to rebuild its operation, if it can survive this incident [6]. Cybersecurity experts are analyzing the leaked data for further insights [6], while law enforcement agencies are likely using this information to build cases against LockBit members [6]. The ransomware ecosystem may experience temporary disruption as operators reassess their security measures in light of this breach [6].

Conclusion

The breach of LockBit’s infrastructure has significant implications for both the group and the broader ransomware ecosystem. The exposure of Bitcoin addresses and user credentials provides law enforcement with valuable tools to trace ransom payments and potentially prosecute members of the group. Organizations affected by LockBit may benefit from the leaked data, aiding in data recovery efforts without resorting to ransom payments. This incident underscores the importance of robust cybersecurity measures and may prompt a reevaluation of security protocols within the ransomware community. As cybersecurity experts and law enforcement continue to analyze the leaked data, the future operations of LockBit remain uncertain, potentially leading to a temporary disruption in the ransomware landscape.

References

[1] https://blockonomi.com/lockbit-ransomware-gang-hacked-60000-bitcoin-addresses-and-victim-negotiations-exposed/
[2] https://www.infosecurity-magazine.com/news/lockbit-ransomware-hacked-insider/
[3] https://securityaffairs.com/177619/cyber-crime/the-lockbit-ransomware-site-was-breached-database-dump-was-leaked-online.html
[4] https://www.cser.org/news/38879/
[5] https://www.abijita.com/lockbit-ransomware-gang-hit-by-major-data-breach-panel-defaced-and-data-leaked/
[6] https://www.security.land/lockbit-ransomware-group-suffers-major-breach-admin-database-exposed/
[7] https://www.techradar.com/pro/security/lockbit-ransomware-gang-gets-hacked-leak-exposes-negotiations-with-victims
[8] https://insight.scmagazineuk.com/data-breach-exposes-lockbit-ransomware-gang
[9] https://securityboulevard.com/2025/05/lockbit-ransomware-hacked-database-and-victim-chats-leaked/
[10] https://www.cyberkendra.com/2025/05/lockbit-ransomware-gang-hacked.html