LockBit, a leading ransomware syndicate, has had its data exposed following a hack. Attackers leaked nearly 60,000 Bitcoin addresses and over 4,400 negotiation messages. The breach came from the group’s affiliate panel database, which was compromised on April 29, 2025.
Details of the Leaked Information
Security researchers at BleepingComputer analysed the dump. They found a table named “btc_addresses” with 59,975 unique wallet addresses.
Another table, “chats,” held 4,442 messages exchanged between LockBit affiliates and their victims from December 19 to April 29. These messages include ransom demands, payment instructions, and back‑and‑forth bargaining.
Affiliate Panel Exposed
The SQL archive included 20 tables in all. A “builds” table lists the custom malware builds created by affiliates, complete with public keys and attack targets in some cases.
A “builds_configurations” table showed details on which servers to avoid and which files to encrypt. The “users” table revealed 75 admin and affiliate accounts.
Shockingly, passwords were kept in plain text. Examples included “Weekendlover69” and “Lockbitproud231,” highlighting poor security practices.
LockBit’s Response
In a private Tox chat picked up by researcher Rey, LockBit’s operator “LockBitSupp” confirmed the leak. They insisted that no private keys or victim data were stolen, only information from their own panel.
The panel's admin pages were also defaced with a taunting message reading, “Don’t do crime CRIME IS BAD xoxo from Prague.”
Possible Cause of the Breach
It remains unclear who carried out the attack or how they accessed the panel. However, the defacement message matches one used in a recent breach of the Everest ransomware site.
That similarity suggests the same threat actor may be involved. The server behind the panel ran PHP 8.1.2, which is vulnerable to CVE-2024-4577, a critical flaw that allows remote code execution.
Operation Cronos and LockBit’s Past Takedown
Last year, law enforcement launched Operation Cronos to dismantle LockBit’s infrastructure. Authorities seized thirty‑four servers, took down the group’s data leak website, and recovered stolen files, decryption keys, and affiliate records.
LockBit rebuilt quickly, though, and resumed attacks within weeks. This latest incident adds another setback to the gang’s shaken operations.
Impact on Ransomware Landscape
LockBit has long offered Ransomware-as-a-Service, giving affiliates the tools to launch attacks in exchange for a share of the proceeds. Victims pay in Bitcoin or Monero to obtain decryption keys, or risk public exposure of their data.
Affiliates use mixers and privacy coins to launder funds. With so much of their data exposed, LockBit’s affiliates may face greater scrutiny or even fallout from mistrust within the network.
Other Groups Hit by Leaks
LockBit is not alone in suffering reversals. Competing gangs such as Conti, Black Basta, and Everest have also endured data leaks that exposed their tactics and internal communications.
These exposures have helped defenders develop countermeasures and track criminal infrastructure.
The leak of LockBit’s affiliate panel marks a rare turn of events where a ransomware gang becomes the victim. With private messages, wallet addresses, and poor security practices laid bare, the breach could undermine affiliates’ confidence and disrupt future attacks.