The LockBit ransomware site was breached, database dump was leaked online

Pierluigi Paganini May 08, 2025

Lockbit ransomware group has been compromised, attackers stole and leaked data contained in the backend infrastructure of their dark web site.

Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel.

“Don’t do crime CRIME IS BAD xoxo from Prague,” reads the message published on the group dark web leak site.

The LockBit operator ‘LockBitSupp’ confirmed the data breach in a private conversation with the threat actor Rey, however, he said that no private keys were leaked or data lost.

Original Image: pic.twitter.com/ppK8pj0qGW
— Rey (@ReyXBF) May 7, 2025

BleepingComputer analyzed the leaked database and reported that it has 20 tables, including BTC addresses, builds with target names, build configurations, 4,442 victim chat logs, and user data with plaintext passwords.

“A ‘chats‘ table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.” states BleepingComputer.

Researchers noticed that only 44 user accounts are associated with actual encryptor builds for LockBit affiliates, among which 30 were active at the moment of the dump.

As said, only 44 user accounts are associated with actual encryptor builds, among which 30 were actually active at the moment of the dump.
That's your number of active #LockBit affiliates by then. Now, who are they and how active were they? 🤔 pic.twitter.com/sYilI2BjXU
— Valéry Rieß-Marchive | @valerymarchive.bsky.social (@ValeryMarchive) May 8, 2025

The Italian cyber security expert Emanuele De Lucia extracted the 60k+ addresses in the dump and argued that the presence of a large number of private keys, linked to specific build configurations or victims (via build_id) suggests these are the actual key data. This data could be critical for developing universal or victim-specific decryption tools.

De Lucia added that the chat logs show a significant range in the initial ransom amounts demanded (from $50,000 to at least $1,500,000). The ransomware gang demands are tailored based on the perceived value of the victim.

The top victim TLDs are:

.et (Ethiopia)
.co (Colombia)
.jp (Japan)
.br (Brazil)
.tw (Taiwan)
.ph (Philippines)
.fr (France)

“Finally, this is a rich source of operational and technical intelligence. Its contents enable a deeper understanding of the threat actor’s capabilities and methods (i.e. FortiVPN is reported as an initial access point) and infrastructures.” said De Luci

The attacker behind the breach is still unknown, but the defacement message matches a recent Everest ransomware hack, hinting at a possible link between the two defacements.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

Pierluigi Paganini July 27, 2025

Allianz Life data breach exposed the data of most of its 1.4M customers

Pierluigi Paganini July 27, 2025