Tuesday, January, 21, 2025

Bitcoin Trail Uncovered: LockBit Ransomware Panel Breach Reveals 60,000 Addresses


Anny Sam

Anny is a skilled crypto writer, delivering clear, engaging content that simplifies complex blockchain concepts for a broad audience.
  • Nearly 60,000 Bitcoin addresses connected to LockBit ransomware were leaked.
  • Hackers breached LockBit’s dark web affiliate panel and exposed key data.
  • The leaked data reveals internal operations, user info, and negotiations with victims.

LockBit, a well-known ransomware group, has suffered a major data breach. Unknown hackers took control of its dark web affiliate panel and exposed sensitive data, including information related to Bitcoin transactions and wallets. They defaced the admin panel and added a message mocking the group. The message also linked to a database dump.

The exfiltrated archive contains records from LockBit's MySQL database. Analysts verified that the leak comprises almost 60,000 individual Bitcoin addresses, which they suspect were used for ransomware payments. The hackers also obtained sensitive tables containing details on how LockBit operated.

This attack came months after law enforcement cracked down on LockBit in 2024. That operation took down 34 servers, seized decryption keys, and exposed LockBit's tools. The group rebuilt afterward, but this latest hit may prove detrimental to it.

Custom Builds and Bitcoin Targets Exposed

The leaked SQL file reveals a lot. It contains a table with 75 login details for admins and affiliates, including several weak passwords stored in plaintext. Among them are the credentials “Weekendlover69” and “Lockbitproud231,” which point to weak basic security controls.

Another table lists ransomware builds, which affiliates used in the attacks. The records also identify company names targeted with some of those builds. Additionally, the table displays configuration options for the attacks, indicating which files or servers the attackers tried to bypass.

Most telling of all is the chat history. Authorities publicly released over 4,400 messages exchanged between the perpetrators and the victims, sent between December 2024 and late April 2025. The messages offer a glimpse into how the negotiations were conducted, covering timelines, demands, and the resulting outcomes.

PHP Flaw May Have Exposed LockBit’s Server

It’s unclear how LockBit’s panel was hacked, but some clues exist. The SQL dump indicates that the server was running PHP version 8.1.2. That version has a serious vulnerability, CVE-2024-4577, which may allow hackers to run code remotely.

Incidentally, the defacement message is reminiscent of one that appeared in a recent attack on fellow ransomware group Everest. Either the same group of hackers is behind both, or groups may be following a trend of attacking ransomware gangs.

While previous hits on LockBit had seen them recover, this leak is unlike those. It reveals how vulnerable even the most notorious crime networks are. Whether that signals their demise is unclear, however. At present, the reputational hit is devastating and out there for everyone to see.
