Revenge Hack? LockBit Affiliate Panel Breached in Bold Cyber Strike

Swagta Nath

The LockBit ransomware gang has suffered a serious data breach, exposing internal operations, affiliate builds, negotiation chats, and even administrator credentials. The breach comes just months after law enforcement’s Operation Cronos attempted to dismantle LockBit’s infrastructure.

This latest breach, first noticed by threat actor “Rey,” appears to involve a full defacement of LockBit’s dark web affiliate panel. Instead of the usual login interface, all admin panels now display the message:

Don’t do crime. CRIME IS BAD. xoxo from Prague

Along with this message is a link to a downloadable archive, paneldb_dump.zip, which contains a MySQL dump of LockBit’s affiliate portal.

What the Leaked Database Reveals

BleepingComputer, which analyzed the dump, reports that the archive includes 20 MySQL tables from LockBit’s backend database. These shed unprecedented light on the gang’s internal mechanics:

  • btc_addresses: Contains nearly 60,000 unique Bitcoin addresses potentially used for ransom transactions.

  • builds: Reveals custom ransomware builds created by affiliates, listing public keys and targeted companies.

  • builds_configurations: Details the configuration settings for attacks, including instructions to avoid encrypting ESXi servers or specific file types.

  • chats: Perhaps the most damning, this table includes 4,442 negotiation messages between affiliates and victims from December 19, 2024, to April 29, 2025.

  • users: Lists 75 admin and affiliate usernames with plaintext passwords, including examples like “Weekendlover69” and “Lockbitproud231.”

Notably, security researcher Michael Gillespie confirmed that passwords were stored insecurely in plaintext, revealing serious operational sloppiness within the gang’s infrastructure.


Technical Weakness & Suspected Exploit

While the exact identity of the attackers remains unknown, analysts suggest a strong possibility that CVE-2024-4577, a remote code execution vulnerability in PHP 8.1.2, was used to breach LockBit’s servers. This critical vulnerability has been actively exploited since its disclosure and would have given attackers access to server resources, including databases.

The defacement message also matches one used in a recent breach of Everest ransomware’s dark web portal, suggesting a possible common adversary — perhaps a vigilante group or rival actors targeting ransomware gangs.

A Reputational Crisis After Operation Cronos

In 2024, Operation Cronos, a global law enforcement initiative, successfully took down 34 of LockBit’s servers and seized decryption keys, stolen data, and cryptocurrency wallets. While LockBit managed to rebuild its infrastructure, this new breach highlights the fragility of its resurrection.

The group’s operator, LockBitSupp, acknowledged the incident in a Tox conversation with Rey but insisted that no private keys or critical data were lost. However, with the affiliate system now public, containing evidence of victims, payment flows, and poor security practices, the damage may be irreversible.

The Bigger Picture: Crumbling Trust in RaaS Platforms

LockBit’s compromise comes amidst a broader collapse in trust among Ransomware-as-a-Service (RaaS) platforms. Following the disappearance of RansomHub and takedowns of ALPHV and BlackCat, affiliates are increasingly cautious. The data leak could deter cybercriminals from partnering with LockBit, since affiliates may now regard the gang as both insecure and compromised.

Whether this breach marks the end of LockBit remains uncertain. But it clearly demonstrates that even the most notorious ransomware groups are not immune to the same cyber vulnerabilities they exploit — and that the walls are closing in.
