The Predator Becomes the Prey: LockBit Ransomware Group Hit by Massive Data Breach

May 9, 2025 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS Cybertech

In a remarkable twist of fate, the LockBit ransomware group—once feared as one of the world’s most prolific and destructive cyber extortion syndicates—has fallen victim to a cyberattack of its own.

On May 7, 2025, the dark web portals of LockBit were breached, defaced, and ultimately exposed.

A Bold Breach from the Shadows

Visitors to LockBit's dark web affiliate panel on May 7 were met not with the usual ransomware negotiation interface, but with a mocking message:

“Don’t do crime. CRIME IS BAD. xoxo from Prague”

The message was accompanied by a link to a file titled paneldb_dump.zip, containing what appears to be a full MySQL database dump of LockBit’s internal operations.

The breach, confirmed by multiple cybersecurity experts and first analyzed by BleepingComputer, included a staggering amount of operational data. Among the revelations were:

A table of close to 60,000 unique Bitcoin addresses, likely used to receive ransom payments.

Roughly 4,400 negotiation messages exchanged between LockBit operators and victims, dating back to December 2024.

Records of the custom ransomware builds generated by affiliates, including per-build configuration such as which ESXi servers and which file types to skip during encryption.

Anatomy of the Leak

What makes this breach particularly devastating for LockBit is not just the volume of data, but its sensitivity. The database includes a user table containing plaintext passwords for 75 LockBit administrators and affiliates. Plaintext credentials mean anyone holding the dump can log in as those affiliates and tie each handle to its builds, chats and payment addresses. For a group that has spent years exploiting weak passwords and credential leaks, the oversight is ironic, if not embarrassing.

Security researchers have verified the legitimacy of the leak, with one calling it a “goldmine for law enforcement” seeking to dismantle the infrastructure of ransomware cartels. The dump not only offers a peek into the group’s financial trail, but also a forensic look into its inner workings—from malware development to affiliate coordination.

Even more damaging, some of the stolen builds include victim names and ransom details, allowing for a retrospective look at LockBit’s most high-profile attacks.

LockBit has long operated as a Ransomware-as-a-Service (RaaS) platform, enabling affiliates to deploy custom ransomware tools while sharing profits with the group’s core leadership. Since its emergence in 2019, the group has been linked to attacks on hospitals, manufacturing plants, financial institutions, and government agencies worldwide.

Its reputation peaked with high-profile strikes such as the January 2023 Royal Mail attack in the UK and major disruptions in the healthcare sector across North America. Despite earlier takedown efforts, most recently the international Operation Cronos in February 2024, LockBit appeared to maintain momentum.

Until now.

Strategic Blow to the Ransomware Ecosystem

This breach deals a critical blow not only to LockBit but to the wider ransomware economy. Affiliate trust, already shaken by law enforcement interventions and increased scrutiny, is now likely in freefall. The revelation that LockBit stored plaintext passwords and failed basic operational security could further erode the group’s influence in underground forums.

What Comes Next?

It remains unclear who orchestrated the attack on LockBit, whether a rival gang, vigilante hackers, or a covert law enforcement operation. The mocking tone and Prague signature hint at non-governmental actors, though neither is attribution evidence (a defacement string costs nothing to forge), and no group has formally claimed responsibility.

Regardless of attribution, the implications are significant: the hunter has become the hunted.

Final Thoughts

For years, LockBit preyed on the digital weaknesses of organizations around the globe. This week, those tables have turned.

In the war against ransomware, this breach may mark a turning point.