
LockBit ransomware gang hacked, exposing affiliate identities, chats, and bitcoin wallets

  • Marijan Hassan - Tech Journalist
  • 3 days ago
  • 2 min read

The LockBit ransomware group, one of the most notorious cybercrime operations in the world, has reportedly been hacked. The breach exposed a treasure trove of sensitive data, including affiliate identities, attack configurations, and nearly 60,000 bitcoin wallet addresses.



The group’s dark web control panels, which affiliates use to manage ransomware attacks, were defaced with the message:

“Don’t do crime. CRIME IS BAD. xoxo from Prague.”


The defacement also included a link to a downloadable file named paneldb_dump.zip, which contains what appears to be a full database dump of LockBit’s affiliate panel. Security researchers and cybersecurity journalists are now digging into the contents.


What was exposed?

The leaked database includes 20 tables, revealing detailed information about how LockBit operates and who’s been using its tools:


  • Bitcoin Wallets: Nearly 60,000 unique bitcoin addresses, likely used to receive ransom payments.

  • Ransomware Builds: Custom configurations used for specific attacks, including public keys, targeted companies, and instructions to avoid encrypting specific systems (like ESXi servers).

  • Victim Negotiations: More than 4,000 chat logs between victims and LockBit operators, dating from December 2024 to April 29, 2025.

  • Affiliate Information: A list of 75 users (admins and affiliates) who had access to the backend. Shockingly, many passwords were stored in plaintext, including examples like Weekendlover69, MovingBricks69420, and Lockbitproud231.


Who’s behind the hack?

It’s not yet clear who carried out the breach. However, the message left on LockBit’s site mirrors one used in a recent attack on another ransomware group, Everest, suggesting a possible link or repeat attacker.


In a chat with threat analyst Rey, the LockBit figure known as LockBitSupp confirmed the breach had occurred but claimed no private encryption keys or core data were lost.


Still, the breach is another significant blow to LockBit’s credibility. It comes after Operation Cronos last year, where law enforcement agencies took down 34 of the gang’s servers, seized data, cryptocurrency addresses, and exposed decryption keys.


What does this mean?

This kind of breach not only damages LockBit’s reputation but could also expose the identities of individuals involved in carrying out attacks - a serious concern for cybercriminals who operate under the assumption of anonymity.


While LockBit previously bounced back from law enforcement takedowns, it’s unclear if this latest leak could mark the beginning of the end. Other ransomware groups, like Conti and Black Basta, saw their operations fall apart after similar data leaks.
