In a dramatic twist, the LockBit ransomware operation—one of the most notorious cybercrime syndicates—has been hacked, leading to the leak of highly sensitive data that could benefit law enforcement and cybersecurity researchers alike.
The breach came to light on May 7 when a domain tied to a LockBit admin panel was defaced. The defaced site featured a blunt message: “Don’t do crime, crime is bad xoxo from Prague.” Alongside the message was a download link to a data archive allegedly pulled from the compromised server.
This wasn’t just digital graffiti. The leaked archive reportedly contains a treasure trove of intelligence: private chats between affiliates and victims, Bitcoin wallet addresses, detailed attack logs, and even malware infrastructure data.
Cybersecurity professionals quickly jumped on the leaked files. Christiaan Beek, senior director of threat analytics at Rapid7, emphasized that the exposed Bitcoin addresses could offer law enforcement new leads for tracking LockBit’s financial trails. Meanwhile, Luke Donovan, head of threat intelligence at Searchlight Cyber, noted that 76 user records—complete with usernames, passwords, and TOX messaging IDs—could reveal the identities and tactics of LockBit affiliates.
According to Donovan, TOX IDs are commonly used in underground hacker circles. His team has already linked three leaked TOX profiles to known hacker forum aliases. These connections could help analysts better understand how LockBit’s network functions, including how affiliates acquire initial access to compromised systems.
The leaks also included 208 conversations between affiliates and victims, spanning December 2024 to April 2025. These messages offer rare insights into the ransomware negotiation process. Rapid7’s Beek pointed out the varied ransom demands, with some victims pressured to pay as little as a few thousand dollars, while others were hit with demands of up to $100,000.
Donovan also observed that the same taunting message defaced a rival ransomware group’s site—Everest—just weeks earlier. This suggests the same actor may be behind both attacks and hints at potential turf wars or internal sabotage among cybercriminals.
In response, LockBit’s spokesperson confirmed the breach of one of its admin panels but tried to minimize the damage. According to a statement posted on their leak site on May 8, no decryption keys or sensitive victim data were compromised. Still, the mastermind known as “LockBitSupp”—believed by authorities to be Russian national Dmitry Yuryevich Khoroshev—is now offering a bounty for anyone who can identify the attacker.
Despite international efforts to dismantle LockBit—including a major crackdown last year—the ransomware group remains active. This latest breach might be a setback, but the cybercrime operation continues to pose a significant threat to businesses and governments worldwide.
