The LockBit ransomware gang has fallen victim to a significant data breach, exposing internal records and operations. The breach, which affected the group’s dark web affiliate panels, includes a MySQL database dump revealing sensitive information.
The defaced panels now display a message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to download a file titled “paneldb_dump.zip.”
The breach was first identified by a threat actor named Rey, who found that the archive contains a database dump of 20 tables with crucial information about LockBit’s operations. The most notable tables include:
- ‘btc_addresses’: 59,975 Bitcoin addresses used for ransom payments.
- ‘builds’: Details of ransomware builds created by affiliates, some of which name targeted companies.
- ‘chats’: 4,442 negotiation messages between LockBit operators and victims, revealing extortion tactics.
- ‘users’: Credentials for 75 admins and affiliates, with passwords stored in plaintext.
Cybersecurity experts have pointed out that some of the leaked passwords were shockingly weak, like “Weekendlover69” and “Lockbitproud231.”
LockBit’s public representative, LockBitSupp, confirmed the breach but claimed no private keys or operational data were permanently lost. The defacement message mirrors one used in a recent attack on the Everest ransomware group, suggesting a potential connection between the two incidents.
This breach adds to the setbacks LockBit has faced, following the dismantling of much of its infrastructure during Operation Cronos in 2024. The leak may have wider implications for the ransomware ecosystem, as similar leaks have previously led to the downfall of groups like Conti and Black Basta.