LockBit, the notorious ransomware group, reportedly suffered a massive data breach on Wednesday. As per the report, the group’s dark web platform’s admin and affiliate panels were compromised to show a message and link to a MySQL database dump. The database reportedly contains 20 tables that include sensitive information around the cybercriminal group’s affiliate network, extortion tactics, details around malware builds, as well as nearly 60,000 Bitcoin addresses. Notably, this is the second time the ransomware group has been hacked, with the previous attack occurring in 2024.
LockBit Hack Reveal Insights Into The Gang’s Workings
The data breach was first spotted by X (formerly known as Twitter) user Rey, who posted a screenshot of the admin panel. All of the admin and affiliate panels were reportedly taken over to display the message, “Don’t do crime[.]CRIME IS BAD xoxo from Prague.” The text is followed by the MySQL link «paneldb_dump.zip.»
According to a BleepingComputer report, the link leads to a MySQL file containing a massive database. The data reportedly features 20 different tables, where some tables revealed information about how the ransomware group functioned, as well as its malware builds.
One of the tables, labelled “btc_addresses,” reportedly features as many as 59,975 unique Bitcoin addresses. Another “builds” table is said to feature individual malware builds that were created by the group’s affiliates. These are said to be different versions of the same ransomware that the group used to attack others. Some of the builds reportedly also mentioned the names of the targeted companies. This table is also said to feature public keys to the builds, but no private keys. Private keys are necessary to access the ransomware.
Apart from this, the database reportedly featured a “builds_configurations” that revealed information about different configurations used for each version of the malware. The most interesting information, however, was reportedly contained in the “chats” table.
The table is said to contain 4,442 negotiation messages between the LockBit ransomware operators and victims. The messages reportedly were dated between December 19, 2024 and April 29. This list highlighted different extortion techniques used by the gang.
Further, a “users” table reportedly revealed the names of 75 admins and affiliates of the group. These names were said to belong to individuals who had access to the panels. Additionally, the table also contained passwords used by the admins in plaintext.
In a separate post, Rey shared a conversation with a LockBit operator, who goes by the username “LockBitSupp”, confirming the data breach. The operator stated that the source code of the ransomware and private keys were not lost during the hack. The group or individual behind the LockBit hack is currently not known.
