LockBit ransomware group hacked

What happened

LockBit, one of the world’s most prolific ransomware gangs, has been hacked. An unknown attacker compromised the group’s affiliate control panel, defaced it with a message, “Don’t do crime CRIME is BAD xoxo from Prague,” and published a download link to an internal SQL database. The breach exposed the identities of 75 LockBit affiliates and admins, their plaintext passwords, and a wide range of sensitive operational data.

 

Going deeper

The leaked database, covering December 2024 to April 2025, reveals extensive insight into LockBit’s internal activities. It includes custom ransomware builds, victim profiles, estimated revenues, and 4,492 chat messages between LockBit and victims negotiating ransom payments. Also exposed were 59,975 Bitcoin addresses, encryption references, and a full list of victim organizations targeted during the five-month window.

The discovery was first shared by a threat actor named Rey on X (formerly Twitter) on May 7, 2025. According to Rey, LockBit’s ringleader, known online as LockBitSupp, confirmed the hack but claimed the ransomware source code and decryption tools were not affected. No company data appears to have been damaged in the attack.

The timing of the hack compounds LockBit’s woes. The group has been reeling from Operation Cronos, a coordinated global law enforcement effort announced in February 2024. The operation resulted in two arrests, 34 server takedowns, over 14,000 rogue account closures, and the seizure of more than 200 crypto wallets. Authorities also recovered decryption keys, allowing free recovery tools to be developed for past victims.

 

What was said

Security researchers have described the leak as a goldmine for understanding ransomware group operations. The defacement message, left in both this breach and a previous hack of Everest ransomware’s leak site, has fueled speculation about the attacker’s identity.

While some suspect a vigilante or hacktivist is behind the operation, others point to rival groups. One theory centers on DragonForce, a new ransomware cartel aggressively trying to recruit affiliates and dominate the ransomware-as-a-service ecosystem. DragonForce recently offered white-label infrastructure to other gangs and has been linked to attacks on high-profile UK retailers such as Marks & Spencer, Harrods, and the Co-op.

 

FAQs

What is LockBit, and why is it significant in the cybercrime world?

LockBit is a ransomware-as-a-service (RaaS) operation that enables affiliates to deploy custom ransomware in exchange for a profit share, making it one of the most active and damaging cybercrime groups globally.

 

How might this breach impact ongoing investigations into ransomware attacks?

The leaked data, including affiliate identities and negotiation logs, could provide law enforcement with evidence to link LockBit to past attacks and identify suspects.

 

What does this breach say about security practices within ransomware groups?

Ironically, it shows that even top-tier ransomware gangs may lack basic operational security, making them vulnerable to the same tactics they use against others.

 

Could this lead to a shift in the ransomware-as-a-service market?

Yes. The exposure may erode affiliate trust in LockBit, potentially driving them to rival groups like DragonForce and reshaping the power dynamics among cybercriminals.

 

Are organizations at risk if their information appears in the leaked database?

While no company data was leaked directly, victim names, ransom negotiations, and Bitcoin addresses may surface publicly, increasing reputational or legal risks for affected entities.
