LockBit ransomware gang breached, victim negotiations leaked

The LockBit ransomware group has suffered a new blow after its dark web infrastructure was breached and defaced. Its affiliate panel was replaced with a message mocking the gang, “Don’t do crime CRIME IS BAD xoxo from Prague”, and a link to download a full MySQL database dump. The leak exposes key internal tables, including nearly 60,000 Bitcoin addresses, attack build configurations, and 4,400 victim negotiation messages.

The affiliate panel also contained plaintext passwords used by 75 affiliates and admins, such as “Weekendlover69” and “Lockbitproud231”. The attacker behind the breach remains unidentified, though the signature resembles a recent hack against Everest ransomware.

Analysis from our experts:


This breach puts LockBit in the uncomfortable spotlight once again, and the implications are twofold: operational exposure and reputational erosion. From a technical perspective, the presence of plaintext passwords and a vulnerable PHP version (CVE-2024-4577) speaks to poor internal hygiene, an ironic twist for a group that prides itself on technical prowess. Strategically, the leak of negotiation messages provides rare insight into victim extortion tactics and the affiliate ecosystem.

Whether this marks the downfall of LockBit or merely a pause depends on the group’s ability to rebuild trust within its affiliate network, a task far more difficult when your back-end code is public and your passwords read like a teenager’s gaming handle.
