
LockBit Ransomware Breach: 60K Bitcoin Addresses Exposed!


The notorious LockBit ransomware group has been dealt a significant blow after a breach of its own systems revealed close to 60,000 Bitcoin addresses. The exposure occurred when hackers infiltrated LockBit’s dark web infrastructure, defaced its affiliate panels, and released a vast array of internal data online.

This incident, identified on May 7, 2025, targeted critical components of LockBit’s operations, resulting in defaced affiliate admin panels and a leak of an extensive database of internal records.

Details of the Breach

So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM

— Rey (@ReyXBF) May 7, 2025

The attackers announced their presence with a message proclaiming, “Don’t do crime CRIME IS BAD xoxo from Prague,” and provided a downloadable MySQL database dump named paneldb_dump.zip.

After being first highlighted by threat actor Rey, cybersecurity professionals quickly began to analyze the breach, uncovering a wealth of information regarding LockBit’s operational framework.

A report from Bleeping Computer indicated that the leaked information encompasses extensive details about the group’s ransomware infrastructure. Most notably, it revealed 59,975 unique Bitcoin addresses believed to be associated with ransom payments, strategically assigned to individual victims to obscure the trace of illicit financial flows.

LockBit’s operator, known as “LockBitSupp,” has acknowledged the breach but claimed that no sensitive information or private keys were compromised.

The leaked data also contains detailed records of ransomware builds created by LockBit affiliates, documenting the technical parameters of various attacks, as well as extensive chat exchanges covering over 4,400 negotiations between LockBit representatives and their victims.

Furthermore, compromised data included user credentials for 75 admins and affiliates who had access to the affiliate panel, with some passwords stored in plaintext.

The precise method through which LockBit was compromised remains unclear. However, Bleeping Computer has suggested potential parallels with a recent breach of the Everest ransomware group, hinting at the possibility of a common assailant or methodology.

The analysis indicated that the server was running on PHP version 8.1.2, known to have vulnerabilities such as CVE-2024-4577, which could have permitted remote code execution.

Impact on LockBit’s Operations

The ramifications of this breach are expected to be significant. For law enforcement and blockchain forensic teams, the leaked Bitcoin addresses provide a valuable tool to trace ransom payments and possibly identify individuals affiliated with LockBit.

This breach represents a substantial reputational setback for LockBit, which has already faced challenges from Operation Cronos, a coordinated international effort spearheaded by the U.S. Department of Justice and Europol. This operation temporarily dismantled parts of LockBit’s infrastructure in early 2024.

As a result of this crackdown, over 200 cryptocurrency accounts linked to LockBit activities have been frozen. Law enforcement has apprehended two LockBit members in Poland and Ukraine, while two affiliates are facing charges in the U.S. The U.S. Treasury’s OFAC has also blacklisted ten Bitcoin and Ether addresses related to the group, some of which are connected to deposits at exchanges including KuCoin, Binance, and Coinspaid, effectively prohibiting U.S. entities from engaging in transactions with the involved parties.

Key components of LockBit’s operational infrastructure, including their websites and negotiation panels, were seized during the early 2024 raids. More than 1,000 decryption keys were retrieved and are being distributed to victims to aid in accessing their encrypted data without the need for ransom payments.

Additionally, Rostislav Panev, a major developer behind LockBit’s tools, was arrested in Israel and awaits extradition to the U.S. Panev is accused of creating malware and software for the group, allegedly earning over $230,000 in cryptocurrency. His defense alleges ignorance regarding the tools’ use, but authorities contend that he played a pivotal role in facilitating the group’s operations.

Since its inception in 2019, LockBit has executed attacks against more than 2,500 victims across 120 countries, reportedly extorting over $120 million in ransom payments globally.

The post Hack Exposes Nearly 60,000 Bitcoin Addresses Linked to LockBit Ransomware Group appeared first on Finance Newso.
