LockBit hacked: What does the leaked data show?
The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations:
The defaced dark web affiliate panel (Source: Help Net Security)
The breach has been confirmed by LockBitSupp – the creator, developer and administrator of the LockBit ransomware group – who downplayed the attack by saying that decryptors, stolen company data, and the ransomware source code haven’t been compromised.
The dump of the backend MySQL database was apparently generated on April 29, 2025, and contains:
- Nearly 60,000 unique bitcoin addresses / wallets
- Custom versions of the ransomware created for specific attacks and the associated public keys
- Nearly 4,500 negotiation messages exchanged by the ransomware operators and victims
- A list of 76 affiliates (i.e., users of the affiliate panel)
The leaked data will help investigators
Speculation abounds on the person or group behind the breach, but in cybersecurity circles excitement can be felt due to the leaked data that – many have noted – looks to be legitimate.
“Early analysis of the data itself reveals that it is partly composed of ‘user data’ for the LockBit site, almost certainly relating to affiliates or administrators of the group. We have identified 76 users in the data, whose usernames and passwords are contained in the leak,” Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, told Help Net Security.
“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community. These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.”
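The analysis described above, pulling unique wallet addresses out of a database dump and pivoting from TOX IDs to identities seen elsewhere, is the kind of work a threat-intelligence team does on a leak like this. The following is an added example of that workflow, not code from Help Net Security, Searchlight Cyber or any party named in the article. It parses a constructed MySQL dump fragment; the table names, columns, logins, TOX IDs and forum aliases are hypothetical stand-ins (the two wallet strings are generic public test-vector addresses), and the real panel schema is unknown.

```python
import re

# Constructed sample of a mysqldump-style export. Table names, columns and
# values are hypothetical stand-ins, not the real affiliate panel schema.
SAMPLE_DUMP = r"""
CREATE TABLE `users` (`id` int, `login` varchar(64), `tox_id` varchar(76));
INSERT INTO `users` VALUES (1,'affiliate_a','0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB'),(2,'affiliate_b',NULL),(3,'it\'s_c','not-a-tox-id');
INSERT INTO `btc_wallets` VALUES (1,1,'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq'),(2,1,'1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'),(3,2,'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq'),(4,3,'bogus');
"""

# Constructed forum profile data (alias -> TOX ID scraped from a forum signature).
# Only the first entry matches a TOX ID in the dump above.
FORUM_PROFILES = {
    "seller_x": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab",
    "unrelated_user": "FFFF" * 19,
}

# One INSERT statement per line, as mysqldump emits them.
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES (.*);$", re.M)
# Tokens inside VALUES: quoted string (with backslash escapes), NULL, number, punctuation.
TOKEN_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(NULL)|(-?\d+(?:\.\d+)?)|([(),])")
# Syntactic check only: legacy base58 (1.../3...) or bech32 (bc1...) mainnet addresses.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})$")
# A TOX ID is 38 bytes (public key + nospam + checksum) rendered as 76 hex characters.
TOX_RE = re.compile(r"^[0-9A-Fa-f]{76}$")


def parse_inserts(dump):
    """Return {table_name: [row_tuple, ...]} for every INSERT in the dump text."""
    tables = {}
    for stmt in INSERT_RE.finditer(dump):
        table, values = stmt.group(1), stmt.group(2)
        rows, current = [], None
        for tok in TOKEN_RE.finditer(values):
            string, null, number, punct = tok.groups()
            if punct == "(":
                current = []
            elif punct == ")":
                rows.append(tuple(current))
                current = None
            elif punct == "," or current is None:
                continue
            elif null:
                current.append(None)
            elif number:
                current.append(float(number) if "." in number else int(number))
            else:
                # Undo MySQL backslash escaping (\' -> ', \\ -> \).
                current.append(re.sub(r"\\(.)", r"\1", string))
        tables.setdefault(table, []).extend(rows)
    return tables


def unique_btc_addresses(wallet_rows, column=2):
    """Deduplicate syntactically valid bitcoin addresses from the wallet rows."""
    return {row[column] for row in wallet_rows
            if isinstance(row[column], str) and BTC_RE.match(row[column])}


def tox_pivot(user_rows, forum_profiles, login_col=1, tox_col=2):
    """Link panel logins to forum aliases that advertise the same TOX ID."""
    by_tox = {row[tox_col].upper(): row[login_col] for row in user_rows
              if isinstance(row[tox_col], str) and TOX_RE.match(row[tox_col])}
    return sorted((by_tox[tox.upper()], alias) for alias, tox in forum_profiles.items()
                  if tox.upper() in by_tox)


def summarize(dump, forum_profiles):
    """Headline figures an analyst would report for a dump of this shape."""
    tables = parse_inserts(dump)
    users = tables.get("users", [])
    return {
        "users": len(users),
        "users_with_tox": sum(1 for u in users if isinstance(u[2], str) and TOX_RE.match(u[2])),
        "unique_wallets": len(unique_btc_addresses(tables.get("btc_wallets", []))),
        "forum_links": tox_pivot(users, forum_profiles),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP, FORUM_PROFILES))
```

The address check is deliberately syntactic: it filters obvious junk before the addresses are handed to blockchain-analytics tooling, which is where clustering and attribution actually happen. The TOX comparison is case-insensitive because the same ID is often pasted in different case across forums and panels.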
Christiaan Beek, Senior Director of Threat Analytics at Rapid7, noted that the negotiation messages show how aggressive LockBit is during ransom negotiations.
It’s unknown how many of those ransoms have been paid out, but the messages offer a peek into how LockBit’s affiliates negotiate with victims and show that LockBit affiliates attack organizations big and small.
“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek pointed out.
LockBit crippled but not crushed
The LockBit operation suffered a major blow in 2024, when an international law enforcement operation (“Operation Cronos”) took over its dark web leak site and additional infrastructure.
The law enforcement action also led to the arrest and/or indictment of several LockBit affiliates in Poland, Ukraine and Russia, the freezing of over 200 cryptocurrency accounts linked to the group, and the takedown of servers.
A few months later, the alleged identity of LockBitSupp was revealed and a few months after that, an individual was indicted for allegedly developing software for the ransomware group.
Though it was hit hard, the LockBit outfit obviously managed to weather that storm and continue operations and recruiting affiliates. Time will tell whether this latest blow will result in the threat actors ditching the LockBit brand and setting up a new criminal outfit.