LockBit Ransomware Breach: 1 Major Website Hacked, Database and Bitcoin Keys Leaked

Julia Smith


The LockBit ransomware group has been hacked by a mysterious actor claiming to be from Prague, leading to the leak of over 60,000 Bitcoin addresses, user credentials, and internal systems. Read the full story of one of the most damaging cyber reversals in ransomware history.

Introduction: A Stunning Turn of Events in Cyber Warfare

The well-known LockBit ransomware group has itself fallen victim to a hack, the same thing it has long done to numerous organizations and countries. On May 7, 2025, people claiming to be from Prague broke into LockBit's dark web infrastructure, defaced its affiliate management sites, and released thousands of sensitive pieces of information.

Among the revelations: the leak contains more than 59,000 Bitcoin addresses, more than 75 passwords stored without encryption, a large number of chat records, and a database file from the group. The breach is not only a big symbolic victory over one of the biggest ransomware groups in the world; it may also affect the group's operations, sources of funding, and bonds within the gang.


Who Is LockBit? A Profile of Digital Infamy

LockBit stands out from most other ransomware groups because of how much attention it attracts. Since arriving on the scene in 2019, LockBit has proven itself to be one of the most dangerous and active ransomware-as-a-service (RaaS) operations. Because LockBit was run without a central authority, affiliates installed its ransomware payload in return for a share of the extorted ransoms.

Based on information from the U.S. Department of Justice and Europol, experts believe that LockBit has been involved in over 2,500 confirmed incidents in more than 120 different countries. They have also found that LockBit has collected over $120 million in cryptocurrency from its victims within the healthcare and industrial sectors.

LockBit’s internal web interface | Source: SlowMist

Its dark web panels facilitated ransomware deployment, ransom negotiations, and affiliate communications—making the hijacking of these very systems a brutal blow from which the group may struggle to recover.

The Breach: CRIME IS BAD xoxo from Prague

Cybersecurity researchers and blockchain analysts were the first to notice abnormalities in LockBit’s infrastructure on May 7, 2025. The affiliate control panels hosted on the dark web were defaced with a mocking message:

Don’t do crime. CRIME IS BAD xoxo from Prague.

Accompanying the defacement was a downloadable file named paneldb_dump.zip, a MySQL database dump of LockBit’s internal admin and affiliate panel. Inside were thousands of files containing:

  • 59,975 Bitcoin addresses
  • Over 75 user credentials in plaintext
  • Chat logs of over 4,400 ransom negotiations
  • Records of ransomware builds used in various operations
  • Possible payment trails, including a transaction originating from Coinbase

The hacker or group behind the breach has not formally identified themselves beyond the “Prague” reference, and no known hacking collectives have claimed responsibility.

Analysis of the Stolen Data

Analysts from SlowMist, a blockchain security firm, have begun to publicly dissect the breach. In a blog post released shortly after the event, they confirmed the authenticity of the MySQL dump and identified substantial vulnerabilities in LockBit’s backend systems.

Ransom negotiation chat | Source: SlowMist

Key findings included:

  • Vulnerable PHP Backend: LockBit’s panel was reportedly running PHP 8.1.2, a version known to be susceptible to CVE-2024-4577, a remote code execution vulnerability.
  • Ransomware Builder Logs: Detailed logs in the dump revealed the customized ransomware builders given to affiliates, showing variations used to target specific industries.
  • Affiliate System Weaknesses: The affiliate credentials and associated plaintext passwords represent a major operational lapse, and further indicate poor security practices within the group.
  • Financial Trails: With over 60,000 Bitcoin addresses exposed, blockchain forensics teams now have a chance to trace ransom payments, potentially tying wallet activity to real-world actors.

LockBit’s Reaction: Denial, Damage Control, and Bounties

In a public statement on its Telegram channel—written in Russian—LockBit acknowledged the breach but downplayed its impact:

Only the lightweight panel with an authorization code was breached. No decryptors were stolen, and no company data was affected.

While LockBit claims it protected things like the source code and passwords, the group openly says that this attack has damaged its reputation, especially with the people who work for the organization. In a twist of irony, LockBit is now offering a reward to anyone who can identify who is behind the attack on its servers, even though the U.S. State Department had previously offered up to $15 million for information on who is in charge of LockBit.

This contradiction has further damaged the group’s credibility, as hackers rarely offer bounties—except when desperate.

Global Law Enforcement Clampdown: Operation Cronos

This breach comes on the heels of Operation Cronos, a major international crackdown on LockBit in early 2024. Orchestrated by the U.S. Department of Justice, Europol, and law enforcement agencies in Poland, Ukraine, Israel, and the U.S., the operation:

  • Seized key LockBit websites and infrastructure
  • Recovered more than 1,000 decryption keys
  • Froze over 200 cryptocurrency wallets
  • Blacklisted 10 crypto addresses via OFAC
  • Arrested LockBit developers and affiliates

One notable arrest was that of Rostislav Panev, a software engineer in Israel allegedly responsible for creating core components of the LockBit malware. He is currently awaiting extradition to the U.S., accused of building ransomware tools and receiving over $230,000 in cryptocurrency payments.

The Fallout: A Ransomware Giant on Shaky Ground

Reputation Erosion

In ransomware ecosystems, trust is everything. Affiliates—often skilled cybercriminals in their own right—choose to work with platforms that protect their anonymity, ensure payment, and maintain operational security. With LockBit’s internal systems compromised, it risks losing the loyalty and confidence of its affiliate base.

Loss of Operational Secrecy

Loss of operational secrecy occurs when confidential information is exposed, compromising strategies, missions, or systems due to breaches or negligence.

The release of 4,400 negotiation logs, ransomware builder templates, and user credentials means that law enforcement can now dissect LockBit’s inner workings like never before. This will likely lead to accelerated arrests and further sanctions.

Opportunities for Law Enforcement

The exposed Bitcoin addresses open up valuable tracking paths. Blockchain analytics firms like Chainalysis and Elliptic can use this data to map out transactional webs, identify laundering patterns, and unmask the individuals behind pseudonymous wallets.

Comparisons to Other Breaches: A Pattern Emerging?

The LockBit breach and the hack of the Everest ransomware group share a key similarity: both were carried out by exploiting older versions of PHP. As a result, there is a chance that the same method or weakness was used in both cases to disrupt the ransomware groups.

At this point, it is still not clear if the LockBit hack was carried out by a good-faith group, vigilantes, government agents, or rivals in the underground market. It is also possible that these weaknesses have been intentionally introduced by someone to weaken LockBit from the inside.

What Happens Next for LockBit?

As of now, LockBit claims to be in recovery mode, reassuring affiliates that services will resume and operations will continue. However, trust may be difficult to regain, especially in a cybercriminal world where opsec failures are often fatal.

Possible futures for LockBit include:

  • Rebranding under a new name (as seen with REvil and Conti spin-offs)
  • Splintering into smaller, harder-to-track subgroups
  • Complete shutdown, though this is less likely unless core developers are captured

How This Changes the Cybersecurity Landscape

This breach offers a rare strategic victory for cybersecurity defenders and law enforcement, serving as a proof of concept that even the most fortified cybercriminal organizations are vulnerable to attack.

It also:

  • Sends a message to ransomware groups: you can be hacked too.
  • Creates actionable intelligence from the leaked data.
  • Erodes trust in the ransomware-as-a-service model.
  • Encourages other vigilantes or ethical hackers to strike at similar targets.

Conclusion: A Critical Turning Point in the War on Ransomware

The LockBit breach is not only poetic but also an important step forward for those fighting against cyberattacks. Revealing the detailed workings of LockBit has both exposed the group to ridicule and possibly changed the direction of its future activities.

Regardless of whether the attack was carried out by the police, unauthorized hackers, or rival groups, it proves an important point: not even the people who commit cybercrimes are out of harm’s way.

As forensic investigators continue to work with the leaked database, we should see further announcements of more details, arrests, and outcomes. There is one thing we know for sure right now: The collapse of LockBit has caught the world’s attention.


Julia Smith is a senior cryptocurrency news reporter at Bitstocky, bringing over five years of experience in covering Cryptocurrency, Blockchain, DeFi, NFTs, and the broader FinTech landscape. Her insightful reporting has been featured in a range of respected publications.
