The LockBit ransomware group, one of the most notorious and feared cybercriminal gangs, has fallen victim to its own game. In a surprising turn of events, their attackers defaced the dark web panels used by LockBit’s affiliates and replaced them with an unexpected message: “Do not commit crimes. CRIME IS BAD. Hugs and kisses from Prague.”
Along with the message, a link was provided leading to a full dump of a MySQL database. As a result, nearly 60,000 Bitcoin addresses and a large amount of LockBit’s internal data were exposed to the public. This attack not only highlights that no cybercriminal is untouchable, but also offers an unprecedented glimpse into the inner workings of one of the most sophisticated criminal organizations in cyberspace.
LockBit Dark Web Site Defaced with Link to Database
Additionally, there was a link to download a file named paneldb_dump.zip, which was actually a complete copy of the MySQL database used by LockBit in its backend system.
What Was Found in the LockBit Panel Leak?
Although nearly 60,000 Bitcoin addresses were published, a LockBit representative claimed that no private keys or other sensitive data were compromised. In a conversation over Tox with Rey, the operator known as LockBitSupp admitted they had been hacked but insisted that the private keys and critical information remained secure.
According to BleepingComputer’s initial analysis, the leaked database contained 20 tables, including:
-
One with 59,975 unique Bitcoin addresses used to receive ransom payments.
-
A builds table, showing customized versions of the ransomware, some even bearing the names of the attacked companies.
-
A chat table, which stored 4,442 negotiation messages between LockBit and its victims, exchanged between December 2024 and April 2025.
-
A users table containing data for 75 affiliates and administrators, including usernames and plaintext passwords with amusing choices like Weekendlover69 and MovingBricks69420.
One important note: although the Bitcoin addresses were exposed, no private keys were leaked, meaning the addresses can be analyzed—but not accessed.
Read more: Mexico Leads Cyberattacks in the Financial Sector in Latin America
What Came to Light in the Leaked LockBit Chats?
The leak also included over 4,000 timestamped chat messages between LockBit operators and their victims. These conversations spanned from December 2024 to April 2025 and revealed how the group handled negotiations over time. All chats took place through LockBit’s affiliate panel and included discussions about pricing, file recovery, and payment methods.
Key Revelations from the Chats
- Ransom demands varied widely. Some victims faced demands of just a few thousand dollars, while others were quoted amounts exceeding $150,000, based on what LockBit believed they could afford.
- Bitcoin wallets and payments. Many conversations included Bitcoin addresses and transaction details, allowing for tracking of the funds’ movement.
- Negotiation was part of the process. Victims often tried to lower the demanded amount, and in some cases, LockBit agreed to discounts or even allowed payments in installments.
- They offered technical support. LockBit promised to provide decryptors and even instructions, particularly for Windows systems and ESXi servers.
- Desperate victims. Many messages showed victims’ fear, with some expressing concern about losing their jobs or pleading for compassion.
- Predefined responses. In several instances, LockBit used copy-pasted replies, suggesting they used templates or even automated responses to save time.
How Was LockBit Hacked?
It’s still unknown who was behind the attack, but there are clues pointing to a connection with another hack similar to the one suffered by the Everest ransomware group, where the same message was used to deface websites.
In 2024, a major police operation called Operation Cronos successfully took down LockBit’s infrastructure. Thirty-four servers were seized, which hosted their data leak site, backups, stolen victim information, cryptocurrency addresses, around 1,000 decryption keys, and even their affiliate panel.
Although LockBit managed to recover and resume operations after that blow, this latest leak represents another severe setback for a reputation that was already heavily tarnished.
It’s still too early to tell if this new hit will be the final one that takes them down, but it has undoubtedly left them reeling. It wouldn’t be the first ransomware gang to fall after such leaks—other groups like Conti, Black Basta, and Everest have faced similar situations.
