The LockBit ransomware group has itself fallen victim to a data breach after its affiliate panels on the dark web were hacked and defaced with a message containing a link to a MySQL database dump.
All of the group’s management pages now display the text: “Don’t commit crimes. Crimes are bad. Greetings from Prague.” The text is accompanied by a download link for a file named paneldb_dump.zip.
Threat actor Rey was the first to notice this. The zip file contains an SQL file with a dump of the affiliate panel’s MySQL database.
Sixty thousand unique Bitcoin addresses
According to an analysis by BleepingComputer, this database contains twenty tables. Some of these are particularly interesting. For example, there is a table with almost sixty thousand unique Bitcoin addresses. Another table lists the individual malware builds that affiliates created for attacks. In some cases, the names of targets are also mentioned. The configurations for these builds are also stored, such as which ESXi servers had to be skipped or which files had to be encrypted.
One notable table contains 4,442 messages from negotiations between LockBit and their victims, sent between December 19 and April 29. A user list also contains 75 administrators and affiliates who had access to the panel. Security expert Michael Gillespie discovered that the passwords were stored in plain text. Some examples are Weekendlover69, MovingBricks69420, and Lockbitproud231.
In a conversation with Rey via Tox, LockBit operator LockBitSupp confirmed that the leak is real. According to him, no private keys or data were lost. Based on the time the MySQL file was created and the last negotiation message in the database, the dump appears to have been made on April 29, 2025.
Connection to Everest ransomware group
It is still unknown who carried out the attack or exactly how. However, the message on the hacked page matches that of a recent attack on the dark web site of the Everest ransomware group, which could indicate a connection. The SQL dump also shows that the server was running PHP 8.1.2. That version contains a critical security vulnerability (CVE-2024-4577) that is actively being exploited to remotely execute code on servers.
In 2024, LockBit was already hit hard by Operation Cronos, an international police operation that seized 34 servers, stolen data, crypto addresses, a thousand decryption keys, and the affiliate panel. Although LockBit managed to recover and become active again, this new incident is another serious blow to the group’s already damaged reputation.
It is still too early to say whether this spells the end for LockBit, but the damage is mounting. Other ransomware groups that have previously experienced similar data breaches include Conti, Black Basta, and Everest.