
LockBit Ransomware Platform Breached Again, Ops Data Leaked

A breach of an administration panel used by the LockBit ransomware outfit resulted in the exposure of information that can be extremely valuable to law enforcement and the cybersecurity community.

The breach was discovered on May 7, when a domain linked to a LockBit administration panel was defaced to display the message "Don't do crime, crime is bad xoxo from Prague". The defaced page also linked to an archive file containing data taken from the compromised server.

The leaked data includes private messages exchanged between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, attack specifics, and malware and infrastructure details. 

Numerous cybersecurity specialists have examined the leaked data. The Bitcoin addresses could assist law enforcement, according to Christiaan Beek, senior director of threat analytics at Rapid7. 

In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, explained how the leaked data could benefit the cybersecurity community. According to Donovan, the leaked user data most likely belongs to ransomware affiliates or administrators. In the publicly available data, Searchlight Cyber found 76 user entries, including usernames and passwords.

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan noted.

He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.” 

Searchlight Cyber also found 208 chats between LockBit affiliates and victims. The messages, which span December 2024 to April 2025, could be "valuable for learning more about how LockBit's affiliates negotiate with their victims". Rapid7's Beek likewise noted that the leaked chats illustrate how actively LockBit affiliates engaged in ransom negotiations.

“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek stated. 

As for who is responsible for the LockBit hack, Searchlight Cyber's Donovan pointed out that the defacement message is identical to the message displayed last month on the compromised website of a different ransomware outfit, Everest. 

“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” Donovan added.

On May 8, a statement posted on LockBit's leak site acknowledged that an administration panel had been compromised but played down the impact, claiming that victims' decryptors and sensitive data were unaffected.

LockBitSupp, the mastermind behind the LockBit operation, identified by authorities as Russian national Dmitry Yuryevich Khoroshev, has stated that he is willing to pay for information on the identity of the attacker. 

Law enforcement authorities across the globe have been taking steps to disrupt LockBit, but even after the severe blow they dealt the operation last year, it remains active and continues to pose a threat to organisations.