LockBit, a notorious ransomware operation, suffered a significant data breach on Wednesday that exposed sensitive information about its operations. Reports indicate that the administration and affiliate panels of the group’s dark web platform were compromised and defaced with a message accompanied by a link to a MySQL database dump. The database is said to include 20 tables containing critical data on the cybercriminal group’s affiliate network, extortion methods, malware builds, and nearly 60,000 Bitcoin addresses. This incident marks the second breach for LockBit; the first occurred in 2024.
Details of the Hack Provide Insight into the Group’s Operations
The breach was initially discovered by X (formerly Twitter) user Rey, who shared a screenshot showcasing the admin panel takeover. All affected panels displayed a message stating, “Don’t do crime[.] CRIME IS BAD xoxo from Prague,” accompanied by the MySQL link “paneldb_dump.zip.”
A report from BleepingComputer confirms the existence of a large MySQL file containing detailed operational data. Among the 20 tables, several provide insight into the organization’s functioning and the malware it developed.
One table, named “btc_addresses,” is reported to hold approximately 59,975 unique Bitcoin addresses. Another table, labeled “builds,” contains the various malware builds created by the group’s affiliates, including specific versions used in attacks. Some entries in this table even reference the names of targeted companies, although the table lacks the private keys necessary to access the ransomware.
Additionally, the database includes a “builds_configurations” table that records the different configurations used for each malware build. A particularly noteworthy part of the dump is the “chats” table.
This table reportedly comprises 4,442 negotiation exchanges between LockBit operators and their victims, spanning from December 19, 2024, to April 29. These conversations shed light on the various extortion strategies employed by the group.
Moreover, a “users” table disclosed the names of 75 individuals identified as admins and affiliates, revealing usernames and plaintext passwords used for access to the panels.
In a subsequent post, Rey shared a communication with a LockBit operator known as “LockBitSupp,” who acknowledged the breach. The operator confirmed that the source code for the ransomware and private keys remained secure. The identity of the individual or group behind this hack is still unknown.