The compromise was discovered on May 7, when a domain linked to LockBit’s admin panel was defaced with a message reading: “Don’t do crime, crime is bad xoxo from Prague.” The defacement also included a link to an archive containing data exfiltrated from the server.
The leaked archive exposes internal data, including private communications between LockBit affiliates and their victims, Bitcoin wallet addresses, affiliate login credentials, attack records, malware-related information, and the group’s infrastructure details.
Cybersecurity experts who reviewed the leaked data believe it offers significant insight into LockBit’s operations. Christiaan Beek, Senior Director of Threat Analytics at Rapid7, highlighted that the exposed Bitcoin wallet addresses could aid law enforcement in tracing ransom payments.
Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, emphasized the value of the leaked user data, primarily usernames and passwords tied to LockBit affiliates or administrators. Searchlight identified 76 user records, 22 of which contained IDs for TOX, a messaging platform popular among cybercriminals.
“These TOX IDs allowed us to link three users to aliases on known hacking forums,” Donovan said. “By analyzing their activity on these forums, we can better understand their methods, including what types of access they typically purchase to infiltrate organizations.”
The archive includes 208 conversations between LockBit affiliates and their victims, from December 2024 to April 2025. Donovan noted that these discussions could illuminate the group’s negotiation tactics. According to Beek, the chats show that LockBit affiliates often pressured victims aggressively, demanding ransoms ranging from a few thousand dollars to over $100,000.
Speculation has arisen about who was behind the breach. Donovan noted the Prague-themed defacement message mirrors one that appeared last month on a website belonging to another ransomware group, Everest, suggesting a possible link or infighting within the cybercriminal ecosystem.
On May 8, LockBit acknowledged the compromise via a post on its leak site, confirming that an admin panel was breached. However, the group attempted to downplay the severity, claiming no decryptors or sensitive victim data were exposed.
The group’s leader, known by the alias LockBitSupp and identified by authorities as Russian national Dmitry Yuryevich Khoroshev, has offered a reward for information about the hacker responsible for the breach.
Despite previous law enforcement crackdowns that severely disrupted LockBit’s infrastructure, the ransomware operation remains active and continues to pose a significant threat to organizations worldwide.