'Don't do crime, crime is bad' — Hack on ransomware gang LockBit exposes 59,975 Bitcoin addresses and thousands of victim negotiations: report


The Block, 2025/05/07 16:00
By James Hunt

Quick Take: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a leaked database dump. Bitcoin addresses, public keys, and victim negotiation messages were exposed, alongside other data — but no private keys.


Ransomware gang LockBit has been on the receiving end of a data leak of its own, exposing 59,975 Bitcoin addresses, public keys, and 4,442 negotiation messages with victims following a recent hack.

LockBit is a notorious cybercriminal group that runs a Ransomware-as-a-Service operation, developing tools and infrastructure for affiliates who carry out attacks. Like most ransomware groups, it demands payment in cryptocurrencies — typically Bitcoin (BTC) or Monero (XMR) — with victims instructed to send funds to designated wallet addresses to receive decryption keys or avoid data leaks. Affiliates often launder the proceeds using mixers, cross-chain swaps, or privacy coins, attempting to evade detection.

LockBit's dark web affiliate panels were defaced and replaced with a message linking to a database dump, which stated, "Don't do crime CRIME IS BAD xoxo from Prague," cybersecurity publication Bleeping Computer reported.

BleepingComputer's analysis of the leaked LockBit database, which was first noted by the threat actor Rey, found 20 tables, some containing revealing details. One table lists nearly 60,000 Bitcoin addresses, likely a mix of addresses used by the gang's affiliates and infrastructure, while another shows ransomware builds linked to specific targets. There are also configuration details for attacks, such as which servers to skip or files to encrypt. A chat log includes over 4,400 messages between the ransomware operation and victims, and a user table names 75 admins and affiliates — with passwords stored in plain text, including examples like "Weekendlover69" and "Lockbitproud231."

No private keys were leaked

A LockBit operator known as "LockBitSupp" confirmed the breach to Rey, stating that no private keys were leaked.

According to Bleeping Computer, the database appears to have been dumped around April 29, based on the MySQL timestamp and the latest chat record. While it's unclear who carried out the breach or how, the defacement message matches one used in a recent attack on Everest ransomware's dark web site, suggesting a possible link. The server was also running PHP 8.1.2, which is vulnerable to CVE-2024-4577 — a critical flaw that can allow remote code execution, the outlet said.

In February 2024, Operation Cronos — an international law enforcement effort — dismantled LockBit's infrastructure, seizing 34 servers, stolen data, cryptocurrency addresses, 1,000 decryption keys, and its affiliate panel. Although LockBit later rebuilt and resumed operations, the group suffered another major setback in May last year, when U.S. authorities unmasked and indicted its ringleader, Dmitry Khoroshev, on 26 criminal counts. Alleged to have earned $100 million from ransom payments, Khoroshev faces sanctions, asset freezes, and a $10 million U.S. bounty for his arrest.

