LockBit Hacked: What Does the Leaked Data Show?
The dark web affiliate panel of the notorious LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, exposing a link to a MySQL database dump that supposedly contains leaked data related to the group's operations. The breach was confirmed by LockBitSupp, the creator, developer, and administrator of the LockBit ransomware group, who downplayed the attack by stating that decryptors, stolen company data, and the ransomware source code have not been compromised.
The dump of the backend MySQL database was apparently generated on April 29, 2025, and contains a treasure trove of information about the group's operations. According to cybersecurity experts, the leaked data will be invaluable for investigators seeking to understand the inner workings of the LockBit RaaS group.
A Glimpse into the Group's Operations
Early analysis of the data has revealed that it contains 'user data' for the LockBit site, which is likely related to affiliates or administrators of the group. Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, stated that 76 users have been identified in the data, whose usernames and passwords are contained in the leak.
"This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate," Donovan noted. "For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community." These TOX IDs have allowed investigators to link three of the leaked users to aliases on hacking forums that use the same TOX IDs.
Insights into Ransom Negotiations
Christiaan Beek, Senior Director of Threat Analytics at Rapid7, noted that the negotiation messages show how aggressive LockBit is during ransom negotiations. It is unknown how many of the demanded ransoms were paid, but the messages offer a look at how LockBit's affiliates negotiate with victims and show that the affiliates attack organizations big and small.
"In some cases, victims were pressured to pay just a few thousand dollars," Beek pointed out. "In others, the group demanded much more: $50,000, $60,000, or even $100,000." These revelations provide valuable insights into the tactics employed by LockBit's affiliates during ransom negotiations.
A Look Back at the Group's Past Challenges
The LockBit operation has faced significant challenges in recent times. In 2024, an international law enforcement operation ("Operation Cronos") took over its dark web leak site and additional infrastructure, leading to the arrest and/or indictment of several LockBit affiliates in Poland, Ukraine, and Russia, as well as the freezing of over 200 cryptocurrency accounts linked to the group.
A few months later, the alleged identity of LockBitSupp was revealed, and a few months after that, an individual was indicted for allegedly developing software for the ransomware group. Despite these setbacks, the LockBit outfit has managed to continue operations and recruit new affiliates.
What's Next for the LockBit Group?
Time will tell whether this latest blow will result in the threat actors ditching the LockBit brand and setting up a new criminal outfit. The leaked data from the hacked affiliate panel may provide the necessary momentum for law enforcement agencies to finally bring the group to its knees.
In the meantime, cybersecurity experts are already analyzing the leaked data, using it to gain valuable insights into the inner workings of the LockBit RaaS group. As the investigation continues, one thing is clear: the LockBit group's operations will be subject to intense scrutiny in the coming days and weeks.