Once feared across industries for its high-profile ransomware attacks, the LockBit gang now finds itself on the defensive. In an ironic twist, the cybercriminal group’s own infrastructure was infiltrated and publicly defaced, exposing sensitive data and shaking confidence in its operations. What follows is a rare glimpse into the vulnerabilities of those who once thrived on exploiting others.
A Message from Prague: LockBit’s Dark Web Panels Defaced
In a dramatic twist, the notorious LockBit ransomware group—once dubbed the “Walmart of ransomware” for its prolific cyber extortion operations—has fallen victim to a cyberattack.
On May 7, 2025, LockBit’s dark web affiliate panels were defaced with a bold message:
“Don’t do crime. CRIME IS BAD xoxo from Prague”
The defacement included a link to a leaked MySQL database dump, revealing the inner workings of the group’s infrastructure. The breach, first noticed by threat actor and researcher Rey, has sent shockwaves through the cybersecurity world.
The leaked SQL database, named paneldb_dump.zip, contains 20 tables exposing key information such as:
- 59,975 unique Bitcoin addresses used for ransom transactions
- 4,442 negotiation messages between LockBit and victims (Dec 2024 – Apr 2025)
- Custom ransomware builds and configurations
- List of 75 admins and affiliates, some with passwords stored in plaintext
This incident mirrors a previous attack on the Everest ransomware group in April 2025, which also featured the same Prague-signed message, suggesting a coordinated effort.
Inside the Leak: Unprecedented Insight into LockBit’s Operations
The leaked data offers an extraordinary window into LockBit’s secretive world. The negotiation messages, for example, detail conversations where LockBit demanded ransoms ranging from a few thousand dollars to over $100,000, often adjusting terms based on a victim’s financial capacity.
Key insights from the database include:
| Data Type | Highlights |
|---|---|
| Negotiation logs | 4,442 conversations with victims |
| Ransomware builds | Custom settings, encryption targets, OS exclusions |
| Admin/Affiliate info | 75 user records, many with weak or plaintext passwords |
| Cryptocurrency records | Nearly 60,000 unique Bitcoin addresses tracked |
Passwords in the affiliate list include comical or revealing entries like Weekendlover69 and MovingBricks69420, exposing a lack of operational discipline among LockBit’s inner circle.
Security analysts suggest that this treasure trove could provide leads for tracking payments, identifying affiliates, and ultimately dismantling parts of the ransomware infrastructure.
LockBit’s Response: Damage Control Amidst Embarrassment
In response to the breach, LockBit’s public face, “LockBitSupp,” acknowledged the hack in a private Tox chat but attempted to minimize its significance. According to them, no private keys or stolen victim files were exposed, only panel logs and affiliate data.
Nonetheless, the implications are damaging. The group, which had managed to regroup after a 2024 law enforcement takedown, is now facing another serious credibility challenge.
Key points from LockBit’s damage control efforts:
- Denied exposure of sensitive ransom decryption keys
- Admitted defacement and database leak
- Attempted to reassure affiliates that operations remain intact
The fact that some passwords were stored in plaintext and that their own servers were so easily compromised undermines the technical image LockBit has tried to project.
Implications: A Turning Point in the Fight Against Ransomware?
The public takedown of LockBit’s infrastructure could mark a significant shift in the cybercrime landscape. The exposure of internal workings—affiliates, negotiations, wallets—creates unprecedented opportunities for:
- Law enforcement investigations
- Cybersecurity research and blacklisting efforts
- Financial tracking of ransomware payments
- Psychological disruption among cybercriminals
The attackers’ sardonic message, “CRIME IS BAD,” may be simple—but its impact is profound. It signals not only a technical win but also a psychological operation meant to deter recruitment and shake confidence in criminal alliances.
As more details from the leak are analyzed, cybersecurity experts believe we may be entering a new phase in the war against ransomware—one where hackers begin to hunt other hackers and expose their darkest secrets.