LockBit Ransomware Gang Hacked: Database Leak Exposes Inner Workings and Affiliates


A Critical Blow to the Notorious Cybercrime Gang

In a stunning development that sent shockwaves through the cybercrime world, the LockBit ransomware gang has suffered a serious data breach. Its dark web affiliate panels were hijacked and replaced with an unexpected, mocking message: “Don’t do crime. CRIME IS BAD xoxo from Prague.” But this wasn’t just digital graffiti. The attackers went further by linking to a full SQL dump of LockBit’s operational backend, exposing tens of thousands of Bitcoin addresses, affiliate build configurations, victim negotiation chats, and plaintext admin and affiliate passwords.

This incident follows a string of recent cyber disruptions targeting major ransomware groups, and it echoes previous breaches that exposed other gangs like Conti, Everest, and Black Basta. While LockBit had managed to bounce back after a 2024 takedown by law enforcement (Operation Cronos), this new leak threatens to unravel its operations once again—possibly for good.

Key Takeaways from the LockBit Panel Hack

Dark Web Defaced: LockBit’s affiliate panels were defaced with a message condemning cybercrime and a link to a MySQL database dump.

Database Breakdown:
btc_addresses: 59,975 unique Bitcoin wallet addresses used for transactions.
builds: Ransomware payloads built by affiliates, including the names of targeted companies.
builds_configurations: Encryption settings and attack preferences for each build.
chats: 4,442 negotiation messages with victims between December 19, 2024 and April 29, 2025.
users: 75 admins and affiliates, with many passwords stored in plaintext.
Plaintext Passwords Revealed: Notable passwords included phrases like ‘Weekendlover69’ and ‘Lockbitproud231’.
Confirmed Breach: LockBit operator ‘LockBitSupp’ confirmed the hack but claimed no private keys or critical data were lost.
Database Timeframe: The SQL dump appears to have been generated on April 29, 2025.
Exploitation Vector: The server was running PHP 8.1.2, a version affected by CVE-2024-4577, an argument-injection flaw in PHP-CGI on Windows that allows remote code execution. This is the suspected entry point, not a confirmed one.
Suspected Culprits: The defacement message matches the one used in the recent breach of Everest ransomware’s site, hinting at a common actor.
LockBit’s Troubled Year: After the major 2024 takedown, this incident further weakens the gang’s credibility and security posture.
Law Enforcement Success: Operation Cronos in February 2024 seized 34 servers, 1,000 decryption keys, and stolen data, severely damaging LockBit’s infrastructure.
Ripple Effect: Other ransomware groups have faced similar leaks, suggesting a broader vulnerability or coordinated action against cybercrime syndicates.

What Undercode Says:

The breach of LockBit’s affiliate panel is more than just a symbolic takedown—it represents a critical breach in operational security that may have long-lasting implications for the ransomware industry as a whole. For years, LockBit has operated with a chilling efficiency, relying on a streamlined affiliate model that allowed global cybercriminals to deploy custom ransomware builds while maintaining centralized control. Now, that central control has been exposed.

The leaked database isn’t just a trophy for cybersecurity researchers—it’s a treasure trove of actionable intelligence. Each table paints a detailed picture of how LockBit operated behind the scenes. The build logs indicate targets, the configurations show tactical decisions (like skipping ESXi servers), and the negotiation chat logs provide insight into the emotional and strategic tone used in extortion attempts.

Perhaps most damaging is the exposure of the affiliate identities and plaintext passwords. Not only does this enable tracking by law enforcement, but it also erodes trust within the LockBit affiliate network. Cybercriminals thrive on anonymity and operational security—this leak shatters both.

Interestingly, the possible exploitation of CVE-2024-4577 highlights yet again the importance of timely patching, even in criminal infrastructure. PHP 8.1.2 dates from January 2022, long before the 8.1.29 release that fixed this bug; the flaw itself is an argument-injection issue in PHP-CGI on Windows, so whether it was actually the entry point depends on how the panel was hosted, which has not been confirmed. Either way, running a PHP build more than two years behind on security fixes exposed LockBit to a now-public vulnerability that could easily have been avoided. The use of phpMyAdmin for backend access also signals a surprising lack of caution in the security setup.
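Because the suspected vector is PHP-CGI argument injection, the following added detection example (written for this page; it is not code from BleepingComputer, LockBit, or any researcher) scans Apache combined-format access log lines for the two request shapes involved: the original CVE-2012-1823 form, where a query string beginning with `-d` or `-s` reaches php-cgi as a command-line option, and the CVE-2024-4577 form, where a percent-encoded soft hyphen (`%AD`) is mapped to `-` by Windows “Best Fit” code-page conversion and so slips past the old fix. The log lines are constructed, the IPs are documentation addresses, and the paths are assumptions.

```python
"""Flag PHP-CGI argument-injection attempts in Apache combined-format access logs.

Covers the CVE-2012-1823 shape ("?-d ...", "?-s") and the CVE-2024-4577 shape
("?%ADd ..."), where byte 0xAD (soft hyphen) becomes '-' under Windows Best-Fit mapping.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines (documentation IPs, assumed paths); not from a real server.
SAMPLE_LOG = r'''
203.0.113.5 - - [07/May/2025:10:01:22 +0000] "GET /index.php?page=builds HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/May/2025:10:02:07 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.4 - - [07/May/2025:10:03:44 +0000] "GET /index.php?-s HTTP/1.1" 200 9000 "-" "python-requests/2.31"
203.0.113.5 - - [07/May/2025:10:04:10 +0000] "GET /phpmyadmin/index.php?route=/sql&db=panel HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# An option flag at the start of the query string or right after a CGI space.
SOFT_HYPHEN_FLAG = re.compile(rb'(?:^|\s)\xad[a-z]', re.IGNORECASE)   # CVE-2024-4577 shape
PLAIN_HYPHEN_FLAG = re.compile(rb'(?:^|\s)-[a-z]', re.IGNORECASE)     # CVE-2012-1823 shape
# ini directives that turn an injected "-d" into execution of the POST body.
RCE_DIRECTIVES = (b'allow_url_include', b'auto_prepend_file', b'disable_functions')


def analyse_target(target: str) -> list[str]:
    """Return the reasons (possibly none) a request target looks like argument injection."""
    if '?' not in target:
        return []
    query = target.split('?', 1)[1]
    # Decode to bytes, not str, so the raw 0xAD byte is preserved; '+' is a CGI space.
    decoded = unquote_to_bytes(query).replace(b'+', b' ')
    reasons = []
    if SOFT_HYPHEN_FLAG.search(decoded):
        reasons.append('soft-hyphen option flag (CVE-2024-4577 pattern)')
    if PLAIN_HYPHEN_FLAG.search(decoded):
        reasons.append('literal option flag (CVE-2012-1823 pattern)')
    hits = [d.decode() for d in RCE_DIRECTIVES if d in decoded.lower()]
    if hits:
        reasons.append('php.ini override via -d: ' + ', '.join(hits))
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect the suspicious requests with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_target(m['target'])
        if reasons:
            findings.append({'ip': m['ip'], 'when': m['ts'], 'target': m['target'],
                             'status': int(m['status']), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['when']} {f['target']} -> {'; '.join(f['reasons'])}")
```

The pattern fires on the request shape regardless of the server’s platform, which is what you want for hunting; triage by operating system and PHP SAPI afterwards, since a Linux host (as a Tor-hosted panel usually is) is not exploitable through CVE-2024-4577 even when the same payload shows up in its logs.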

Another key angle to consider is the messaging. The defacement mirrored that seen in a breach against Everest ransomware, suggesting that this may not be the work of law enforcement but possibly a rival group or vigilante hackers targeting ransomware gangs. The “xoxo from Prague” message hints at either playful mockery or geopolitical signaling—both of which have precedent in the cybercrime underworld.

Moreover, we’re witnessing a potential shift in the ransomware economy. This breach could destabilize affiliate recruitment for LockBit, create internal paranoia, and ultimately push lower-tier affiliates to seek more stable or secure platforms—or to exit the scene entirely. Similar collapses occurred with Conti after their internal chats and codebase were leaked.

For defenders and cybersecurity professionals, this breach is an opportunity. Studying the MySQL dump can offer deeper insights into ransomware deployment patterns, extortion strategies, and the general anatomy of a criminal operation. This can fuel new detection methods, strengthen threat intelligence platforms, and help organizations proactively defend against future ransomware attacks.
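As an added example for the dump-analysis workflow described above (and for the plaintext-password point raised earlier), this Python snippet, written for this page rather than taken from any researcher’s tooling, parses the INSERT statements of a mysqldump-style file into rows, flags password values that are not recognisable hashes, and de-duplicates a wallet-address column. The dump fragment is constructed with made-up values; the table names follow the article, but the column positions (login in column 1, password in column 2, address in column 1) are assumptions about a schema the page does not give.

```python
"""Parse mysqldump-style INSERT statements and triage the credential and wallet tables."""
import re

# Constructed fragment in mysqldump style with made-up values; NOT the leaked file.
# Column order (id, login, password, role) and (id, address) is an assumed schema.
DUMP = r'''
-- MySQL dump (constructed sample)
INSERT INTO `users` VALUES (1,'admin_a','xoxo-from-nowhere','admin'),(2,'aff_b','$2y$10$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ','affiliate'),(3,'aff_c','panel123','affiliate');
INSERT INTO `btc_addresses` VALUES (1,'bc1qexampleaddressone'),(2,'bc1qexampleaddresstwo'),(3,'bc1qexampleaddressone');
INSERT INTO `chats` VALUES (1,'2025-04-29 10:15:00','victim','We can\'t pay 50k, here''s our offer');
'''

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*", re.IGNORECASE)
HASH_PREFIXES = ('$2a$', '$2b$', '$2y$', '$argon2', '$1$', '$5$', '$6$', '$pbkdf2', '$scrypt$')
HEX_DIGEST_LENGTHS = {32, 40, 64, 128}   # unsalted md5 / sha1 / sha256 / sha512 hex
ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '0': '\0'}


def parse_values(text: str) -> list[tuple]:
    """Split the `(...),(...)` tail of an INSERT into tuples, honouring quotes and escapes."""
    rows, cur, buf = [], [], []
    in_str, i, n = False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            if c == '\\' and i + 1 < n:                          # backslash escape (\' \\ \n)
                buf.append(ESCAPES.get(text[i + 1], text[i + 1])); i += 2; continue
            if c == "'" and i + 1 < n and text[i + 1] == "'":    # SQL doubled quote
                buf.append("'"); i += 2; continue
            if c == "'":                                          # closing quote
                in_str = False; cur.append(''.join(buf)); buf = []
            else:
                buf.append(c)
        elif c == "'":
            in_str = True
        elif c == '(':
            cur = []
        elif c == ')':
            rows.append(tuple(cur))
        elif c == ';':
            break
        elif c == ',' or c.isspace():
            pass                                                  # separators
        else:                                                     # unquoted token: number or NULL
            j = i
            while j < n and text[j] not in ',)':
                j += 1
            tok = text[i:j].strip()
            cur.append(None if tok.upper() == 'NULL' else int(tok) if tok.lstrip('-').isdigit() else tok)
            i = j; continue
        i += 1
    return rows


def parse_dump(text: str) -> dict[str, list[tuple]]:
    """Map table name -> rows for every INSERT statement in the dump."""
    tables: dict[str, list[tuple]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = INSERT_RE.match(line)
        if m:
            tables.setdefault(m.group(1), []).extend(parse_values(line[m.end():]))
    return tables


def looks_hashed(value) -> bool:
    """Heuristic: modular-crypt prefixes or a bare hex digest; anything else is plaintext."""
    if not isinstance(value, str):
        return False
    if value.startswith(HASH_PREFIXES):
        return True
    return len(value) in HEX_DIGEST_LENGTHS and all(ch in '0123456789abcdefABCDEF' for ch in value)


def plaintext_credentials(users: list[tuple], login_col: int = 1, password_col: int = 2) -> list[tuple]:
    """Return (login, password) pairs whose stored password is not a recognisable hash."""
    return [(r[login_col], r[password_col]) for r in users if not looks_hashed(r[password_col])]


def unique_column(rows: list[tuple], col: int = 1) -> set:
    """De-duplicate one column, e.g. wallet addresses reused across victims."""
    return {r[col] for r in rows}


if __name__ == '__main__':
    tables = parse_dump(DUMP)
    print({name: len(rows) for name, rows in tables.items()})
    print('plaintext credentials:', plaintext_credentials(tables['users']))
    print('unique btc addresses:', len(unique_column(tables['btc_addresses'])))
```

The parser is deliberately character-driven rather than a regex split on commas, because negotiation messages contain commas and escaped quotes; the hash heuristic only tells you what is obviously not hashed, so a bare hex digest is still worth cracking offline before concluding that a table was stored safely.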

Finally, LockBit’s public admission of the breach (via LockBitSupp) without acknowledging major data loss may be an effort to control the narrative and calm affiliates. But in the cybercrime world, reputation is currency—and LockBit’s just got devalued.

Fact Checker Results:

Confirmed Breach: Verified by

Database Content: Analyzed and reported by BleepingComputer with detailed table descriptions.
Exploit Vector: CVE-2024-4577 is a documented argument-injection vulnerability in PHP-CGI on Windows, fixed in PHP 8.1.29, 8.2.20 and 8.3.8; PHP 8.1.2, the version on the breached server, falls within the affected range, but its use in this breach is inferred from the version, not confirmed.

Prediction:

Given the scale and nature of this breach,

References:

Reported By: www.bleepingcomputer.com