
LockBit ransomware gang was hacked again

Victim negotiations and internal data were exposed in a major breach


The notorious LockBit ransomware gang has fallen victim to a serious data breach that revealed sensitive information about its operations and internal infrastructure.

The breach of the group's dark web panels includes the leak of a MySQL database dump, which contains critical records of the gang's activities.

The admin panels now show a mocking message: “Don't do crime CRIME IS BAD xoxo from Prague”, accompanied by a link to download an archive entitled “Paneldb_dump.zip”.

The breach was first identified by the threat actor known as Rey, who discovered the link and the archive, which contains an SQL dump from LockBit's affiliate panel.

Analysis of the leaked MySQL database, carried out by BleepingComputer, revealed that the dump contains 20 tables, several of which offer rare insights into the inner workings of the LockBit operation:

  • “Btc_addresses” table: contains 59,975 unique Bitcoin addresses that are probably used for ransom payments and laundering transactions.
  • “Builds” table: lists individual ransomware builds created by affiliates. While public encryption keys are included, there are no private keys. Some rows name the targeted companies, adding another level of exposure.
  • “Builds_Configurations” table: outlines specific build settings, including instructions for skipping certain ESXi servers or encrypting certain files, which provides insight into the attackers' tactics.
  • “Chats” table: this may be the most damaging table. It contains 4,442 negotiation messages between LockBit operators and victims, spanning December 19, 2024 to April 29, 2025. These logs offer a raw look at how LockBit extorted victims over months.
  • “User” table: contains login information for 75 administrators and affiliates, with all passwords stored in plaintext, a serious security lapse.

The cybersecurity researcher Michael Gillespie highlighted some of the leaked passwords, including “Weekendlover69”, “Movingbricks69420” and “Lockbitproud231”.

In a Tox chat with Rey, LockBit's public representative, LockBitSupp, confirmed the authenticity of the breach but claimed that no private keys were leaked and no operational data had been lost permanently.

The defacement message used in the LockBit breach mirrors one used recently in an attack on the dark web site of Everest ransomware, which indicates a potential connection or a common perpetrator behind the two incidents.

While no group has claimed responsibility for the attack, the tone of the message suggests vigilantism or a rival actor targeting criminal operations.

Christiaan Beek, Senior Director of Threat Analytics at the security provider Rapid7, said: “Rapid7 reports that the systems of the LockBit ransomware group may have been hacked. While we are still waiting for official confirmation, the leaked information looks real and was also shared on Telegram.”

“In our analysis we found that the leaked data includes:

  • Private messages between LockBit and its victims
  • Bitcoin wallet addresses (which could help the law enforcement authorities)
  • Detailed information on victims such as company websites, estimated revenue and custom versions of the ransomware

“In view of the leaked chats, we can see how aggressive LockBit was during the ransom negotiations. In some cases, the victims were pressured to pay only a few thousand dollars. In other cases, the group demanded a lot more: $50,000, $60,000 or even $100,000.”

This breach adds to the setbacks that LockBit has faced in recent years. In 2024, Operation Cronos, a multinational law enforcement effort, took down a large part of LockBit's infrastructure.

The authorities seized 34 servers, cryptocurrency wallets, 1,000 decryption keys and the group's affiliate panel.

Since then, the group had managed to partially recover and resume activities, but this latest breach deals its credibility and security another critical blow.

Cybersecurity experts say that the breach could affect the wider ransomware ecosystem. Past leaks of internal data have affected groups such as Conti, Black Basta and Everest.
