Data that could be extremely valuable to law enforcement and the cybersecurity community was leaked after someone hacked into an administration panel used by the LockBit ransomware operation.
The hack came to light on May 7, when a website associated with a LockBit administration panel was defaced to display a message that read “Don’t do crime, crime is dangerous xoxo from Prague”. The defaced page also included a link to an archive file containing information taken from the compromised server.
The leaked data includes private messages between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, details about attacks, and information on malware and infrastructure.
Several cybersecurity experts have analyzed the leaked data. Christiaan Beek, senior director of threat analytics at Rapid7, noted that the Bitcoin addresses could be useful to law enforcement.
In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, explained how the leaked data could be valuable for the cybersecurity community.
The expert said the user data included in the leak likely pertains to affiliates or administrators of the ransomware operation. Searchlight Cyber has identified 76 records, including usernames and passwords, in the published data.
“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within these 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan said.
He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.”
Searchlight Cyber has identified 208 conversations between LockBit affiliates and victims. The messages, which range between December 2024 and April 2025, could be “valuable for learning more about how LockBit’s affiliates negotiate with their victims”.
Indeed, Rapid7’s Beek pointed out that the leaked chats show how aggressive LockBit affiliates were during ransom negotiations.
“In some cases, victims were pressured to pay only a few thousand dollars. In others, the group demanded far more: $50,000, $60,000, and even $100,000,” Beek said.
As for who is behind the LockBit hack, Searchlight Cyber’s Donovan pointed out that the defacement message is the same as the message displayed last month on the hacked website of a different ransomware group, Everest.
“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” the expert said.
A statement posted on LockBit’s leak website on May 8 confirmed the compromise of an administration panel, but downplayed the impact, saying that decryptors or sensitive data from victims were not impacted.
LockBitSupp, the mastermind behind the LockBit operation, who authorities say is Russian national Dmitry Yuryevich Khoroshev, said he is willing to pay for information on the identity of the individual who carried out the attack.
Law enforcement agencies worldwide have been taking action to disrupt LockBit, but despite delivering a significant blow last year, the cybercrime operation is still active and continues to pose a threat to organizations.