LockBit Security Incident

Fraud Management & Cybercrime , Ransomware Hacker Leaks Stolen LockBit Ransomware Operation Database Exposes Details of Victims, 'Aggressive' Negotiations, Cryptocurrency Addresses Mathew J. Schwartz ( euroinfosec ) May 8, 2025 Credit Eligible Get Permission LockBit data leak sites displayed this message on May 8, 2025. One year to the day after an international law enforcement operation unmasked and indicted the leader of the notorious LockBit ransomware group, a hacker has sent the group another love letter. See Also: On Demand | Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Defense Strategy On Wednesday, an unknown hacker defaced LockBit's data leak sites, redirecting them to a page with the following message: "Don't do crime CRIME IS BAD xoxo from Prague." That message is the same as the one used to deface the long-running Everest ransomware group's data leak site at the beginning of April, leading to that long-running group taking the site offline. In this case, the message is followed by a download link for a 7.5 megabyte compressed paneldb_dump.zip file comprising a SQL database stolen from LockBit that contains data timestamped from December 2024 through April 29. "While official confirmation is still pending, the data appears legitimate and highly revealing," Alon Gal said, co-founder and CTO at Hudson Rock. Cybersecurity researcher Milivoj Raji, head of threat intelligence at DynaRisk, told Information Security Media Group that he's in the time-consuming process of scanning the 59,975 Bitcoin wallet addresses included in the dump. "We clearly see that there is money in some addresses," he said, finding $100,000 in Bitcoin, after so far scanning only a fraction of those addresses. Gal said those cryptocurrency wallet addresses could be a "goldmine for law enforcement to trace payments" and by following the money, to unmask affiliates. The dump also includes "detailed...

... (truncated for display)