
LockBit Hack Exposes Sensitive Data

Highly valuable intelligence for law enforcement and cybersecurity professionals has surfaced after a hacker breached an administration panel linked to the LockBit ransomware group. 

The breach became public on May 7, when a domain connected to the LockBit admin panel was defaced. The homepage displayed a message that read, “Don’t do crime, crime is bad xoxo from Prague,” along with a link to an archive containing data extracted from the compromised server. 

The exposed data includes sensitive information such as private messages between LockBit affiliates and their victims, Bitcoin wallet addresses, affiliate account details, attack logs, and data on malware and infrastructure. 

Cybersecurity experts have begun analyzing the leaked materials. Christiaan Beek, senior director of threat analytics at Rapid7, noted that the listed Bitcoin wallet addresses could assist law enforcement in tracking financial transactions tied to the group. 

Luke Donovan, head of threat intelligence at Searchlight Cyber, highlighted the value of the leaked data for cybersecurity research. According to Donovan, much of the leaked user data appears to belong to affiliates or administrators of the LockBit operation. Searchlight Cyber identified 76 user records, including usernames and passwords. 

“This user data will be crucial for researchers trying to better understand how LockBit operates. Among the 76 users, 22 are linked to TOX IDs, a secure messaging service favored in the hacking community,” Donovan explained. 

He further noted that three of those TOX IDs matched aliases found on hacking forums. This connection allows analysts to study the forum conversations and gain insights into the affiliates' methods, including the types of access they purchase to infiltrate organizations. 

The leak also contains 208 conversations between LockBit affiliates and their victims, dating from December 2024 to April 2025. These interactions reveal how negotiations unfolded and how affiliates applied pressure to extract ransom payments. 

Beek from Rapid7 observed that the tone in many of the conversations was highly aggressive. Some victims were pushed to pay as little as a few thousand dollars, while others were asked for sums as high as $50,000 to $100,000. 

Speculation about the identity of the attacker has emerged after experts noted that the defacement message used in the LockBit hack was identical to one left on the website of another ransomware group, Everest, just a month prior. Donovan suggested that the same individual or group might be behind both attacks, potentially pointing to internal conflict within the cybercriminal ecosystem. 

LockBit acknowledged the breach on May 8 via its leak website. The statement confirmed that an admin panel had been compromised but claimed that no victim data or decryption tools were affected. 

LockBitSupp, the figure behind LockBit and believed by authorities to be Russian national Dmitry Yuryevich Khoroshev, has offered a reward for information about the individual responsible for the intrusion. 

Despite international law enforcement efforts that delivered a significant blow to LockBit last year, the group remains operational and continues to threaten organizations around the world. 
