Hack Exposes Nearly 60,000 Bitcoin Addresses Linked to LockBit Ransomware Group

A major breach has rocked the infamous LockBit ransomware gang, exposing nearly 60,000 Bitcoin addresses after hackers defaced its dark web affiliate panels and leaked a trove of internal data online.

The cyberattack, discovered on May 7, 2025, targeted LockBit’s dark web infrastructure, defacing affiliate admin panels and leaking a large internal records database.

So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM

The attackers left behind a message—“Don’t do crime CRIME IS BAD xoxo from Prague”—along with a downloadable MySQL database dump titled paneldb_dump.zip.

Initially flagged by threat actor Rey, the breach was swiftly analysed by cybersecurity experts, who uncovered a wealth of information about LockBit’s operations.

According to Bleeping Computer report, the leaked data includes a massive collection of ransomware infrastructure details. Most notably, it exposes 59,975 unique Bitcoin addresses linked to LockBit.

These addresses are believed to be associated with ransom payments, each typically assigned to individual victims as part of LockBit’s efforts to compartmentalise and obscure the flow of illicit funds.

However, LockBit’s operator, “LockBitSupp” confirmed the breach but insisted that no private keys or additional sensitive data were lost.

Additional data reveals records of detailed logs of ransomware builds created by LockBit affiliates. These records not only document the technical configurations used in various attacks but also include extensive chat logs, over 4,400 negotiation messages between LockBit operators and their victims.

Also among the compromised data were user credentials, including 75 admins and affiliates with access to the affiliate panel, with passwords stored in plaintext.

The exact method used to breach LockBit’s infrastructure remains uncertain. However, Bleeping Computer suggests similarities to a recent hack of the Everest ransomware group, raising suspicions of a common attacker or tactic.

The report noted that the server was running PHP 8.1.2, which is known to be vulnerable to CVE-2024-4577, a critical exploit that could have enabled remote code execution.

The fallout from the breach is likely to be far-reaching. For law enforcement agencies and blockchain forensic teams, the leaked Bitcoin addresses and data offer a new opportunity to trace ransomware payments and potentially identify individuals connected to LockBit.

The breach also delivers a severe reputational blow to LockBit, which has already been weakened by Operation Cronos. The coordinated crackdown led by the U.S. Department of Justice, Europol, and law enforcement agencies worldwide in early 2024 temporarily dismantled its infrastructure.

The operation has already resulted in the freezing of over 200 cryptocurrency accounts linked to LockBit’s ransomware activities.

Authorities have arrested two LockBit actors in Poland and Ukraine, while two affiliates were apprehended and charged in the U.S. The U.S. Treasury’s OFAC also blacklisted ten Bitcoin and Ether addresses tied to the group, with some linked to deposits on exchanges like KuCoin, Binance, and Coinspaid. These sanctions now prohibit U.S. entities from transacting with the individuals or wallets involved.

Key infrastructure used by LockBit, including its websites and ransom negotiation panels, was seized in early 2024. More than 1,000 decryption keys were recovered and are being distributed to victims to help them regain access to encrypted data without paying ransoms.

A major developer behind LockBit’s tools, Rostislav Panev, was arrested in Israel and awaits extradition to the U.S. Panev allegedly built malware and other software for the group and received over $230,000 in crypto. His defence claims he was unaware of how the tools were used, but authorities say he played a central role in enabling the group’s operations.

LockBit, active since 2019, has attacked more than 2,500 victims in 120 countries and reportedly extorted over $120 million globally.

The post Hack Exposes Nearly 60,000 Bitcoin Addresses Linked to LockBit Ransomware Group appeared first on Cryptonews.