Intruders infiltrated the infrastructure of the LockBit ransomware group, unveiling a database containing 59,975 Bitcoin addresses, 4,442 negotiation sessions with victims, and attack configurations, according to Bleeping Computer.
A message appeared on the group’s shadowy forums:
“Do not commit crimes. CRIME IS BAD xoxo from Prague.”
According to a researcher known as Rey, the leak includes:
- tables with Bitcoin wallets (likely of affiliates and infrastructure);
- attack configurations, including lists of servers and files for encryption;
- logs of ransom demand chats;
- data of 75 administrators and partners with passwords stored in plain text.
Response From LockBitSupp (This is a translated image): pic.twitter.com/l54g1A5hXz
— Rey (@ReyXBF) May 7, 2025
LockBit administrator and developer Dmitry Khoroshev, known as LockBitSupp, confirmed the breach to Rey but stated that the wallets’ private keys were not compromised.
Bleeping Computer’s analysis indicated that the leak occurred on April 29. The group’s servers were running a vulnerable version of PHP 8.1.2, which likely facilitated the successful attack. The signature of the intruders matches that of the April hack of the darknet site Everest, suggesting a possible connection between the incidents, the publication noted.
Back in February 2024, the NCA partially seized the infrastructure of the LockBit ransomware and arrested 200 cryptocurrency wallets linked to the group.