LockBit Ransomware Breach Uncovered: Insider Insights Revealed – Infosecurity Magazine

LockBit, one of the most notorious and prolific cybercrime groups, has recently been compromised, resulting in a significant breach of insider information that has been acquired by law enforcement and cybersecurity experts.

On May 7, a cyber threat actor identified as “Rey” discovered a defacement of LockBit’s dark web affiliate panels, which included a message along with a link to a leaked SQL database. The message ominously stated, “Don’t do crime. CRIME IS BAD xoxo from Prague.”

This link directed users to an SQL file that provided insights into LockBit’s ransomware operations, revealing critical information such as:

– Internal communications between LockBit and its victims.
– Detailed victim profiles, including domains and estimated revenue.
– Custom ransomware builds.
– Bitcoin addresses associated with LockBit’s operations.
– References to encryption configurations and potential decryption keys.
– A list of 75 individuals who had administrative access to the affiliate panel.

Sources indicate that this data encompasses the group’s activities from December 2024 to the end of April 2025.

In a conversation supposedly held over Tox, LockBitSupp, the main administrator of LockBit, whose identity is believed to be Dmitry Yuryevich Khoroshev, confirmed the hack. However, he asserted that neither the source code of LockBit nor any decryption tools were compromised during the breach and that no stolen company data was damaged.

LockBit Leak: A Valuable Asset for Cyber Defenders

The cyber threat intelligence community has swiftly responded to the breach, with security research collective Vx-underground confirming the validity of the data dump. Alon Gal, CTO of Hudson Rock, corroborated the authenticity of the exposed data, which has since led to the development of LockbitGPT—a ChatGPT-based assistant designed to assist researchers in navigating through the extensive data.

Valery Riess-Marchive, a French cybersecurity journalist and the maintainer of Ransomch.at—a repository focusing on ransomware negotiation chats—has begun the process of anonymizing victim data from the LockBit chat dump to incorporate it into his resource. He remarked that the clustering of this information would prove beneficial for analyzing negotiation patterns.

The data leak from LockBit could be transformative for cybersecurity defense strategies. The insights gained from this breach are expected to:

– Illuminate LockBit’s current operational activity.
– Enable security researchers to trace the campaigns of LockBit and its affiliates.
– Assist researchers in refining previous assessments of attack timelines using the build dates recorded in the data.
– Help law enforcement agencies trace Bitcoin wallets and establish attribution.
– Provide victims with increased visibility regarding their breach or potential future incidents.

This significant data leak follows a historic crackdown on LockBit, which was targeted by a global law enforcement operation in 2024—a move that greatly hampered the group’s operational capabilities.