
LockBit, a ransomware group known for numerous cyberattacks, has suffered a data breach following the defacement of its dark web affiliate panels. These panels now display a message stating, “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to download a file named “paneldb_dump.zip.” The incident was first spotted by the threat actor Rey, BleepingComputer reported.
The archive contains a SQL file extracted from the affiliate panel’s MySQL database, according to the BleepingComputer report. The database includes 20 tables, among which some are particularly noteworthy. The ‘btcaddresses’ table lists 59,975 distinct bitcoin addresses. The ‘builds’ table records individual builds crafted by affiliates for attacks, detailing public keys and, in some instances, the names of targeted companies.
The ‘buildsconfigurations’ table provides the configurations used for each build, indicating which ESXi servers to avoid or files to encrypt. The ‘chats’ table holds 4,442 messages exchanged between the ransomware group and its victims from 19 December to 29 April. The ‘users’ table identifies 75 admins and affiliates with access to the panel, with plaintext passwords like ‘Weekendlover69,’ ‘MovingBricks69420,’ and ‘Lockbitproud231’ discovered by Michael Gillespie.
Defacement message suggests possible link to recent Everest ransomware breach
In a Tox chat with Rey, the LockBit operator ‘LockBitSupp’ confirmed the breach but said that no private keys were leaked and no data was lost. The MySQL dump appears to have been created on 29 April 2025, based on the timestamp and the last entry in the negotiation chats table. The individual or group responsible for the breach and their methods remain unknown, though the defacement message is similar to one used in a recent attack on Everest ransomware’s site, hinting at a possible link.
In 2024, law enforcement’s Operation Cronos dismantled LockBit’s infrastructure, seizing 34 servers that hosted data leak websites, stolen data, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel. LockBit, however, managed to restore and continue its operations, although this breach further impacts its standing.
Earlier this year, the US, the UK, and Australia imposed sanctions on Zservers, a Russian hosting provider, for allegedly supporting ransomware operations. The US Treasury Department announced the action against the company, two administrators, and a UK-based front company. Authorities assert that Zservers provided infrastructure for LockBit and other ransomware operators, including those using Dharma, Hive, VoidCrypt, and Venus ransomware.
In 2024, LockBit’s website was taken over, and its ransomware operations were disrupted by international law enforcement agencies. As part of “Operation Cronos,” a collaborative investigation involving 11 different law enforcement bodies, the site now seems to be controlled by the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation.