© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

LockBit itself has become the victim of a data breach


What goes around, comes around. Ransomware operation LockBit has been hacked by an unknown threat actor, exposing sensitive information.

The attacker was able to deface LockBit’s website and replace all content with the message “Don’t do crime CRIME IS BAD xoxo from Prague” and a URL linking to a MySQL database dump file.

The database contains twenty tables with interesting information, including 59,975 unique bitcoin addresses used for ransom payments, public keys, and 4,442 negotiation messages between LockBit and its victims from December 19, 2024, to April 29, 2025.

In addition, the database dump includes a table containing the plaintext passwords of 75 administrators and partners.

Alon Gal, co-founder and Chief Technology Officer (CTO) at cybersecurity firm Hudson Rock, has called the breach “a goldmine for law enforcement” that could help immensely in tracing cryptocurrency payments and attributing attacks to specific threat actors.

LockBit operator ‘LockBitSupp’ has confirmed that the data breach is real. In a Tox conversation with threat actor Rey, he acknowledged that bitcoin addresses and conversations were stolen, but said that no decryptors or the source code were taken.

As of this moment, it remains unclear who’s responsible for the data breach.

For a long time, LockBit was considered the most active and destructive ransomware operation in the world. According to cybersecurity experts, the group is responsible for over 2,500 victims in 120 countries, including high-profile targets like Bank of America, Boeing, and UK Royal Mail.

In February 2024, law enforcement agencies from Australia, Canada, France, Germany, Japan, the Netherlands, Spain, Sweden, Switzerland, Romania, the United Kingdom and the United States took down LockBit’s infrastructure by confiscating 34 servers. That was during Operation Cronos, a task force led by the UK’s National Crime Agency (NCA).

It didn’t take long for LockBit to recover. Within a week, the ransomware operation was back online and threatened to attack more businesses and government entities in an attempt to challenge law enforcement authorities.

