{
	"id": "5e1f4018-be7f-48e4-a786-0c153bf0bb7b",
	"created_at": "2026-04-06T00:09:50.102151Z",
	"updated_at": "2026-04-10T03:20:03.386309Z",
	"deleted_at": null,
	"sha1_hash": "2b79fe59b2515791f89765d6e8f4132d7b8eb3fe",
	"title": "LockBit ransomware gang hacked, victim negotiations exposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1640987,
	"plain_text": "LockBit ransomware gang hacked, victim negotiations exposed\r\nBy Lawrence Abrams\r\nPublished: 2025-05-08 · Archived: 2026-04-05 15:02:49 UTC\r\nThe LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a\r\nmessage linking to a MySQL database dump.\r\nAll of the ransomware gang's admin panels now state. \"Don't do crime CRIME IS BAD xoxo from Prague,\" with a link to\r\ndownload a \"paneldb_dump.zip.\"\r\nLockBit dark web site defaced with link to database\r\nAs first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL\r\ndatabase.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nFrom analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others,\r\nincluding:\r\nA 'btc_addresses' table that contains 59,975 unique bitcoin addresses.\r\nA 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but\r\nno private keys, unfortunately. The targeted companies' names are also listed for some of the builds.\r\nA 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers\r\nto skip or files to encrypt.\r\nA 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and\r\nvictims from December 19th to April 29th.\r\nAffiliate panel 'chats' table\r\nA 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that\r\npasswords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69,\r\n'MovingBricks69420', and 'Lockbitproud231'.\r\nIn a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private\r\nkeys were leaked or data lost.\r\nBased on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to\r\nhave been dumped at some point on April 29th, 2025.\r\nIt's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent\r\nbreach of Everest ransomware's dark web site, suggesting a possible link.\r\nIn 2024, a law enforcement operation called Operation Cronos took down LockBit's infrastructure, including 34 servers\r\nhosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, 1,000 decryption keys,\r\nand the affiliate panel.\r\nAlthough LockBit managed to rebuild and resume operations after the takedown, this latest breach strikes a further blow to\r\nits already damaged reputation.\r\nIt's too early to tell if this additional reputation hit will be the final nail in the coffin for the ransomware gang.\r\nOther ransomware groups who have experienced similar leaks include Conti, Black Basta, and Everest.\r\nUpdate 5/8/25: Updated article to remove potential PHP CVE the server was vulnerable to as that CVE only impacted\r\nWindows. Thanks Christopher.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/"
	],
	"report_names": [
		"lockbit-ransomware-gang-hacked-victim-negotiations-exposed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b79fe59b2515791f89765d6e8f4132d7b8eb3fe.pdf",
		"text": "https://archive.orkl.eu/2b79fe59b2515791f89765d6e8f4132d7b8eb3fe.txt",
		"img": "https://archive.orkl.eu/2b79fe59b2515791f89765d6e8f4132d7b8eb3fe.jpg"
	}
}