{
	"id": "bb743f7b-9441-4656-95ad-236376b88f4a",
	"created_at": "2026-04-06T00:12:07.212912Z",
	"updated_at": "2026-04-10T03:31:40.556994Z",
	"deleted_at": null,
	"sha1_hash": "32c5b5cf7e1bebd79f05a69fe817146a7544fa21",
	"title": "LockBit Got Hacked. Again: Uncovering Insights Into the Leaked Data | Analyst1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1104645,
	"plain_text": "LockBit Got Hacked. Again: Uncovering Insights Into the Leaked\r\nData | Analyst1\r\nBy Anastasia Sentsova\r\nPublished: 2025-05-15 · Archived: 2026-04-05 16:15:52 UTC\r\nLeaked, Exposed, and Angry: “I’ll Pay for Info on Who Did It”\r\nLockBit ransomware has been having a rough time over the past year. Following the heavy blow dealt by\r\nOperation Cronos, the group attempted a comeback, aiming to reclaim its previous status as one of the dominant\r\nplayers in the ransomware landscape. As LockBit was trying to recover, it hit another bump in the road. It didn’t\r\ntake long before yet another breach of its infrastructure occurred.\r\nOn May 7, 2025, an unknown individual leaked a MySQL database containing multiple tables related to the\r\ninformation from internal servers, exposing details of LockBit’s operations and the actors involved. Within the\r\nleak, it was identified: nearly 63,700 addresses (BTC and XMR); affiliates’ requests for or generation of\r\nransomware builds via the affiliate panel, negotiation chats with victims comprising nearly 4,400 messages; 75\r\nusernames; 21 TOX IDs, which might potentially serve a great deal for further research and identifying actors\r\nbehind LockBit personas and other information.\r\nLockBit’s attitude was to brush it off with a “haters gonna hate,” but we’d say this looks a lot like karma doing its\r\njob. As a response to the leak, LockBit posted a message on their data leak site and Telegram with the following:\r\n“On May 7, the light panel with auto-registration was breached. Not a single decryptor or any stolen company\r\ndata was affected. I’m figuring out how they got in and rebuilding it. The full panel and blog are up and\r\nrunning. The alleged hacker is someone named Hoho (xoxo) from Prague. 
I am willing to pay for any info\r\nabout him, but only if it’s legit.”\r\nhttps://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/\r\nPage 1 of 10\n\nFigure 1: LockBit posted messages on both its Data Leak Site and Telegram, explaining the\r\nsituation regarding the leak\r\nSource: Analyst1\r\nThis leak serves as yet another valuable source of intelligence for researchers and incident responders. In this\r\nreport, we uncover operational insights and provide detailed blockchain forensic analysis related to LockBit’s\r\nfinancial activity. Let’s take a closer look at the findings.\r\nActors’ Target Preferences \u0026 Other Operational Insights\r\nAs we examined the leak, one thing quickly became clear: the actors observed do not demonstrate a high level of\r\nexperience. Several indicators support this conclusion, most notably, the questionable conduct of affiliates during\r\nnegotiations, ransom demands appear significantly lower than those typically associated with historical LockBit\r\nattacks, and a consistent pattern of careless on-chain behavior.\r\nBased on LockBit’s statement and leaked information, the “Lite panel” is designed specifically for low-tier\r\naffiliates who can purchase access for a $777 USD fee. This lower-level access tier allows criminals to participate\r\nin ransomware operations with minimal entry barriers. The first mention of this panel appeared in an interview\r\nthat LockBit gave to DeepDarkCTI in December 2024. When discussing its current position in the ransomware\r\nmarket following Operation Cronos, LockBit stated: Now, anyone can access a Ransomware panel and start\r\nworking within five minutes after paying a symbolic fee of $777. 
Those who prove themselves as experienced\r\npentesters will gain access to a more advanced and functional Ransomware panel.\r\nWhile the existence of multiple panels cannot be confirmed at the moment, the Lite panel may represent a new\r\nmodel, suggesting that the rules have changed. Previously, affiliates were required to deposit 1 Bitcoin to a\r\nLockBit wallet as an upfront joining fee, which was later used as credit to cover the operator’s 20% share of\r\nransom payments. This approach served to establish trust between the affiliate and the operator while also raising\r\nthe barrier to entry, to deter potential law enforcement agents and researchers from infiltrating the program, as\r\nstated by LockBit under their affiliate rules.\r\nAmong the users registered on the panel, 75 usernames were identified. Two of them, admin and matrix777, are\r\nlikely associated with the LockBit operator. This conclusion is based on the presence of the same TOX ID\r\n(A1A6D2ECC8DB18DA0D5F04C5ED01A565B5A46E4012FAE627ACCB5D709BB89477D26BE7EF852C)\r\nlinked to both accounts. The remaining usernames are likely affiliates, including one notable actor operating under\r\nthe alias “Christopher.” After registering on the panel on December 20, 2024, Christopher quickly became one\r\nof the most active participants in LockBit’s affiliate program. The chart below illustrates the distribution of total\r\nmessages exchanged between victims and affiliates, with Christopher responsible for nearly 47% of all activity.\r\nFigure 2: Distribution of messages across usernames. The total count reflects both actor messages\r\nand victims’ replies\r\nSource: Analyst1\r\nAnother revelation comes from analyzing affiliate targeting preferences. 
Perhaps the most striking finding is the\r\nactive targeting of APAC countries by affiliates, something not commonly observed in previous LockBit\r\ncampaigns. China, in particular, stands out. Traditionally, it is avoided by most Russian ransomware groups and\r\nconsidered a “friendly” nation within that ecosystem. While China has occasionally appeared on LockBit’s data\r\nleak site, it has typically represented only a tiny fraction of total victims compared to other countries. During the\r\noperational span of LockBit 2.0 and its rebrand as LockBit 3.0, from July 18, 2021, to May 9, 2025, China was\r\nlisted 28 times out of a total of 2,879 public claims, accounting for approximately 1% of all entries on LockBit’s\r\nleak site. (data source: eCrime.ch)\r\nChristopher, the central figure in our investigation, also appears to have a clear preference for targeting Asia–\r\nPacific (APAC) countries. The graph below, along with the earlier published report by Valéry Rieß-Marchive, illustrates the regional distribution of targets identified in the leak. This data is sourced from the builds\r\ntable, which documents affiliate requests for the generation of ransomware builds through the affiliate panel.\r\nNotably, APAC countries appear in the targeting preferences of nearly every affiliate, highlighting a significant\r\nshift in operational focus that deviates from traditional LockBit practices, a trend that was not as apparent when\r\nanalyzing activity on their public data leak site.\r\nFigure 3: Distribution of targeted regions by usernames\r\nSource: Courtesy of Valéry Rieß-Marchive\r\nIn some cases, however, affiliates themselves appear confused about the countries they are targeting. In one such\r\ninstance, Christopher references a private cryptocurrency exchange in China, providing a link as part of the\r\nnegotiation. 
The victim responds: “Bro, we are in Taiwan, not China. We hate China.” The conversation takes an\r\nunexpected and somewhat humorous turn when the victim asks the affiliate to consider attacking a Chinese\r\ncompany, to which Christopher replies that “they will check it out.” The victim clearly exhibiting a sense of\r\nhumor and perhaps lacking negotiation experience continues: “We will pay, but you need to give me some time to\r\nconvince my boss. But you must say China is shit!!!!!!!”.\r\nIn yet another unexpected and revealing exchange, a victim appears to flirt with the idea of joining the\r\nransomware ecosystem:\r\nVictim: “Bro, I want to ask for your advice. If I want to make some extra money on the side but do it safely like\r\nyou guys, do you have any recommended directions?”\r\nChristopher: “We now have open registration in the LockBit panel, but it costs $777.”\r\nVictim: “After joining, what can I help with? I don’t have any particular skills. If possible, can I join?”\r\nChristopher: “You don’t need it.”\r\nWhile this exchange might seem humorous or perhaps someone trying to infiltrate the group, the key takeaway is\r\nclear: victims should seriously consider assigning or hiring a qualified professional to handle ransomware\r\nnegotiations. And no, your chats are not being deleted, even if the actor promises to do so. In fact, they can\r\nbecome very public, as seen in cases like this.\r\nAnd ladies and gentlemen, if you ever consider joining the dark side, don’t take advice from actors like\r\nChristopher. Their “you don’t need any skills” attitude perfectly reflects today’s reality, where ransomware has\r\nbecome a commodity, not an elite cyber weapon, and comes with a very low barrier to entry. The good news? That\r\nsame “no skills needed” mindset doesn’t serve them well. 
In fact, it’s exactly what leads affiliates like Christopher\r\nto eventually get caught, from their primitive technical abilities to their sloppy money laundering practices. And as\r\nfor Christopher’s on-chain behavior — how to put it? Well… it’s extremely careless. Let’s take a look at some of\r\nChristopher’s profits and laundering efforts, which, surprise… there are basically none.\r\nUncovering LockBit On-chain Behavior\r\nThis leak has provided an incredible volume of cryptocurrency addresses. Specifically, three tables within the leak\r\ncontain cryptocurrency addresses: btc_addresses, chats, and invites, with nearly 63,700 addresses in total. So,\r\nhow do we interpret them? Based on our analysis, all of these addresses can be attributed to LockBit as an entity.\r\nHowever, we went a step further and performed actor-level attribution for a portion of them.\r\nWhen it comes to the addresses from the chats table, attribution is relatively straightforward. By analyzing the\r\ncontext surrounding each address and the specified actor ID, we can map addresses to individual affiliates with a\r\nhigh level of confidence.\r\nMeanwhile, addresses in the btc_addresses table appear to be operator-controlled. This conclusion is based on a\r\nblockchain investigation, where we traced affiliate transactions and identified a consistent 80/20 profit-sharing\r\npattern, known to be LockBit’s revenue model. In multiple cases, 20% of the ransom proceeds were sent to\r\naddresses listed in the btc_addresses table. Based on this consistent pattern, we conclude that all addresses in the\r\nbtc_addresses table are likely under operator ownership.\r\nIn addition, the invites table likely contains addresses provided to actors who are just joining the LockBit affiliate\r\nprogram. 
As mentioned earlier, LockBit sometimes requires an entry fee to participate, and these addresses may\r\nhave been used to collect those initial payments.\r\nOverall, distinguishing between operator- and affiliate-controlled addresses is essential for accurate blockchain\r\ntracing. From a research perspective, this distinction, when combined with a broader dataset of cryptocurrency\r\naddresses, provides valuable insights into potential cross-group collaboration, especially among affiliates who\r\nmay be working with multiple ransomware groups. For example, if an actor provides a ransom address during\r\nnegotiations, often accompanied by self-attribution or branding, and a portion of the ransom is later transferred to\r\nan address known to be controlled by the LockBit operator, this indicates collaboration between groups.\r\nThis is not totally surprising, as such collaboration may occur when smaller ransomware groups with their own\r\nestablished identities partner with larger operations like LockBit. In these cases, although the attack may appear to\r\nbe carried out under one brand, the encryption tools, infrastructure, or negotiation support may actually originate\r\nfrom a different group. Within the leak, for example, we observed two affiliates introducing themselves as\r\nRansomHub and Hellcat.\r\nOn April 4, 2025, an affiliate operating under the alias BaleyBeach stated: “We were affiliates of RansomHub.\r\nNow RansomHub is closed, so we moved here. Existing companies (including yours) that we were dealing with\r\nstill have a chance to prevent their data leak.” Another reference to a different group occurred on March 20,\r\n2025, when an actor using the alias KoreyAllen made the following claim: “LockBit \u0026 HellCat encrypted your\r\nnetwork. 
You have 39 days to negotiate.”\r\nIdentifying potential affiliate-operator relationships on the blockchain is possible by analyzing transaction\r\npatterns, particularly profit-sharing splits, such as LockBit’s well-documented 80/20 model. When investigating\r\naddresses attributed to Christopher, we observe a consistent pattern in line with this model: 80% of the ransom\r\nproceeds go to the affiliate, while 20% is allocated to the operator. Below are several examples that illustrate this\r\nbehavior, starting from receiving ransom payment and tracing the subsequent distribution of funds.\r\nTo make our findings easier to follow, in the examples provided below, we will specify each address with its\r\ncorresponding source table (btc_addresses OR chats). As established earlier, the btc_addresses table relates to\r\naddresses attributed to the operator, while the chats table relates to addresses attributed to affiliates.\r\nExample 1\r\nThe actor initially demanded $80,000 and offered a 20% discount after the victim requested a reduction in the\r\nransom amount. The victim agreed to pay $50,000, after which the actor provided the Bitcoin address\r\n1PKzZhK35fvszaHBdyAwHTRtEoJwjR1ocD (chats table). The victim first conducted a test transaction of\r\n0.00010389 BTC (equivalent to $9.94 USD at the time of the transaction), transaction hash:\r\nafa41038f76e6616814e5c4d4bc7a4907d15d41dac5bf782af42dc2fbbc5c11f\r\nSubsequently, the victim proceeded with the full payment of 0.51889581 BTC (equivalent to $49,073.92 USD at\r\nthe time of the transaction), sent to the same address 1PKzZhK35fvszaHBdyAwHTRtEoJwjR1ocD on\r\nDecember 27, 2024. 
The transaction hash for this payment is:\r\nc3137291d4c673e21f282e346338568f26f7b7c3558c82392bca6d31c66166b2\r\nFigure 4: The image shows victims making a ransom payment in two transfers: a test transaction\r\nfollowed by the main payment\r\nSource: blockchair.com\r\nFurther investigation revealed that approximately 0.104 BTC (equivalent to $9,954 USD at the time of the\r\ntransaction), or roughly 20% of the total payment, was transferred to the Bitcoin address\r\nbc1qmydvt6xz9rkw36yvw2qztgxexz8dp40pxgklhq  listed in the btc_addresses table, where the funds remain\r\nas of May 9, 2025. Given the 20% share, this payment is likely a profit distribution to the LockBit operator.\r\nAnother portion of the ransomware proceeds in the amount of 0.41485 BTC (equivalent to 38,767 USD at the\r\ntime of transaction) was transferred to 3Ctfikx36y52Kvg8f8WSsFGu2gzax9ZXDu, and subsequently sent to the\r\nWhiteBIT exchange at bc1qng0keqn7cq6p8qdt4rjnzdxrygnzq7nd0pju8q\r\nFigure 5: The image shows the flow of ransom proceeds, distributed between the affiliate and the\r\noperator, with the affiliate’s portion eventually transferred to the WhiteBit exchange\r\nSource: Graph made through arkhm.com\r\nExample 2\r\nThe victim agreed to pay a ransom of $15,000 USD and initiated the process with a test transaction of 0.005214\r\nBTC (equivalent to $497.20 USD at the time of the transaction) on February 13, 2025. This amount was sent to\r\nthe Bitcoin address 1LZCdUhTZexZoRdS55wTcK1tAZrs8p7384 (chats table), which the actor had provided.\r\nThe transaction hash for this test payment is:\r\n64249c14cb6d2b78916f285259359a16c13cfd08635b1da53d5d7e715ae7487f. Following the test, the victim\r\nproceeded with the full ransom payment of 0.1512 BTC (equivalent to $14,514.89 USD at the time of the\r\ntransaction), sent to the same address 1LZCdUhTZexZoRdS55wTcK1tAZrs8p7384. 
The transaction hash for\r\nthe final payment is: 6558bf1c88795c00fad711453402e0df4fd3a33e72085e4c1e83f4a8c694bd3c.\r\nFigure 6: The image shows victims making a ransom payment in two transfers: a test transaction\r\nfollowed by the main payment\r\nSource: blockchair.com\r\nFurther investigation revealed that the actor transferred 0.03113 BTC (equivalent to $3,047 USD at the time of the\r\ntransaction), or approximately 20% of the total ransom payment, to the Bitcoin address\r\nbc1qv4j45knlkeazg0n0ymv3e3rpcv4gc8qqmrhp20 listed in the btc_addresses table. The transaction hash\r\nassociated with this transfer is: 9c5f019dfa5c474dfa265f62f1a9aa1aabb40e9c1a62c1b608d718619c233a35. This\r\ntransaction is likely a profit share with the LockBit operator, consistent with the 20% cut typically attributed to\r\nthe ransomware group’s revenue-sharing model. Another portion of the proceeds, totaling 0.1247 BTC (equivalent\r\nto $11,972 USD at the time of the transaction), was sent to 3Hmc4YJZbhJtjos9cMch6iNAMZQ63J2CY5, an\r\naddress identified as belonging to the KuCoin exchange.\r\nFigure 7: The image shows the flow of ransom proceeds, distributed between the affiliate and the\r\noperator, with the affiliate’s portion eventually transferred to the KuCoin exchange\r\nSource: Graph made through arkhm.com\r\nExample 3\r\nUpon agreeing to a $24,000 USD ransom payment, on February 16, 2025, the victim made two separate\r\npayments to the address 1BWbqn6xdFat3zLiaHPuFLqnZL7Q4obSKC (chats table), which was provided by\r\nthe actor.\r\nThe first payment was for 0.07 BTC (equivalent to $6,802.66 USD at the time of the transaction).\r\nTransaction hash: 2a02036ccd63dfa54ddd209b4e2839257d6b682489bda54f3cb9bcd70ebd6904\r\nThe second payment was for 0.175 BTC (equivalent to $17,006.67 USD at the time of the transaction).\r\nTransaction hash: 
1bc3f4b04a1ad974eee10d711e71d526e835e0e14beedc50a889d35c30dfac2f\r\nFigure 8: The image shows a ransom payment made by the victim in two parts\r\nSource: blockchair.com\r\nFurther investigation revealed that 0.04621 BTC (equivalent to $4,510 USD at the time of the transaction), or\r\napproximately 20% of the total ransom payment, was sent to the Bitcoin address\r\nbc1q5xpf5anwuz75vhlc00g2ec6teu3zvud3axeqcw, which was also identified to be listed in the btc_addresses\r\ntable. This transaction is likely a profit share with the LockBit operator, consistent with the 20% correlating with\r\nthe group’s revenue-sharing model. Another portion of the ransom proceeds 0.198745 BTC (equivalent to $19,081\r\nUSD at the time of the transaction) was sent to 39NvyhFJwXUXwjjVTUXtXYVbWE1E7572DC, an address\r\nidentified as belonging to the KuCoin exchange.\r\nFigure 9: The image shows the flow of ransom proceeds, distributed between the affiliate and the\r\noperator, with the affiliate’s portion eventually transferred to the KuCoin  exchange\r\nAs demonstrated in all three examples, Christopher consistently transfers ransom proceeds directly to\r\ncryptocurrency exchanges such as KuCoin and WhiteBIT, almost immediately after receiving the funds. This\r\nbehavior suggests a very low level of operational security and minimal effort to obfuscate the transaction trail,\r\ncompared with sophisticated money-laundering tactics used by more experienced threat actors.\r\nAnother important observation emerges when analyzing the 20% operator share: surprisingly, none of these funds\r\nhave been moved. As of May 15, 2025, all three addresses attributed to the LockBit operator still hold their full\r\nbalances. At this time, we cannot provide a definitive explanation for this inactivity. 
The initial assumption was\r\nthat the relatively small ransom amounts were simply left for later withdrawal. However, we’ve observed similar\r\nbehavior even with significantly larger ransoms, which challenges that assumption.\r\nFor example, the address bc1q5tanumnzxuhk0vxkmaqvhqgnq6sf0855trrmjw, listed in the btc_addresses\r\ntable, was used to receive a ransom payment based on typical on-chain behavior. It is unclear whether the\r\noperator collaborated with any outside affiliates or engaged in an attack, solely assuming that it might have been a\r\npurchased access. However, we are clearly seeing that the received funds are most likely a ransom payment. In\r\nsuch behavior of identifying a ransom payment, it is typical to observe the test transaction first, followed by the\r\nremaining payment. On April 30, 2025, the victim first made a test transaction of 0.0011 BTC (equivalent to\r\n$102.33 USD at the time), followed by a main payment of 4.22 BTC (equivalent to $396,699.53 USD at the time\r\nof the transaction). Yet, as of May 15, 2025, the balance of bc1q5tanumnzxuhk0vxkmaqvhqgnq6sf0855trrmjw\r\nremains untouched. This shows anomalous behavior, given that ransom payments are typically moved the same\r\nday or the following day in most ransomware operations.\r\nConclusion\r\nThe democratization of ransomware, its increasingly low barrier to entry, and collaboration between actors have\r\ncreated a far more complex landscape for investigation and attribution. While prevention remains the most critical\r\nline of defense, the unfortunate reality is that determined threat actors continue to find ways into victims’\r\nnetworks. 
Identifying evidence across multiple layers of criminal operations, from infrastructure to negotiation\r\nbehavior to on-chain activity, is essential for effectively combating ransomware.\r\nThat’s why tracking, tracing, and attributing individuals behind ransomware operations is equally vital. These\r\nactors often operate with a false sense of invincibility, but that illusion shatters the moment they are exposed.\r\nAttribution efforts must happen at both the entity level, such as identifying ransomware groups, and the individual\r\nlevel, targeting individuals within those groups. This leak of LockBit’s internal database provides valuable\r\nintelligence for ransomware investigations and significantly advances our efforts to map their illicit infrastructure,\r\nadding numerous new data points to the broader collection of intelligence.\r\nAnalyst1 is continuing to investigate LockBit and report on our findings.\r\nAbout Analyst1\r\nThreat intelligence teams often struggle to bridge the gap from insight to action. Analyst1 is the Orchestrated\r\nThreat Intelligence Platform designed to resolve this issue. It automatically organizes threat data, links it to your\r\nassets and vulnerabilities, and customizes views for different roles. Analyst1’s orchestration layer streamlines\r\nworkflows and automates reliable actions by integrating with SIEM, ticketing, and vulnerability management\r\nsystems. From Fortune 500 financial institutions to national security agencies, enterprises trust Analyst1 to unify\r\ntheir defenses, significantly reducing their response time from days to minutes.\r\nSource: https://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/"
	],
	"report_names": [
		"lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32c5b5cf7e1bebd79f05a69fe817146a7544fa21.pdf",
		"text": "https://archive.orkl.eu/32c5b5cf7e1bebd79f05a69fe817146a7544fa21.txt",
		"img": "https://archive.orkl.eu/32c5b5cf7e1bebd79f05a69fe817146a7544fa21.jpg"
	}
}