{
	"id": "90cf6083-6aba-4f19-b112-b21ae7c409f3",
	"created_at": "2026-04-06T00:14:55.575814Z",
	"updated_at": "2026-04-10T13:11:42.997077Z",
	"deleted_at": null,
	"sha1_hash": "6d066dfe6a6b4f53a0ed7ff3c95870f467c45742",
	"title": "Resecurity | LockBit 3.0’s Bungled Comeback Highlights the Undying Risk of Torrent-Based Data Leakage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4102401,
	"plain_text": "Resecurity | LockBit 3.0’s Bungled Comeback Highlights the\r\nUndying Risk of Torrent-Based Data Leakage\r\nPublished: 2024-03-04 · Archived: 2026-04-05 14:23:12 UTC\r\nIn late February, the beleaguered LockBit 3.0 ransomware group threatened to release court documents related to\r\nformer U.S. President Donald Trump, which were compromised in the January 29 hack of Fulton County in\r\nGeorgia, unless the county paid a ransom by March 2. Notably, this threat immediately proceeded Operation\r\nCronos, a major international law enforcement takedown that dismantled and vandalized LockBit 3.0’s online\r\ninfrastructure and victim-shaming website on February 20.\r\nLockBit 3.0 quickly moved to restore their data leak site (DLS) and posted a long “rambling” statement in\r\nresponse to the takedown. The group alleges that law enforcement compromised their previous Dark Web DLS by\r\nexploiting a vulnerability in the PHP programming language, a common tool for website development. But the\r\nransomware gang appears to have been making false claims regarding their post-Cronos possession of sensitive\r\nFulton County Court data. As for the other victims LockBit 3.0 listed on their restored DLS, data associated with\r\nthose postings appears to be recycled files from previous breaches. LockBit 3.0 ultimately adjusted the Fulton\r\nCounty ransom-payment deadline to February 29 and removed the listing from their DLS the same day, claiming\r\nthe county had paid.\r\nHowever, Fulton County officials denied ever paying a ransom. 
Beyond the reputational damage LockBit inflicted on its own organization with their presumed bluff about their resurgence and other empty threats, the group’s leadership has recently been besieged by claims of fraud and breach of contract from their affiliates. Specifically, the group’s infamous leader LockBitSupp has recently been banned from two prominent Dark Web forums, XSS and Exploit, and faces similar allegations of scamming affiliates on RAMP, their last remaining cybercrime-forum haven. While LockBitSupp battles to preserve their underground reputation and their ransomware-as-a-service (RaaS) operation in general, law enforcement agencies investigating the LockBit 3.0 RaaS have noted that the gang maintains a broad network of affiliates.\r\nDespite wide interest in the unfolding LockBit 3.0 comeback saga, this Resecurity report covers a distinctive technical feature of the gang’s operating model, namely LockBit 3.0’s use of peer-to-peer (P2P) networks to disseminate data leaks through torrent files. But before we dive into LockBit 3.0’s P2P data-sharing scheme and the audience segments believed to be accessing their torrent links, Resecurity will provide some recent background on the gang’s over-hyped “comeback.”\r\nLockBitSupp’s Crisis-PR Bluster\r\nIn their rebuttal to the Cronos takedown, LockBitSupp remained in character and taunted the FBI, boasting: “The FBI states that my income is over 100 million dollars, this is true, I am very happy that I deleted chats with very large payouts, now I will delete more often and small payouts too. These numbers show that I am on the right track, that even if I make mistakes it doesn't stop me and I correct my mistakes and keep making money. 
This shows that no hack from the FBI can stop a business from thriving, because what doesn't kill me makes me stronger.”\r\nhttps://www.resecurity.com/blog/article/lockbit-30s-bungled-comeback-highlights-the-undying-risk-of-torrent-based-data-leakage\r\nPage 1 of 10\r\nLockBitSupp also claimed the court data acquired in the Fulton County ransomware breach had the potential to “affect the upcoming US election” – likely the first time a high-profile ransomware actor has threatened a capability of this nature. Nevertheless, the boast appears to be completely false at this point, given that the group no longer seems to have access to whatever Fulton County Court data their affiliates managed to seize.\r\nIn addition to their published response to the FBI, LockBit 3.0 also established a new Tor DLS showcasing a limited number of purported victims and their corresponding stolen data. However, virtually all of these victim data sets appear to have been backdated. At this point, the gang appears to be recycling old data leaks to generate hype about their resilience in the face of global law enforcement intervention. 
Below are some screenshots of LockBit 3.0’s purported victim listings from March 1 and March 2.\r\nOn March 2, 2024, LockBit 3.0 claimed to publish new data leaks from various victims.\r\nHowever, none of these victims saw any new information disclosed, except for additional file listings, as was the case with Air Albania:\r\nIn some instances, victims like Boeing, which was slated for a March 2 publication, had actually been published months earlier.\r\nIn reality, LockBit 3.0 had published Boeing data as far back as October 27, 2023, with the files themselves dated October 22, 2023.\r\nThe recent update displayed this victim listing with a March 2 ransom deadline.\r\nHowever, only two new files were uploaded for the Boeing listing, both dated March 1, 2024.\r\nThis pattern of backdating is also evident in many of LockBit’s previous leaks. As of now, the group has announced several new leaks with a projected ransom deadline/publication date of March 12. It remains uncertain whether these new leaks will actually materialize or whether the data will again be recycled from previous breaches. Nevertheless, the LockBit 3.0 gang want the world to believe that they remain active and operational.\r\nP2P Communications and Torrents\r\nMore noteworthy than LockBit 3.0’s ongoing crisis-PR offensive is the group’s use of P2P platforms to disseminate data leaks via torrent files. Why is this tactic significant? 
First, even if the group's infrastructure is partially disrupted, RaaS operators can keep stolen data reachable by a wide audience via decentralized torrent networks. With default client settings, anyone who downloads the files also uploads the pieces they already hold and keeps seeding after the download completes, so each downloader becomes one more peer serving the data to the swarm. People who follow these torrent links therefore become active participants in the leak, just like users sharing pirated movies or music.\r\nSecond, stopping this activity is hard, much as the music, film, and TV industries have struggled to combat piracy through torrent trackers. Often overlooked is the fact that LockBit 3.0 was one of the first ransomware groups to package leaked data into torrent files for download and to host those archives on Tor.\r\nAs of today, nearly 20 victim organizations listed on LockBit 3.0's Dark Web DLS are associated with torrent links. These victims include government organizations from Mexico, defense contractors, and leading law firms.\r\nResecurity acquired all torrent files added before and after the March 2 update, with the goal of analyzing the P2P traffic around the leaked data as well as the associated Tor connections.\r\nEach of the torrent files we analyzed carried an announce URL for a tracker hosted as a Tor hidden service, which is how a client learns which peers are serving the download:\r\nhttp://3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969/announce\r\nWe set up qBittorrent with Tor as its SOCKS5 proxy and observed that there were consistently three stable seeds available for nearly every torrent file shared by the group.\r\nDuring this process, we logged a significant number of peers originating from various countries. 
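The torrent inspection and peer logging described above, as an added example that is not Resecurity's tooling and not code from the original page: a minimal bencode decoder and encoder, a torrent inspector that pulls out the announce URLs (flagging any tracker hosted on a .onion hidden service), the payload listing and the infohash, a decoder for the compact (ip, port) peer list a tracker returns, and a lookup that matches the listen port an anonymous peer advertises against that list, which is the second of the attacks explained below under What Made These Deanonymizations Possible?. The torrent contents, file names and peer addresses (documentation-range IPs) are constructed; only the announce URL is the one quoted above.

```python
# Added example (not Resecurity's tooling, not LockBit's code): bencode parsing,
# torrent inspection, compact peer-list decoding and listen-port correlation.
# Every input below is constructed except the announce URL quoted in the article.
import hashlib
import ipaddress
import struct
from urllib.parse import urlparse


def bdecode(data: bytes):
    '''Minimal bencode decoder for the four bencode types.'''
    def parse(i):
        c = data[i:i + 1]
        if c == b'i':                              # integer: i<digits>e
            end = data.index(b'e', i)
            return int(data[i + 1:end]), end + 1
        if c == b'l':                              # list: l<items>e
            i, items = i + 1, []
            while data[i:i + 1] != b'e':
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b'd':                              # dict: d<key><value>...e
            i, out = i + 1, {}
            while data[i:i + 1] != b'e':
                key, i = parse(i)
                out[key], i = parse(i)
            return out, i + 1
        colon = data.index(b':', i)                # string: <len>:<bytes>
        start, length = colon + 1, int(data[i:colon])
        return data[start:start + length], start + length
    value, _ = parse(0)
    return value


def bencode(value) -> bytes:
    '''Minimal bencode encoder; dict keys are sorted as the format requires.'''
    if isinstance(value, int):
        return b'i' + str(value).encode() + b'e'
    if isinstance(value, bytes):
        return str(len(value)).encode() + b':' + value
    if isinstance(value, list):
        return b'l' + b''.join(bencode(v) for v in value) + b'e'
    return b'd' + b''.join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b'e'


def inspect_torrent(torrent: bytes) -> dict:
    '''What an analyst records per leak torrent: trackers, which of them are
    Tor hidden services, payload name and size, and the infohash.'''
    meta = bdecode(torrent)
    trackers = [meta[b'announce'].decode()] if b'announce' in meta else []
    for tier in meta.get(b'announce-list', []):
        trackers.extend(t.decode() for t in tier)
    info = meta[b'info']
    size = info.get(b'length') or sum(f[b'length'] for f in info[b'files'])
    return {
        'trackers': trackers,
        'onion_trackers': [t for t in trackers if (urlparse(t).hostname or '').endswith('.onion')],
        'name': info[b'name'].decode(),
        'total_bytes': size,
        # SHA-1 of the bencoded info dict: the identifier peers and trackers key on,
        # so it is the stable handle for one leak set across mirrors and trackers
        'infohash': hashlib.sha1(bencode(info)).hexdigest(),
    }


def decode_compact_peers(blob: bytes) -> list:
    '''A tracker announce response lists peers as 6-byte entries: IPv4 + port.'''
    return [(str(ipaddress.IPv4Address(blob[i:i + 4])), struct.unpack('>H', blob[i + 4:i + 6])[0])
            for i in range(0, len(blob) - len(blob) % 6, 6)]


def correlate_listen_port(tracker_peers: list, advertised_port: int) -> list:
    '''Port correlation: a peer reaching you through Tor still advertises the
    listen port it registered with the tracker under its real address.'''
    return [ip for ip, port in tracker_peers if port == advertised_port]


# Constructed torrent shaped like the leak torrents described above
SAMPLE_TORRENT = bencode({
    b'announce': b'http://3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969/announce',
    b'info': {
        b'name': b'victim-leak',
        b'piece length': 262144,
        b'pieces': hashlib.sha1(b'piece-0').digest() + hashlib.sha1(b'piece-1').digest(),
        b'files': [
            {b'path': [b'docs', b'finance.pdf'], b'length': 300000},
            {b'path': [b'docs', b'hr.xlsx'], b'length': 124288},
        ],
    },
})

# Constructed compact peer list (documentation-range IPs) as a tracker would return it
SAMPLE_PEERS = decode_compact_peers(
    bytes([203, 0, 113, 7]) + struct.pack('>H', 50344)
    + bytes([198, 51, 100, 22]) + struct.pack('>H', 6881)
    + bytes([192, 0, 2, 9]) + struct.pack('>H', 51413))

if __name__ == '__main__':
    print(inspect_torrent(SAMPLE_TORRENT))
    print(SAMPLE_PEERS)
    # a peer arriving over Tor that advertises port 50344 maps back to 203.0.113.7
    print(correlate_listen_port(SAMPLE_PEERS, 50344))
```

Running the module prints the inspection report, the decoded peer list and the single address that shares listen port 50344. On a real leak torrent the same report is what you would record alongside each logged peer, and the infohash is the key for joining observations of the same data set seen through different trackers or mirrors.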
In some cases, the connecting address belonged to a Tor exit relay, meaning the peer was itself coming through Tor.\r\nOnce the downloads completed, our client was itself a seeder of the LockBit torrents, which let Resecurity set up a monitoring host to log every LockBit-curious peer that connected for the data.\r\nFollowing the announcement of the March 2 leak, the number of LockBit-curious peers rose sharply. This surge suggests heightened interest from underground actors connected to LockBit 3.0's activities, including former affiliates, as well as data brokers eager to obtain stolen records. This group isn't limited to cybercriminals; it also includes industry competitors and corporate intelligence firms keen to opportunistically leverage the leaked data.\r\nLockBit 3.0 is not the only group to have operationalized torrent file sharing. Other prominent RaaS groups that have employed this feature include Cl0P and Ransomed.VC, the latter of which we spotlighted last September for their attacks on major Japanese enterprises. At the time our Ransomed.VC report was published, that group was also distributing a torrent file containing data from at least two victims, and it used torrents as its primary delivery channel rather than Tor. Despite Ransomed.VC’s purported disbandment in November of last year, the torrents containing this stolen data remain accessible to anyone who has the download link.\r\nWho Were the Peers?\r\nResecurity logged over 450 unique peers accessing leaked LockBit 3.0 data via torrents. 
These logs included each torrent peer’s IP address and port.\r\nNotable hosts:\r\n- a host whose IP address geolocates to China and is linked to extensive malicious network activity\r\n- a host whose IP address geolocates to Iran and is tied to one of the country’s scientific organizations\r\n- a host in a subnet belonging to a business consulting firm\r\nWhat Made These Deanonymizations Possible?\r\nAccessing torrents via Tor is widely recognized as a poor security practice; the problem was first flagged by security researchers in 2010, nearly 15 years ago, in the Tor Project post quoted below.\r\nAccording to https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea/:\r\nThere are three pieces to the attack (or three separate attacks that build on each other, if you prefer).\r\nThe first attack is on people who configure their Bittorrent application to proxy their tracker traffic through Tor. These people are hoping to keep their IP address secret from somebody looking over the list of peers at the tracker. The problem is that several popular Bittorrent clients (the authors call out uTorrent in particular, and I think Vuze does it too) just ignore their socks proxy setting in this case. 
Choosing to ignore the proxy setting is understandable, since modern tracker designs use the UDP protocol for communication, and socks proxies such as Tor only support the TCP protocol -- so the developers of these applications had a choice between \"make it work even when the user sets a proxy that can't be used\" and \"make it mysteriously fail and frustrate the user\". The result is that the Bittorrent applications made a different security decision than some of their users expected, and now it's biting the users.\r\nThe attack is actually worse than that: apparently in some cases uTorrent, BitSpirit, and libTorrent simply write your IP address directly into the information they send to the tracker and/or to other peers. Tor is doing its job: Tor is _anonymously_ sending your IP address to the tracker or peer. Nobody knows where you're sending your IP address from. But that probably isn't what you wanted your Bittorrent client to send.\r\nThat was the first attack. The second attack builds on the first one to go after Bittorrent users that proxy the rest of their Bittorrent traffic over Tor also: it aims to let an attacking peer (as opposed to tracker) identify you. It turns out that the Bittorrent protocol, at least as implemented by these popular Bittorrent applications, picks a random port to listen on, and it tells that random port to the tracker as well as to each peer it interacts with. Because of the first attack above, the tracker learns both your real IP address and also the random port your client chose. So if your uTorrent client picks 50344 as its port, and then anonymously (via Tor) talks to some other peer, that other peer can go to the tracker, look for everybody who published to the tracker listing port 50344 (with high probability there's only one), and voila, the other peer learns your real IP address. 
As a bonus, if the Bittorrent peer communications aren't encrypted, the Tor exit relay you pick can also watch the traffic and do the attack. That's the second attack. Combined, they present a variety of reasons why running any Bittorrent traffic over Tor isn't going to get you the privacy that you might want.\r\nSo what's the fix? There are two answers here. The first answer is \"don't run Bittorrent over Tor\". We've been saying for years not to run Bittorrent over Tor, because the Tor network can't handle the load; perhaps these attacks will convince more people to listen. The second answer is that if you want your Bittorrent client to actually provide privacy when using a proxy, you need to get the application and protocol developers to fix their applications and protocols. Tor can't keep you safe if your applications leak your identity.\r\nThe third attack from their paper is where things get interesting. For efficiency, Tor puts multiple application streams over each circuit. This approach improves efficiency because we don't have to waste time and overhead making a new circuit for every tiny picture on the aol.com frontpage, and it improves anonymity because every time you build a new path through the Tor network, you increase the odds that one of the paths you've built is observable by an attacker. But the downside is that exit relays can build short snapshots of user profiles based on all the streams they see coming out of a given circuit. If one of those streams identifies the user, the exit relay knows that the rest of those streams belong to that user too.\r\nThe result? 
If you're using Bittorrent over Tor, and you're _also_ browsing the web over Tor at the same time, then the above attacks allow an attacking exit relay to break the anonymity of some of your web traffic.\r\nIn short, downloading data from torrents that involve the Tor network carries a substantial risk of deanonymization for the end user. This applies equally to cybercriminals and other underground figures interested in LockBit 3.0's data: directly or indirectly, they may become targets of surveillance, which makes this access route highly inadvisable for them. For research purposes, however, the same transparency is an advantage. By analyzing the peers interested in LockBit 3.0’s data, it is possible to identify high-risk hosts accessing it and potentially glean valuable cyber-threat intelligence (CTI).\r\nOur approach is borrowed from the anti-piracy domain, particularly from the tactics technology companies in that space use to pinpoint IP addresses involved in the illegal sharing of copyright-protected intellectual property. A notable success story in this area came in 2012, when two leading anti-piracy companies involved in the U.S. Copyright Alert System (CAS), BayTSP and Peer Media, monitored thousands of torrent files. As reported by TorrentFreak, the two firms significantly ramped up their activities, effectively surveilling the download habits of BitTorrent users to gather statistics and insights.\r\n“As for the number of torrents that are being watched, over a period of a month BayTSP connected to 3,657 torrent files and Peer Media to 3,752 torrents. Although ScanEye tracks hundreds of thousands of torrents, these lists are not extensive,” reported TorrentFreak. For years, companies such as BayTSP and Peer Media worked with movie studios and record labels to track the IP addresses of torrent downloaders so that violators could be reported to their Internet providers. 
Beyond two “educational” warning notices, CAS operated under a six-strike system in which repeat violators faced an escalating set of penalties, including temporary Internet disconnection and legal action.\r\nIn fact, the Motion Picture Association (MPA) and the Recording Industry Association of America (RIAA) used the collected data to sue egregious file-sharers. However, the CAS system was discontinued in 2017, as the entertainment industry devised new methods of combating online piracy.\r\nConclusion\r\nThe dilemma posed by torrents carrying victim data leaked by LockBit 3.0 persists even after the Cronos disruption. The main challenge is deterring actors who have already downloaded the data from seeding it. This is difficult, particularly for actors operating in politically adversarial jurisdictions or where the rule of law is weak. Such countries could become \"safe havens\" for enduring cybercriminal torrent trackers, potentially replacing or at least supplementing the Tor network. Beyond the Dark Web, Data Leak Sites might evolve into Data Leak Torrents, offering greater resilience and accessibility and thereby easing the distribution of stolen data. This scenario presents a novel challenge for the information-security industry that requires advance preparation and planning. Thanks to LockBit 3.0 and their “intrepid” leader, Resecurity has laid the initial groundwork for confronting this emerging threat.\r\nSource: https://www.resecurity.com/blog/article/lockbit-30s-bungled-comeback-highlights-the-undying-risk-of-torrent-based-data-leakage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.resecurity.com/blog/article/lockbit-30s-bungled-comeback-highlights-the-undying-risk-of-torrent-based-data-leakage"
	],
	"report_names": [
		"lockbit-30s-bungled-comeback-highlights-the-undying-risk-of-torrent-based-data-leakage"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d066dfe6a6b4f53a0ed7ff3c95870f467c45742.pdf",
		"text": "https://archive.orkl.eu/6d066dfe6a6b4f53a0ed7ff3c95870f467c45742.txt",
		"img": "https://archive.orkl.eu/6d066dfe6a6b4f53a0ed7ff3c95870f467c45742.jpg"
	}
}