Information that can be highly valuable to law enforcement and the cybersecurity community was leaked after someone hacked into an administration panel used by the LockBit ransomware operation.
The hack came to light on May 7, when a domain associated with a LockBit administration panel was defaced to display a message that read “Don’t do crime, crime is bad xoxo from Prague”. The defaced page also included a link to an archive file containing information taken from the compromised server.
The leaked data includes private messages between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, details about attacks, and information on malware and infrastructure.
Several cybersecurity experts have analyzed the leaked data. Christiaan Beek, senior director of threat analytics at Rapid7, noted that the Bitcoin addresses could be useful to law enforcement.
In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, explained how the leaked data could be valuable for the cybersecurity community.
The expert said the user data included in the leak likely pertains to affiliates or administrators of the ransomware operation. Searchlight Cyber has identified 76 records, including usernames and passwords, in the published data.
“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan said.
He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.”
Searchlight Cyber has identified 208 conversations between LockBit affiliates and victims. The messages, which date from December 2024 to April 2025, could be “valuable for learning more about how LockBit’s affiliates negotiate with their victims”.
Indeed, Rapid7’s Beek pointed out that the leaked chats show how aggressive LockBit affiliates were during ransom negotiations.
“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek said.
As for who is behind the LockBit hack, Searchlight Cyber’s Donovan pointed out that the defacement message is the same as the message displayed last month on the hacked website of a different ransomware group, Everest.
“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” the expert said.
A statement posted on LockBit’s leak website on May 8 confirmed the compromise of an administration panel but downplayed the impact, saying that neither decryptors nor sensitive data from victims were affected.
LockBitSupp, the mastermind behind the LockBit operation, who authorities say is Russian national Dmitry Yuryevich Khoroshev, said he is willing to pay for information on the identity of the individual who carried out the attack.
Law enforcement agencies worldwide have been taking action to disrupt LockBit, but despite delivering a major blow last year, the cybercrime operation is still active and continues to pose a threat to organizations.