
LockBit ransomware group hit by data breach, affiliate panel hacked and database dump leaked

In a surprising turn of events, the notorious LockBit ransomware group has itself become the victim of a data breach, following a successful hack of its dark web affiliate management panels. Visitors to the group’s backend pages were greeted with a stark message: “Don’t commit crimes. Crimes are bad. Greetings from Prague.” The message also included a download link to a zip file named paneldb_dump.zip, containing what appears to be a MySQL database dump of LockBit’s affiliate panel.


The breach was first identified by threat actor Rey, who discovered that the archive file includes a full SQL dump of the affiliate system. An analysis by cybersecurity outlet BleepingComputer confirmed that the dump contains 20 database tables, revealing detailed insights into the inner workings of LockBit’s operations.


Among the most revealing data points are nearly 60,000 unique Bitcoin addresses, likely used for ransom payments. The database also includes a table cataloging malware builds created by affiliates for use in cyberattacks. These records sometimes contain the names of targeted organizations, along with specific configuration details such as instructions to avoid encrypting particular ESXi servers or to exclude certain files.


One especially notable section of the dump contains 4,442 messages from negotiations between LockBit and its victims, spanning from December 19, 2024, to April 29, 2025. Another table lists 75 users with access to the management panel, including both administrators and affiliates. According to security expert Michael Gillespie, the passwords stored in the database were not encrypted and included examples such as “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.”


LockBit’s primary operator, known as LockBitSupp, confirmed to Rey via the encrypted messaging platform Tox that the leak is genuine. LockBitSupp claimed that while the breach is real, no private keys or critical operational data were compromised. Analysis of the file timestamps and negotiation logs suggests that the database dump was created on April 29, 2025.


While the identity of the attackers remains unclear, the defacement message displayed on LockBit’s hacked panel mirrors one recently left on the dark web site of the Everest ransomware group, raising speculation about a possible connection. Technical details from the SQL dump indicate that the compromised server was running PHP version 8.1.2, which is known to contain a critical remote code execution vulnerability (CVE-2024-4577) that is actively being exploited in the wild.


This breach adds to a growing list of setbacks for LockBit. In 2024, the group was targeted in Operation Cronos, a multinational law enforcement effort that led to the seizure of 34 servers, the recovery of stolen data, cryptocurrency wallets, over 1,000 decryption keys, and a version of the affiliate management panel. Although the group managed to regroup and resume operations after the crackdown, this latest incident marks a significant new blow to its credibility and security posture.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543