LockBit hacked: negotiations leaked, 59 thousand BTC addresses and 4,442 victim chats revealed


By Canuto

The LockBit ransomware group faces one of the biggest leaks in its history after an attack on its dark web panels that exposed thousands of Bitcoin addresses, private communications and credentials. The breach is not only a blow to LockBit’s reputation but also a warning about how insecure even cybercriminals can be on their own turf.
***

  • Attackers hack LockBit’s panels and leak more than 59 thousand Bitcoin addresses and 4,442 chats.
  • Sensitive information about affiliates and the ransomware group’s internal strategies is exposed.
  • The breach is a reputational blow to LockBit, coming after previous police operations.

In recent years, the threat of ransomware gangs has established itself as one of the greatest challenges for global cybersecurity. LockBit, known for its sophistication and its aggressive digital extortion strategy, has regularly made the news for its attacks on companies and institutions around the world, demanding multimillion-dollar ransoms usually denominated in cryptocurrencies such as BTC.

The group operates under an affiliate model, allowing various actors to use its software to launch attacks, share the profits and feed its own criminal ecosystem. Having survived previous takedowns by law enforcement, LockBit seemed unshakeable, until now.

However, in a new twist, LockBit’s own infrastructure was breached, exposing crucial information and what could be the group’s Achilles heel.

The hack: how LockBit was exposed

On May 7, 2025, the outlet BleepingComputer reported that LockBit’s affiliate panels on the dark web had been hacked and defaced. The sites displayed the message “Don’t commit crimes The crime is bad Xoxo from Prague”, accompanied by a link to download a file called “Paneldb_dump.zip”.

This file, analyzed by BleepingComputer’s experts, is a dump of the MySQL database of the LockBit affiliate panel, evidence that the attackers had full administrative access. The database is estimated to have been extracted on April 29, 2025, so it contains recent information on the gang’s operations.

The methods and identities behind the attack are not known with certainty, but the defacement message was identical to the one recently seen in another breach, against Everest ransomware, which suggests the possible involvement of the same actors or a growing trend of attacks among criminals.

What leaked? Technical and human details

The MySQL dump includes twenty relevant tables, many of them focused on LockBit’s operational and financial information. Among the most notable:

  • A “BTC_addresses” table with 59,975 unique Bitcoin addresses, a possible trail of illicit payments or of attempts at financial anonymity.
  • The “Builds” table details each individual build of the ransomware used in attacks, including public keys and, in some cases, the names of target companies.
  • “Builds_configurations” shows specific settings for skipping ESXi servers or selecting which files to encrypt during tailored attacks.
  • The technical jewel: “chats”, a table that exposes 4,442 negotiation messages between LockBit and its victims from December 2024 to April 29, 2025.
  • “Users” reveals 75 administrator and affiliate accounts, with passwords unusually stored in plaintext, such as “Weekendlover69” or “LockBitProuud231”.

Michael Gillespie, who reviewed the users table, confirmed that the passwords were visible unencrypted, something unheard of in advanced cybercrime.

For its part, the operator “LockBitSupp” confirmed the breach in a conversation over Tox, while making a point of stating that “private keys were not leaked, nor was there any loss of major sensitive information”.

Implications of the leak for the ransomware underworld

While the scale of the reputational damage to LockBit is evident, it is still too early to determine whether this hack spells the end for the group. Back in 2024, the international police operation Cronos seized 34 servers related to LockBit, recovered 1,000 decryption keys and obtained key information about its operations. Nevertheless, the group managed to recover after that blow.

This new breach inadvertently exposes the vulnerability of ransomware gangs to attacks from within, by other criminal actors or even intelligence forces. Analysts argue that leaks of this kind breed distrust among affiliates and weaken these organizations’ sense of invulnerability.

In addition, access to chat logs and financial transactions could open the door to investigations and to tracing founders or affiliates, as well as to identifying victims and negotiation tactics.

Context: a growing trend or a vendetta?

The leak against LockBit adds to previous cases of data exposure from gangs such as Conti, Black Basta and Everest, pointing to a surge in attacks aimed at the ransomware groups themselves, whether for economic reasons, rivalry, a quest for power or even by undercover state agents.

For cybersecurity defenders and the blockchain industry, these episodes show the importance of best practices in data management, encryption and credential protection; ironically, even criminals make basic mistakes such as storing passwords in plaintext.

The long-term impact of this leak remains to be seen, but it shows that the dark web and cybercrime, far from being monolithic structures, are volatile ecosystems where the roles of victim and perpetrator can be reversed overnight.



This article was written by an AI content editor and reviewed by a human editor to guarantee quality and precision.
