LockBit Ransomware Admin Panel Hacked, Leaks Reveal Inside Details

Private messages, Bitcoin addresses, victim data, and attacker information were leaked after someone hacked a LockBit admin panel.

Information that can be highly valuable to law enforcement and the cybersecurity community was leaked after someone hacked into an administration panel used by the LockBit ransomware operation.

The hack came to light on May 7, when a domain associated with a LockBit administration panel was defaced to display a message that read “Don’t do crime, crime is bad xoxo from Prague”. The defaced page also included a link to an archive file containing information taken from the compromised server.

The leaked data includes private messages between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, details about attacks, and information on malware and infrastructure.

Several cybersecurity experts have analyzed the leaked data. Christiaan Beek, senior director of threat analytics at Rapid7, noted that the Bitcoin addresses could be useful to law enforcement.

In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, explained how the leaked data could be valuable for the cybersecurity community. 

The expert said the user data included in the leak likely pertains to affiliates or administrators of the ransomware operation. Searchlight Cyber has identified 76 records, including usernames and passwords, in the published data. 

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan said.

He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.”

Searchlight Cyber has identified 208 conversations between LockBit affiliates and victims. The messages, which date from December 2024 to April 2025, could be “valuable for learning more about how LockBit’s affiliates negotiate with their victims”.

Indeed, Rapid7’s Beek pointed out that the leaked chats show how aggressive LockBit affiliates were during ransom negotiations.

“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek said.

As for who is behind the LockBit hack, Searchlight Cyber’s Donovan pointed out that the defacement message is the same as the message displayed last month on the hacked website of a different ransomware group, Everest.

“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” the expert said.

A statement posted on LockBit’s leak website on May 8 confirmed the compromise of an administration panel, but downplayed the impact, saying that decryptors or sensitive data from victims were not impacted. 

LockBitSupp, the mastermind behind the LockBit operation, who authorities say is Russian national Dmitry Yuryevich Khoroshev, said he is willing to pay for information on the identity of the individual who carried out the attack. 

Law enforcement agencies worldwide have been taking action to disrupt LockBit, but despite delivering a major blow last year, the cybercrime operation is still active and continues to pose a threat to organizations.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
