LockBit Ransomware Hack: What Caused the Data Breach?

In a significant blow to the notorious LockBit ransomware gang, a massive hack exposed sensitive internal data, including details of 60,000 Bitcoin addresses. This data breach follows recent law enforcement efforts to disrupt the gang’s operations, potentially crippling their ability to carry out further crimes.

Notably, the exposed data includes negotiation chats, admin credentials, and wallet addresses. These critical documents are now publicly available, providing insights into LockBit’s operations.

LockBit Ransomware Gang Data Breach: Details

LockBit’s dark web affiliate panel was recently compromised, resulting in a complete defacement and exposure of sensitive data. The incident was first uncovered by the threat actor, Rey, who wrote on X, “LockBit just got pwned.” Following the breach, the admin panels show a message instead of the usual login screen:

Don’t do crime. CRIME IS BAD. xoxo from Prague”
Along with this message is a link to a downloadable archive: paneldb_dump.zip, which contains a MySQL dump of LockBit’s affiliate portal.

Inside the LockBit Ransomware Database

Notably, the breached database contains 20 tables that reveal the platform’s operations. It includes about 60,000 unique Bitcoin addresses, individual builds created by affiliates for attacks, and configurations used for each build, such as specific servers to skip or files to encrypt. In addition, the data unveils negotiation messages between the LockBit gang and victims, offering a glimpse into their tactics and interactions. Thus, the LockBit Ransomware hack helps an investigator to better understand LockBit’s inner workings.

The incident is unfolding at a time when the crypto market experienced a significant uptrend, mainly driven by Trump’s US-UK trade deal announcement.

What Caused the Hack?

Security researcher Michael Gillespie posited that the data breach occurred due to LockBit ransomware’s lack of proper security measures. The analyst identified that the passwords were kept in plain text, unencrypted, revealing lax security practices, which is ironic given their own malicious activities. This incident follows increasing crypto scams, which forced Australian regulators to shut down 90 companies allegedly linked to pig butchering scams.

Though the identity of the breach’s perpetrator and the method used are still unclear, the similar defacement message used in the Everest ransomware breach suggests a possible link.