One of the most significant breaches of a cybercriminal group to date was executed against the LockBit ransomware gang.
The group’s dark web infrastructure was compromised by a lone actor using the alias “xoxo” from Prague. The actor defaced their affiliate panels with the message: “Don’t do crime; crime is bad. Xoxo from Prague.”
The breach exposed highly sensitive backend data from LockBit’s operations, marking a significant blow to one of the most notorious ransomware-as-a-service (RaaS) groups active today. The leaked assets include:
- Internal chat logs between LockBit operators and victims
- 4,442 negotiation transcripts dating from December 2024 to April 2025
- Affiliate wallet addresses and 59,975 Bitcoin payment destinations
- Private decryption keys, ransomware payload metadata, and build configurations
- Panel login attempts, routing paths, and configuration details
- Names of targeted companies and technical artefacts of ransomware deployment
A SQL dump file of the group’s MySQL database, paneldb_dump.sql, was made publicly accessible and allegedly hosted on a GitHub repository.
LockBit ransomware confirms the legitimacy of the hack.
The LockBit ransomware organisation’s public blog, still accessible, published a statement in Russian acknowledging the hack. The group claimed that only a “lite panel” with public auto-registration had been breached and insisted that no company data or private keys had been compromised. This contrasts with analyses of the dump that point to leaked decryption keys and internal tooling.
LockBitSupp, the group’s primary spokesperson, confirmed the attack and offered a bounty for verified information about “xoxo.” The gang also reported investigating the incident and rebuilding its compromised infrastructure.
This leak delivers unprecedented insight into the internal workings of a major ransomware operation. Analysts, incident responders, and law enforcement agencies now have access to valuable intelligence, including:
- Ransom negotiation techniques
- Deployment and encryption behaviours
- Affiliate identities and operational roles
- Cryptocurrency tracing possibilities through exposed Bitcoin addresses
The leak also lists 75 affiliate and administrator accounts whose credentials, many stored in plaintext, may allow individual operatives to be tracked.
Organisations previously targeted by LockBit, and those operating in high-risk sectors, should take immediate steps to strengthen their defences. This includes ingesting leaked indicators such as Bitcoin wallet addresses and file hashes into existing SIEM and threat intelligence platforms to improve detection coverage.
Security teams should also reassess historical LockBit-related incidents for signs of wallet reuse or recurring encryption patterns that may now be easier to trace.
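One concrete way to do both of the steps above, as an added example that is not part of the original article and not code from the leak itself: pull Bitcoin address candidates out of a dump file, drop anything that fails the address checksum (truncated or mangled strings would otherwise pollute a SIEM watchlist), deduplicate, and then sweep historical ransom notes for any watchlisted address. The dump fragment, table name and note texts below are constructed for illustration and are not taken from paneldb_dump.sql; the two valid addresses are public well-known examples (the genesis block address and the BIP173 test vector).

```python
"""Extract, validate and cross-match Bitcoin addresses from a leaked SQL dump.

Hypothetical example. SAMPLE_DUMP and SAMPLE_NOTES are constructed stand-ins,
not rows from the real paneldb_dump.sql.
"""
import hashlib
import re

# Constructed stand-in for a few rows of a leaked panel database. Row 3 is a
# one-character corruption of row 1; row 4 is a duplicate of row 1.
SAMPLE_DUMP = """
INSERT INTO `btc_addresses` VALUES (1,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',12);
INSERT INTO `btc_addresses` VALUES (2,'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4',12);
INSERT INTO `btc_addresses` VALUES (3,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb',17);
INSERT INTO `btc_addresses` VALUES (4,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',12);
"""

# Constructed ransom-note text from earlier (hypothetical) incidents.
SAMPLE_NOTES = {
    "incident-2024-03-ransom.txt": "Pay 2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72h",
    "incident-2023-11-ransom.txt": "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNc",
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Legacy P2PKH/P2SH (base58, starts with 1 or 3) or native segwit (bc1...).
ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,87})\b")


def base58check_ok(addr: str) -> bool:
    """Base58Check: version(1) + hash160(20) + first 4 bytes of double-SHA256."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # fixed width restores leading zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_ok(addr: str) -> bool:
    """BIP173/BIP350 checksum for bc1 addresses (bech32 and bech32m accepted)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")
    if hrp != "bc" or len(data) < 6:
        return False
    try:
        values = [BECH32.index(c) for c in data]
    except ValueError:
        return False
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            if (top >> i) & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)


def extract_addresses(text: str):
    """Return (valid, rejected): deduplicated candidates split by checksum result."""
    valid, rejected, seen = [], [], set()
    for m in ADDR_RE.finditer(text):
        cand = m.group(0)
        if cand in seen:
            continue
        seen.add(cand)
        ok = bech32_ok(cand) if cand.lower().startswith("bc1") else base58check_ok(cand)
        (valid if ok else rejected).append(cand)
    return valid, rejected


def to_csv_rows(addresses, source="leaked-dump"):
    """Rows suitable for a SIEM/TIP indicator import (header + one row per address)."""
    return ["indicator,type,source"] + [f"{a},btc-address,{source}" for a in addresses]


def wallet_reuse(watchlist, notes):
    """Map each historical note to the watchlisted addresses it mentions."""
    hits = {}
    for note_id, text in notes.items():
        found = [a for a in extract_addresses(text)[0] if a in watchlist]
        if found:
            hits[note_id] = found
    return hits


if __name__ == "__main__":
    valid, rejected = extract_addresses(SAMPLE_DUMP)
    print("\n".join(to_csv_rows(valid, "paneldb_dump.sql")))
    print("rejected (checksum failed):", rejected)
    print("wallet reuse in historical notes:", wallet_reuse(set(valid), SAMPLE_NOTES))
```

Checksum validation is the part worth keeping when adapting this to the real dump: a raw regex over thousands of rows will also pick up truncated strings, transaction IDs that happen to fit the pattern, and typos from negotiation chats, and each false indicator becomes a false positive downstream. Running the same extractor over archived ransom notes and chat exports is the cheapest way to spot wallet reuse across older incidents.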
Given that LockBit’s backend data is now publicly exposed, monitoring for copycat campaigns that replicate the group’s tactics, techniques, and procedures (TTPs) is crucial.
Entities that suspect prior compromise should coordinate promptly with CERTs and law enforcement for guidance and support.
Finally, caution is advised when handling leaked data, especially content shared through open repositories, as it may contain malware or raise legal and ethical concerns.
