Cyberattack on LockBit Ransomware Group Resulted in Operations Database Exposure

The LockBit ransomware group has been very active, launching numerous attacks, but it has now suffered a hacking and data leak incident of its own. An unidentified hacker accessed the control panel used by the group’s affiliates, left the message “Don’t do crime CRIME is BAD xoxo from Prague,” and included a URL for an SQL database.

The database did not contain protected health information (PHI). It contains sensitive internal operations information from between December 2024 and April 2025. It holds a record of 75 affiliates and administrators who used the affiliate panel, along with their plaintext passwords. The database also includes the following: profiles of victims, projected income, domains, and 4,492 conversations between LockBit and its victims concerning ransom negotiations; 59,975 Bitcoin addresses; customized ransomware builds used by affiliates for their attacks; encryption references; and a list of the group’s victims from the beginning of December 2024 to the end of April 2024.

A threat actor with the nickname Rey identified the hack and shared his findings on X on May 7, 2025. LockBitSupp, the operator of the LockBit operation, apparently confirmed the hacking incident to Rey, but stated that company information was not ruined and that ransomware source code and decryptors were not exposed.

LockBit has been the target of an ongoing law enforcement operation (Operation Cronos) that has significantly affected all stages of the group’s activities. Law enforcement agencies from 10 nations took part in the operation and reported in February 2024 the arrest of 2 people, the closure of 14,000+ rogue accounts, the takedown of 34 servers, the seizure of the ransomware group’s technical infrastructure and data leak website, and the freezing of over 200 cryptocurrency accounts.

The authorities also seized the decryption keys, permitting the creation of a free decryptor so that previous victims can eventually recover their data. The operation seriously damaged the group’s standing and capabilities, and the most recent hacking incident will result in more reputational harm. The exposed database also gives the authorities and security experts invaluable information about the group’s activities.

It is uncertain who is responsible for the data leak, though it seems the same cyber actor is responsible for a similar attack on the Everest ransomware group. That attack resulted in the compromise of the Everest dark web data leak site, and the same message was left: “Don’t do crime CRIME is BAD xoxo from Prague.” A hacktivist or a member of a rival ransomware group may be behind the attack, aiming to undermine the standing of the competition.

The DragonForce ransomware cartel is also a possible culprit. It is a relatively new ransomware group that is actively recruiting affiliates. The group has just begun promoting a white-label model of its infrastructure to other ransomware-as-a-service groups in exchange for a portion of ransom payments. DragonForce is the ransomware group responsible for a recent series of ransomware attacks on leading UK retailers, such as the Co-op group, Harrods, and Marks & Spencer (M&S).

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone