Cryptonews Bitcoin News

Hack Exposes Nearly 60,000 Bitcoin Addresses Linked to LockBit Ransomware Group

A major cybersecurity breach strikes LockBit, leaking internal data, Bitcoin addresses, and affiliate credentials — exposing critical data of one of the world’s most feared ransomware networks.

Journalist

Hassan Shittu

Journalist

Hassan Shittu

About Author

Hassan, a Cryptonews.com journalist with 6+ years of experience in Web3 journalism, brings deep knowledge across Crypto, Web3 Gaming, NFTs, and Play-to-Earn sectors. His work has appeared in...

Author Profile

Last updated:

May 7, 2025

Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

A major breach has rocked the infamous LockBit ransomware gang, exposing nearly 60,000 Bitcoin addresses after hackers defaced its dark web affiliate panels and leaked a trove of internal data online.

The cyberattack, discovered on May 7, 2025, targeted LockBit’s dark web infrastructure, defacing affiliate admin panels and leaking a large internal records database.

What Happened?

So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM
— Rey (@ReyXBF) May 7, 2025

The attackers left behind a message—“Don’t do crime CRIME IS BAD xoxo from Prague”—along with a downloadable MySQL database dump titled paneldb_dump.zip.

Initially flagged by threat actor Rey, the breach was swiftly analysed by cybersecurity experts, who uncovered a wealth of information about LockBit’s operations.

According to Bleeping Computer report, the leaked data includes a massive collection of ransomware infrastructure details. Most notably, it exposes 59,975 unique Bitcoin addresses linked to LockBit.

These addresses are believed to be associated with ransom payments, each typically assigned to individual victims as part of LockBit’s efforts to compartmentalise and obscure the flow of illicit funds.

However, LockBit’s operator, “LockBitSupp” confirmed the breach but insisted that no private keys or additional sensitive data were lost.

Additional data reveals records of detailed logs of ransomware builds created by LockBit affiliates. These records not only document the technical configurations used in various attacks but also include extensive chat logs, over 4,400 negotiation messages between LockBit operators and their victims.

Also among the compromised data were user credentials, including 75 admins and affiliates with access to the affiliate panel, with passwords stored in plaintext.

The exact method used to breach LockBit’s infrastructure remains uncertain. However, Bleeping Computer suggests similarities to a recent hack of the Everest ransomware group, raising suspicions of a common attacker or tactic.

The report noted that the server was running PHP 8.1.2, which is known to be vulnerable to CVE-2024-4577, a critical exploit that could have enabled remote code execution.

LockBit’s Crumbling Empire: Global Crackdown Followed By Leaked Data

The fallout from the breach is likely to be far-reaching. For law enforcement agencies and blockchain forensic teams, the leaked Bitcoin addresses and data offer a new opportunity to trace ransomware payments and potentially identify individuals connected to LockBit.

The breach also delivers a severe reputational blow to LockBit, which has already been weakened by Operation Cronos. The coordinated crackdown led by the U.S. Department of Justice, Europol, and law enforcement agencies worldwide in early 2024 temporarily dismantled its infrastructure.

The operation has already resulted in the freezing of over 200 cryptocurrency accounts linked to LockBit’s ransomware activities.

Authorities have arrested two LockBit actors in Poland and Ukraine, while two affiliates were apprehended and charged in the U.S. The U.S. Treasury’s OFAC also blacklisted ten Bitcoin and Ether addresses tied to the group, with some linked to deposits on exchanges like KuCoin, Binance, and Coinspaid. These sanctions now prohibit U.S. entities from transacting with the individuals or wallets involved.

Key infrastructure used by LockBit, including its websites and ransom negotiation panels, was seized in early 2024. More than 1,000 decryption keys were recovered and are being distributed to victims to help them regain access to encrypted data without paying ransoms.

A major developer behind LockBit’s tools, Rostislav Panev, was arrested in Israel and awaits extradition to the U.S. Panev allegedly built malware and other software for the group and received over $230,000 in crypto. His defence claims he was unaware of how the tools were used, but authorities say he played a central role in enabling the group’s operations.

LockBit, active since 2019, has attacked more than 2,500 victims in 120 countries and reportedly extorted over $120 million globally.