Infamous Cybercrime Group Exposed in Retaliatory Breach of Dark Web Panel
In a stunning turn of events, nearly 60,000 Bitcoin (BTC) addresses linked to the notorious LockBit ransomware gang were leaked online after unknown hackers breached the group’s affiliate panel on the dark web.
The leak included a full MySQL database dump that contained crypto-related metadata potentially useful for blockchain investigators and law enforcement agencies tracking illicit ransom payments. Analysts say the breach could significantly damage the ransomware network’s financial infrastructure.
A message left by the attackers mocked LockBit, reading:
“Don’t do crime. CRIME IS BAD xoxo from Prague.”
So LockBit just got pwned … xD pic.twitter.com/Jr94BVJ2DM
— Rey (@ReyXBF) May 7, 2025
No Private Keys Leaked, But Damaging Metadata Revealed
While the leak did not include any private keys, meaning the BTC held at those addresses cannot be stolen directly, the metadata revealed in the breach is extensive.
According to analysts at Bleeping Computer, the dumped database included:
- A “builds” table detailing ransomware payloads created by LockBit affiliates
- A “chats” table containing over 4,400 negotiation messages between victims and the group
- A list of targeted companies, offering insights into LockBit’s operational reach
One X user shared screenshots of a conversation with a LockBit operator, who confirmed the breach but claimed no critical data was lost. Nonetheless, the leaked addresses and infrastructure may allow authorities to trace payment patterns, link them to previous attacks, and identify affiliate wallets.
Possible Link to Everest Ransomware Hack
The attackers behind the breach have not been publicly identified. However, Bleeping Computer noted that the message left during this breach matches one used in a recent compromise of the Everest ransomware group, suggesting a possible connection or coordinated retaliation against ransomware actors.
The incident underscores how crypto continues to fuel ransomware operations: a unique Bitcoin wallet address is typically assigned to each victim, which lets the group track ransom payments while obscuring the flow of funds across wallets.
Now that these addresses are exposed, investigators may be able to correlate past ransom payments with known entities or flagged wallets — a significant blow to LockBit’s efforts to remain anonymous.
Final Thoughts: From Predator to Prey
The breach of LockBit’s infrastructure marks a rare reversal of fortunes in the cat-and-mouse game between cybercriminals and investigators.
While no funds appear to have been compromised directly, the exposure of wallet metadata, negotiation logs, and targeting data could give authorities and analysts new insights into the inner workings of one of the world’s most prolific ransomware groups.
As blockchain analysis tools continue to evolve, this breach may prove pivotal in disrupting ransomware networks that rely on the pseudonymity of crypto transactions to operate. In the world of cybercrime, it seems even the most feared players are not immune to being hacked.