Highlights:
- Hackers from Prague exposed LockBit's internal data and nearly 60,000 BTC addresses in a dark web breach.
- The leaked files include admin passwords and ransomware builds used by LockBit affiliates.
- Authorities have arrested LockBit members and seized crypto wallets in an ongoing crackdown on the gang.
Hackers claiming to be from Prague attacked LockBit’s dark web infrastructure on May 7 and exposed the group’s internal data online. They left behind a message that said, “Don’t do crime CRIME IS BAD xoxo from Prague.” They also shared a MySQL database dump named “paneldb_dump.zip,” which contained thousands of records linked to the ransomware group’s activities.
🚨Hack Exposes Nearly 60,000 #Bitcoin Addresses Linked to LockBit Ransomware Group
Hackers have exposed nearly 60,000 #Bitcoin addresses, plaintext credentials, ransom negotiation chats, and detailed affiliate activity logs tied to LockBit. $BTC #crypto pic.twitter.com/VzH0NwMyV4
— CryptOpus (@ImCryptOpus) May 8, 2025
Threat actor Rey flagged the breach, and cybersecurity teams immediately began analyzing the data. According to SlowMist, the package included over 59,000 Bitcoin addresses, about 75 user credentials, and chat logs of ransom negotiations. Experts believe that each address links to a specific ransom demand, which LockBit used to separate and hide crypto transactions from victims.
🚨LockBit got hacked.
Its onion site was breached — the attacker took over the management panel and leaked a packaged file containing the database.
Exposed:
🪙BTC addresses & private keys
💬Internal chat logs
🏢Linked companies info
The attacker left a message:
"Don’t do… pic.twitter.com/ZfI4qeIzLq
— SlowMist (@SlowMist_Team) May 8, 2025
The attackers also accessed a lightweight PHP-based admin panel that LockBit affiliates used to manage ransomware operations. LockBit responded to the incident on its public channel, stating that only the lightweight platform was affected. It added that no decryptors or company data were taken.
While answering further questions, the group admitted that the breach damaged its reputation, but it also claimed the source code remained secure and recovery efforts were underway. Despite the group’s criminal history, LockBit now offers a reward for information about the hacker.
Hacker Exposes Chat Logs and Admin Credentials from LockBit Breach
Security researchers found 20 tables in the leaked database, which revealed extensive details about LockBit’s internal operations. One table listed ransomware builds used by different affiliates, while another showed over 4,400 negotiation messages between victims and operators. The dump also included plaintext passwords and usernames for more than 75 administrators and affiliates.
LockBit’s operator confirmed the hack through a private chat with an X user but emphasized that no private keys were leaked. The conversation matched reports that indicated only platform credentials were compromised. However, the sheer volume of leaked data gives investigators valuable insight into the gang’s methods and tools.
Experts pointed out that the affected server ran PHP version 8.1.2, which is vulnerable to CVE-2024-4577. Analysts suspect the attackers may have exploited this vulnerability to break into LockBit’s systems, although the exact entry point remains unknown.
The attackers left a message similar to the one seen in the recent Everest ransomware hack, suggesting a possible connection between the two incidents. The same individual or group may have carried out both breaches.
Ongoing Law Enforcement Actions Intensify Pressure on LockBit
The new breach comes as international authorities have already taken steps against LockBit. Backed by global agencies, the U.S. Department of Justice spearheaded Operation Cronos, which broke up the gang early last year. Officials seized the websites used by the group. Moreover, they recovered more than 1,000 decryption keys, which they began sharing with affected victims.
Israeli police also arrested Rostislav Panev, a developer accused of creating LockBit’s tools. He allegedly received over $230,000 in crypto for his work, though he claimed he did not know how the tools were used.
Officials froze over 200 crypto accounts tied to LockBit’s funds. They also blocklisted ten wallet addresses. The listed addresses had deposits on Binance, KuCoin, and Coinspaid. These moves limited the gang’s ability to move or cash out their funds across crypto platforms. LockBit has attacked more than 2,500 victims across 120 countries since 2019 and reportedly extorted over $120 million during that time.