“Don’t do crime—CRIME IS BAD xoxo from Prague,” wrote the hackers as they turned the tables on LockBit, one of the world’s most notorious ransomware gangs.
Almost 60,000 Bitcoin addresses tied to LockBit’s ransomware infrastructure were leaked after attackers compromised the group’s dark web affiliate panel.
The breach included a publicly shared MySQL database dump containing crypto-related information that could help blockchain analysts trace the group’s illicit financial flows.
What Was in the Leak
Ransomware is a type of malware that locks a target’s files or systems, with attackers demanding a ransom—usually in Bitcoin—in exchange for a decryption key.
LockBit has gained infamy for its scale. In February 2024, ten countries launched a joint operation to disrupt the group, citing billions in damages caused to key infrastructure.
While nearly 60,000 Bitcoin wallets were leaked, no private keys were included. A LockBit operator confirmed the breach in a conversation shared on X, insisting no private data was lost.
Still, analysts at BleepingComputer said the database contained 20 tables. A “builds” table listed individual ransomware builds created by affiliates and identified several target companies.
A “chats” table revealed over 4,400 negotiation messages between victims and the gang.
Potential Link to Everest Ransomware
The breach may be connected to a recent incident involving the Everest ransomware group. An analyst from BleepingComputer noted that the message used in the LockBit breach matched one used in Everest’s site compromise, suggesting a possible link.
The exposure highlights the critical role crypto plays in the ransomware ecosystem. Victims are typically assigned unique Bitcoin addresses to pay ransoms, which helps attackers monitor transactions while concealing links to core wallets.
With this data now exposed, law enforcement and blockchain investigators may be able to track patterns and link past ransom payments to known wallets.