Security researchers are analysing data leaked from the LockBit ransomware operation last week, and there’s a lot to unpack.
Prolific ransomware operator LockBit got a taste of its own medicine last week, when its darknet leak site was defaced and its infrastructure hacked and leaked – possibly by another ransomware gang.
The brief defacement replaced LockBit’s usual list of victims with a simple message: “Don’t do Crime CRIME IS BAD xoxo from Prague.”
Also included was a link to a leaked SQL file related to the gang’s control panel for its ransomware tools. The defacement has since been rectified, with one of LockBit’s administrators even going so far as to offer money to anyone who could share the identity of the hacker.
The damage, however, was done, and since then, security analysts from threat intelligence platform Flashpoint have been poring over the contents of the leak. The database features several tables that offer a unique window into LockBit’s operations, including its size.
A table, labelled Users, lists 75 individuals linked to the gang, most likely a combination of LockBit administrators and affiliates. Usernames are listed, alongside plaintext passwords and TOX messenger IDs.
Another table, Builds, appears to list metadata related to ransomware builds linked to discrete victims. There are more than 630 domains listed, and while many do appear to be victims, quite a few are used for testing various builds.
One table tracks possible attempts at exploiting LockBit’s user panel, while another features invite links or tokens, most likely generated to share with victims so they can enter into ransom negotiations. Each link or token is tied to a specific Monero or bitcoin address. A table dedicated to bitcoin addresses lists approximately 60,000 wallets.
The leaked database also includes a table called Chats, which appears to contain messages between LockBit and its victims. There are 4,423 unique messages stored within the table.
Flashpoint has compared the LockBit data leak with previous leaks from ransomware gangs, including Conti in 2022 and BlackBasta in 2025, and has so far found no overlaps in the data.
However, analysis of this leak remains ongoing, and more data will likely come to light as that work continues.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.