The ransomware group LockBit, known for numerous extortion attacks, has itself become the victim of a hack. Unknown attackers have overwritten the group's affiliate platforms on the dark web with a clear message: “Don’t do crime. CRIME IS BAD xoxo from Prague.”
Security researcher Rey was the first to report the compromise, in which a link to download a file named “paneldb_dump.zip” was left behind. The file apparently contains a database of the affiliate management portal. Analysis suggests that the dump was created on April 29, while the publicly visible defacement only took place on May 7. So far, no group has claimed responsibility for the attack.
LockBit Representative Confirms the Incident
A spokesperson for the group, known as LockBitSupp, has since confirmed the breach in a conversation with security researcher Rey. However, the spokesperson emphasized that neither private encryption keys nor stolen company data were compromised. According to this account, only Bitcoin addresses and communication with affected companies were stolen.
“The source code is not stolen. I’m already working on getting back to work,” LockBitSupp said. Indeed, the group’s dark web presence is now back online.
Result of Intensive Law Enforcement Measures
The incident follows extensive international actions against LockBit. In early 2024, law enforcement agencies from eleven countries conducted “Operation Cronos,” in which 34 servers were seized, leak websites were shut down, and more than 1,000 decryption keys were secured, allowing victims to restore their data without paying ransom.
Additionally, around 200 cryptocurrency wallets associated with LockBit were seized as part of the operation. Although the group resumed its activities after this blow, its operational capacity appears to be significantly limited.