The cybercriminals behind the ransom-extortion group LockBit seem to have fallen victim to a breach of their own.

The hack came to light on May 7, when all of LockBit’s dark web affiliate panels, used to coordinate cyberattacks, were defaced with the message: “Don’t do crime. CRIME IS BAD xoxo from Prague.”

The defacement also included a link to download a file titled paneldb_dump.zip, containing a database from LockBit’s affiliate management portal.

The file contained:

  • Internal chats between LockBit and its victims.
  • Detailed victim profiles, including domains and estimated revenue.
  • Custom ransomware builds.
  • Bitcoin addresses tied to LockBit’s activities.
  • References to encryption configurations and potential decryption keys.
  • A list of 75 admins and affiliates with access to the affiliate panel.

The database dump seems to have been created around April 29, indicating that LockBit may have been compromised before the defacement on May 7.

In an alleged Tox conversation, LockBit’s main administrator, known as LockBitSupp, reportedly confirmed the hack.

LockBitSupp said that while the defacement was genuine, no private encryption keys or stolen company data were exposed, and no critical operational data was permanently lost.

“The source code is not stolen. I’m already working on getting back to work,” LockBitSupp wrote in the chat.

As of now, LockBit’s site on the dark web has been restored and is once again operational.

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” said Luke Donovan, head of threat intelligence at Searchlight Cyber, of the leak.

“These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example, the types of access they buy to hack organizations.”