Hackers Breach LockBit and Publish Data of 60,000 Bitcoin Addresses

Unprecedented Data Leak Reveals Financial Infrastructure of One of the Largest Ransomware Groups

Hackers have successfully attacked the infrastructure of the notorious ransomware group LockBit, resulting in the public release of an extensive database containing 59,975 Bitcoin addresses, 4,442 negotiation sessions with victims, and attack configurations. This was reported by Bleeping Computer. A message from the hackers appeared on the group’s shadow forums: “Don’t commit crimes. CRIME IS BAD xoxo from Prague.” The administrator and developer of LockBit, Dmitry Khoroshev, known by the nickname LockBitSupp, confirmed the breach but claims that the private keys of the wallets were not compromised. This incident could have serious consequences for the group’s operational activities and is of significant interest to law enforcement agencies worldwide.

Scale of the Leak: What Hackers and the Global Community Obtained

According to a researcher known by the nickname Rey, the scale of the leak is considerable and covers several critical components of LockBit’s infrastructure. First and foremost, there are tables of Bitcoin wallets that likely belong to affiliates and are used within the group’s infrastructure. Attack configurations were also exposed, including lists of servers and of files to be encrypted.

Chat logs with ransom demands are of particular value to researchers and law enforcement agencies, as they may contain details of negotiations with victims and information about ransom amounts. Additionally, data of 75 administrators and partners of LockBit was published, including their passwords stored in plain text.

“This leak provides an unprecedented look into the inner workings of one of the most dangerous ransomware groups of our time,” comments Alexander Petrov, an expert in cybersecurity and malware analysis. “Especially valuable are the Bitcoin addresses, which can help track the group’s financial flows and potentially identify participants.”

Analysis conducted by Bleeping Computer specialists showed that the leak occurred on April 29. The group’s servers were using a vulnerable version of PHP 8.1.2, which was likely a key factor contributing to the successful attack. Specialists note that the signature of the attackers matches the hack of the Everest darknet site, which also occurred in April, possibly indicating a connection between these incidents.

“Using an outdated and vulnerable version of PHP for critical infrastructure is a serious mistake that highlights that even experienced cybercriminals can neglect basic security principles,” notes Maria Sokolova, a computer forensics specialist. “This negligence provided an opportunity for white hat hackers or intelligence services to penetrate their systems.”

LockBit Under Attack: History and Context of the Cyber Attack

LockBit is considered one of the most dangerous and active ransomware groups in recent years. The group uses a Ransomware-as-a-Service (RaaS) model, providing its malware to partners who conduct attacks and share the obtained ransoms with the program’s creators. This approach has allowed LockBit to significantly expand the scale of its operations and become one of the dominant forces in the ransomware market.

The current incident is not the first serious attack on LockBit’s infrastructure. In February 2024, the UK’s National Crime Agency (NCA), together with international partners, partially seized the ransomware group’s infrastructure and froze 200 cryptocurrency wallets associated with the group. This operation, codenamed “Cronos,” was a significant blow to LockBit’s operational capabilities, but the group quickly recovered.

“LockBit demonstrates extraordinary resilience to law enforcement operations,” explains Dmitry Volkov, director of cybercrime research. “After the February operation, many expected the group to disappear, as happened with REvil and other ransomware after similar operations. However, LockBit quickly restored its infrastructure and continued attacks.”

The recent hack, however, could be more destructive to the group’s operational security. While in February, law enforcement agencies primarily attacked the technical infrastructure, the current leak reveals personal data of participants and the group’s financial system.

Particularly interesting is the fact that the attackers left the message “xoxo from Prague,” which could indicate a Czech trace in the attack. However, experts warn that such indications of geographical origin are often used for disinformation and distraction.

Implications for the Cryptocurrency Market and Law Enforcement

The publication of nearly 60,000 Bitcoin addresses linked to LockBit opens new possibilities for tracking the ransomware group’s financial flows. Although administrator LockBitSupp claims that private keys were not compromised, the identification of addresses alone allows blockchain analysts to trace transactions and potentially link them to real individuals.

“Modern blockchain analysis tools allow building complex transaction graphs and identifying patterns characteristic of specific groups,” explains Elena Ivanova, a cryptocurrency analytics specialist. “The publication of such an extensive list of addresses will significantly expand our knowledge of LockBit’s financial ecosystem and possibly other related groups.”
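The transaction-graph analysis described above can be illustrated with a small worked example. The code below is added here and is not part of the article, nor does it represent any real LockBit data or the tooling the quoted experts use; all addresses, transactions and amounts are constructed stand-ins. It applies the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) to expand a seed list of published addresses into a watchlist, totals the funds the watchlist received from outside it (the analogue of victim payments), and follows outflows a fixed number of hops to find where consolidated funds go, which is the kind of signal an exchange compliance team would use to block deposits.

```python
"""Common-input-ownership clustering over a constructed transaction set.

Added example, not from the article. All addresses, txids and amounts
are constructed for illustration and correspond to nothing real.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample. Each tx lists its input addresses and its
# (output address, amount in BTC) pairs. The shapes mimic two ransom
# payments, a consolidation of one of them with an unknown wallet, and
# a later transfer to an exchange deposit address.
SAMPLE_TXS: List[dict] = [
    {"txid": "tx1", "inputs": ["victim_1"], "outputs": [("leak_A", 1.5)]},
    {"txid": "tx2", "inputs": ["victim_2"], "outputs": [("leak_B", 0.8)]},
    # leak_A and unk_X are spent together, so they are assumed co-owned
    {"txid": "tx3", "inputs": ["leak_A", "unk_X"], "outputs": [("unk_Y", 2.0)]},
    {"txid": "tx4", "inputs": ["unk_Y"], "outputs": [("exchange_dep", 1.9)]},
    {"txid": "tx5", "inputs": ["other_1"], "outputs": [("other_2", 3.0)]},
]

# Stand-in for a published address table (constructed, not the real leak)
LEAKED_ADDRESSES: Set[str] = {"leak_A", "leak_B"}


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs: Iterable[dict]) -> Dict[str, str]:
    """Map every address seen to its cluster representative.

    Only the common-input heuristic is applied; no change-address
    heuristic, so output addresses start as singleton clusters.
    """
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins[1:]:
            uf.union(ins[0], addr)
        for addr in ins:
            uf.find(addr)
        for addr, _ in tx["outputs"]:
            uf.find(addr)
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def expand_watchlist(txs: List[dict], seed: Set[str]) -> Set[str]:
    """Every address sharing a cluster with any seed address."""
    roots = cluster_by_common_input(txs)
    seed_roots = {roots[a] for a in seed if a in roots}
    return {a for a, r in roots.items() if r in seed_roots} | set(seed)


def inbound_from_outside(txs: List[dict], watchlist: Set[str]) -> float:
    """Total BTC paid into the watchlist by addresses outside it."""
    total = 0.0
    for tx in txs:
        if any(i in watchlist for i in tx["inputs"]):
            continue  # internal shuffle, not an inbound payment
        total += sum(amt for addr, amt in tx["outputs"] if addr in watchlist)
    return round(total, 8)


def downstream(txs: List[dict], watchlist: Set[str], hops: int) -> Set[str]:
    """Addresses reachable from the watchlist within `hops` spends."""
    frontier: Set[str] = set(watchlist)
    seen: Set[str] = set()
    for _ in range(hops):
        nxt: Set[str] = set()
        for tx in txs:
            if any(i in frontier for i in tx["inputs"]):
                nxt.update(a for a, _ in tx["outputs"])
        nxt -= watchlist | seen
        seen |= nxt
        frontier = nxt
    return seen


if __name__ == "__main__":
    wl = expand_watchlist(SAMPLE_TXS, LEAKED_ADDRESSES)
    print("watchlist:", sorted(wl))
    print("inbound BTC:", inbound_from_outside(SAMPLE_TXS, wl))
    print("2-hop outflows:", sorted(downstream(SAMPLE_TXS, wl, 2)))
```

On the constructed data the seed list of two addresses grows to three (unk_X is pulled in by the shared-input spend in tx3), the inbound total is the two ransom-sized payments, and two hops of outflow tracing reach the exchange deposit address. The heuristic is deliberately conservative: it never merges addresses that were only paid by the same source, and it produces false positives on CoinJoin-style transactions, which real analysis tooling has to detect and exclude.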

Moreover, logs of negotiations with victims can provide law enforcement with information about who paid ransoms and in what amounts. This could potentially lead to new investigations and arrests not only of LockBit participants but also their accomplices.

On the other hand, the leak creates certain risks for ransomware victims as well. Negotiation data may contain confidential information about companies that chose to quietly pay a ransom without publicly disclosing the attack. Now this information could become public knowledge.

“Companies that paid ransoms to LockBit may now face additional reputational and regulatory risks,” warns Sergei Novikov, a cybersecurity lawyer. “In some jurisdictions, paying a ransom to cybercriminals can have legal consequences, especially if the group is under sanctions.”

For law enforcement agencies, the leak represents a valuable resource in the fight against ransomware. The obtained data can help in tracking LockBit participants and their partners, as well as in blocking the group’s financial flows. Furthermore, analysis of attack configurations can help in developing more effective defensive measures against future attacks not only by LockBit but also other ransomware using similar techniques.

“This leak is a real gold mine for law enforcement and security researchers,” emphasizes Volkov. “But most importantly, it’s a signal to other ransomware groups that even they are not protected from hacking. In a sense, it’s a demonstration of the principle ‘those who sow the wind shall reap the whirlwind’ in the world of cybersecurity.”

In the coming weeks, blockchain analysts and security researchers can be expected to carefully analyze the obtained data, which may lead to new discoveries about the structure and operations not only of LockBit but also the broader ransomware ecosystem. This incident could be a turning point in the ongoing battle against one of the most destructive cyber threats of our time.
