LockBit Hacked

The notorious LockBit ransomware gang's website has been hacked. On May 7, 2025, the group's dark web affiliate panels were defaced with the message "Don't do crime CRIME IS BAD xoxo from Prague," accompanied by a link to a MySQL database dump containing highly sensitive operational data.

The breach has exposed LockBit’s extensive criminal infrastructure, including 59,975 unique Bitcoin wallet addresses, private encryption keys, over 4,400 victim negotiation messages dating from December 2024 through April 2025, and affiliate details. 

Security researchers analyzing the leaked database confirmed the authenticity of the data. The LockBit operator known as “LockBitSupp” reluctantly acknowledged the breach while claiming no private keys were compromised.


This incident follows the February 2024 “Operation Cronos,” during which international law enforcement agencies seized 34 servers, stolen data, and affiliate panels from LockBit. Despite that setback, the group managed to rebuild its operations until the latest breach.

Critical CVEs Revealed in Attack Chain

According to Qualys Threat Research Unit, an investigation of the disclosed information revealed an extensive list of 20 major CVEs that LockBit frequently exploits in its attacks.

The vulnerabilities span multiple vendors and technologies:

  • Citrix: CVE-2023-4966 (NetScaler ADC/Gateway) and CVE-2019-19781
  • PaperCut: CVE-2023-27351 and CVE-2023-27350 (MF/NG)
  • Microsoft: CVE-2022-21999 (Print Spooler), CVE-2021-36942 (Windows LSA), CVE-2021-34523/34473/31207 (Exchange Server), CVE-2020-1472 (Netlogon), CVE-2019-0708 (Remote Desktop Services)
  • VMware: CVE-2022-22965 (Spring Framework)
  • Apache: CVE-2021-44228 (Log4j2)
  • F5 Networks: CVE-2021-22986 (BIG-IP)
  • SonicWall: CVE-2021-20028 (SMA Firmware) and CVE-2019-7481 (SMA100)
  • Fortinet: CVE-2018-13379 (FortiOS SSL VPN)
  • Ivanti: CVE-2019-11510 (Pulse Connect Secure)
  • Fortra: CVE-2023-0669 (GoAnywhere MFT)
  • Potix: CVE-2022-36537 (ZK Framework)

The leaked negotiations also revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering 10-20% discounts to victims who pay in this privacy-focused digital currency rather than Bitcoin. 

Ransom demands typically ranged from $4,000 for smaller incidents to $150,000 for major attacks.

The data breach further exposed LockBit’s targeting of often-overlooked systems, including Veeam backup infrastructure, VMware vCenter Server and ESXi environments, NAS devices, and file transfer tools like FileZilla and WinSCP. 

This multi-vector approach has contributed to LockBit becoming the most prolific ransomware group globally, responsible for an estimated 44% of all ransomware incidents in early 2023.

"This breach provides an unprecedented look into LockBit's operations and preferred attack vectors," researchers said. "Organizations should immediately prioritize patching these 20 critical vulnerabilities while also securing backup infrastructure, which appears to be a deliberate target in LockBit's attack chain."
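The recommendation above (patch the 20 listed CVEs first, and treat backup and virtualization hosts as high-value) can be turned into a simple triage step over a vulnerability-scanner export. The following is an added example, not code from the article or from Qualys: it encodes the article's 20 CVEs (the compressed "CVE-2021-34523/34473/31207" entry expanded into its three IDs), ranks hosts so that LockBit-exploited CVEs on backup, vCenter, ESXi, NAS or file-transfer hosts come first, and runs over a constructed CSV of hypothetical hosts. The CSV column layout, the host names, the `role` values and the placeholder `CVE-0000-xxxx` IDs are all assumptions made for the example.

```python
"""Triage scanner findings against the CVEs the article attributes to LockBit.

Added example; the CSV format, host names and role labels are assumptions.
"""
import csv
import io
from collections import defaultdict

# The 20 CVEs the article lists (Qualys TRU attribution). Product labels are
# the article's own; CVE-2019-19781 is given only as "Citrix" on the page.
LOCKBIT_CVES = {
    "CVE-2023-4966": "Citrix NetScaler ADC/Gateway",
    "CVE-2019-19781": "Citrix",
    "CVE-2023-27351": "PaperCut MF/NG",
    "CVE-2023-27350": "PaperCut MF/NG",
    "CVE-2022-21999": "Microsoft Print Spooler",
    "CVE-2021-36942": "Microsoft Windows LSA",
    "CVE-2021-34523": "Microsoft Exchange Server",
    "CVE-2021-34473": "Microsoft Exchange Server",
    "CVE-2021-31207": "Microsoft Exchange Server",
    "CVE-2020-1472": "Microsoft Netlogon",
    "CVE-2019-0708": "Microsoft Remote Desktop Services",
    "CVE-2022-22965": "VMware Spring Framework",
    "CVE-2021-44228": "Apache Log4j2",
    "CVE-2021-22986": "F5 BIG-IP",
    "CVE-2021-20028": "SonicWall SMA Firmware",
    "CVE-2019-7481": "SonicWall SMA100",
    "CVE-2018-13379": "Fortinet FortiOS SSL VPN",
    "CVE-2019-11510": "Ivanti Pulse Connect Secure",
    "CVE-2023-0669": "Fortra GoAnywhere MFT",
    "CVE-2022-36537": "Potix ZK Framework",
}

# Host roles the article names as often-overlooked LockBit targets
# (Veeam backup, vCenter/ESXi, NAS, file-transfer tools). Labels are assumed.
HIGH_VALUE_ROLES = {"backup", "vcenter", "esxi", "nas", "file-transfer"}

# Constructed scanner export: hypothetical hosts, CVE-0000-* are placeholders.
SAMPLE_SCAN = """\
host,role,cve,cvss
bkp01.corp.example,backup,CVE-2023-27350,9.8
bkp01.corp.example,backup,CVE-0000-0001,5.3
vc01.corp.example,vcenter,CVE-2021-44228,10.0
mail01.corp.example,mail,CVE-2021-34473,9.8
mail01.corp.example,mail,CVE-2021-34523,9.8
mail01.corp.example,mail,CVE-2021-31207,7.2
web01.corp.example,web,CVE-0000-0002,7.5
"""


def normalise_cve(cve: str) -> str:
    """Scanner exports vary in case and whitespace; compare on a canonical form."""
    return cve.strip().upper()


def prioritise(scan_csv: str) -> list:
    """Group findings per host and assign a patch-priority tier.

    Tier 1: LockBit-exploited CVE on a high-value (backup/virtualization/NAS/
            file-transfer) host.
    Tier 2: LockBit-exploited CVE on any other host.
    Tier 3: only CVEs outside the article's list.
    Returned list is sorted by tier, then by number of matching CVEs, then host.
    """
    hosts = defaultdict(lambda: {"role": "", "lockbit": [], "other": []})
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = normalise_cve(row["cve"])
        rec = hosts[row["host"].strip()]
        rec["role"] = row["role"].strip().lower()
        score = float(row["cvss"])
        if cve in LOCKBIT_CVES:
            rec["lockbit"].append((cve, LOCKBIT_CVES[cve], score))
        else:
            rec["other"].append((cve, score))

    result = []
    for host, rec in hosts.items():
        if rec["lockbit"] and rec["role"] in HIGH_VALUE_ROLES:
            tier = 1
        elif rec["lockbit"]:
            tier = 2
        else:
            tier = 3
        scores = [s for _, _, s in rec["lockbit"]] + [s for _, s in rec["other"]]
        result.append({
            "host": host,
            "role": rec["role"],
            "tier": tier,
            "lockbit_cves": sorted(c for c, _, _ in rec["lockbit"]),
            "products": sorted({p for _, p, _ in rec["lockbit"]}),
            "max_cvss": max(scores),
        })
    result.sort(key=lambda r: (r["tier"], -len(r["lockbit_cves"]), r["host"]))
    return result


if __name__ == "__main__":
    for entry in prioritise(SAMPLE_SCAN):
        print(f"tier {entry['tier']}  {entry['host']:<22} role={entry['role']:<9} "
              f"lockbit={','.join(entry['lockbit_cves']) or '-'}  "
              f"max_cvss={entry['max_cvss']}")
```

Run it as-is to see the constructed report; in practice, feed it the CSV export of your own scanner and extend `HIGH_VALUE_ROLES` to match the role labels in your asset inventory. Note that the tiering deliberately ranks a single listed CVE on a backup host above three listed CVEs on a mail server, reflecting the researchers' point that backup infrastructure is a deliberate target rather than ranking by CVE count or CVSS alone.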

The breach occurs just three months after U.S. authorities identified and sanctioned alleged LockBit leader Dmitry Khoroshev, a 31-year-old Russian national who remains at large with a $10 million bounty for information leading to his arrest.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.