LockBit Internal Data Leak Exposes Payload Creation Patterns & Ransom Demands

In May 2025, the cybersecurity community was granted an unprecedented glimpse into the operations of one of the world’s most notorious ransomware groups when LockBit themselves fell victim to a data breach.

The leaked information, made available via a Tor network hidden service on what appeared to be a LockBit ‘onion URL’, exposed a treasure trove of sensitive data including ransomware build records, affiliate communications, victim negotiations, and detailed configuration parameters used in attacks.

LockBit has established itself as a dominant force in the cybercrime ecosystem through its Ransomware-as-a-Service (RaaS) model, which allows individual cybercriminals or small collectives to leverage sophisticated malware tools in exchange for a percentage of successful ransom payments.


This business model has proven extraordinarily effective, enabling the group to scale operations across a vast network of affiliates while maintaining operational security.

LockBit bug bounty program page (Source – Ontinue)

Ontinue researchers identified that although the exposed files were created throughout 2024, they only surfaced in May 2025, providing a retrospective view into approximately six months of LockBit operations.

Analysis of the data revealed nearly 60,000 Bitcoin wallet addresses, over 4,400 negotiation transcripts with victims, and extensive customization records showing how different affiliates configured their payloads for specific targets.

The leak also links affiliate usernames to specific attacks. Those identifiers can be cross-referenced with earlier law enforcement action, notably Operation Cronos, in which the UK’s National Crime Agency infiltrated the group’s infrastructure and published a list of affiliate identifiers.

Operation Cronos (Source – Ontinue)

Inside the Payload Creation Process

The most technically revealing aspect of the leak is the detailed “builds” table that logs every ransomware payload generated through the LockBit affiliate panel.

Lockbit onion URL (Source – Ontinue)

Each build is stored as a JSON record that exposes the group’s configuration options. Affiliates can customize their attacks through modular components that are enabled or disabled according to the target.

{
    "userid": 3,
    "comment": "Hello",
    "company_website": "example.com",
    "crypted_website": "[encrypted string]",
    "revenue": "10kk",
    "delete_decryptor": true,
    "type": 25,
    "created_at": "2024-12-18 20:05:23"
}

The configuration options cover encryption behavior, stealth mechanisms, and post-infection cleanup.

Parameters such as “quiet_mode” suppress execution output to reduce the chance of detection, while “delete_decryptor” determines whether the malware removes its decryption capability from the host after encryption, a setting an incident responder should check before assuming anything recoverable was left behind.

Particularly notable is the “revenue” field, which indicates the affiliate’s intended ransom demand rather than actual payment received.

Analysis of these configurations shows affiliates targeting specific sectors with customized approaches.

The most prolific LockBit affiliate (ID 42, username “Ashlin”) generated the highest number of payloads, while another affiliate (ID 14) targeted fewer victims but with significantly higher average ransom demands of $42.2 million per target.
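The per-affiliate figures above come from aggregating the "builds" table by "userid" and normalizing the free-text "revenue" field. The following is an added example of how such an aggregation can be done, written for this article and not code from Ontinue or from the leaked panel. It assumes the leak's rows can be fed in as JSON lines, that "quiet_mode" is a boolean field alongside "delete_decryptor", and that the "kk" shorthand seen in "10kk" follows the common Russian-language convention of k = thousand and kk = million; all of those are assumptions, and the sample rows are constructed, not real leak data.

```python
import json
import re
from collections import defaultdict
from statistics import mean

# Constructed sample rows in the shape of the leaked "builds" records.
# Only the field names follow the article; every value is invented.
SAMPLE_BUILDS = """
{"userid": 3, "comment": "Hello", "company_website": "example.com", "revenue": "10kk", "delete_decryptor": true, "quiet_mode": false, "type": 25, "created_at": "2024-12-18 20:05:23"}
{"userid": 3, "comment": "", "company_website": "example.org", "revenue": "500k", "delete_decryptor": false, "quiet_mode": true, "type": 25, "created_at": "2024-12-19 08:11:02"}
{"userid": 14, "comment": "big one", "company_website": "example.net", "revenue": "40000000", "delete_decryptor": true, "quiet_mode": true, "type": 25, "created_at": "2024-11-02 13:40:10"}
{"userid": 14, "comment": "", "company_website": "example.edu", "revenue": "$44.4M", "delete_decryptor": true, "quiet_mode": true, "type": 25, "created_at": "2024-11-30 17:05:44"}
{"userid": 42, "comment": "", "company_website": "example.co", "revenue": "n/a", "delete_decryptor": false, "quiet_mode": false, "type": 25, "created_at": "2024-10-07 09:00:00"}
"""

# Assumed suffix conventions: "k" = thousand, "kk" = million (k applied twice),
# "kkk" = billion, plus the Western "m"/"mln"/"mil" and "b" spellings.
_SUFFIX_MULT = {
    "k": 1_000, "kk": 1_000_000, "kkk": 1_000_000_000,
    "m": 1_000_000, "mln": 1_000_000, "mil": 1_000_000, "b": 1_000_000_000,
}
# Longest alternatives first so "kk" is not matched as "k" + leftover.
_REVENUE_RE = re.compile(r"^\$?([0-9]+(?:\.[0-9]+)?)(kkk|kk|k|mln|mil|m|b)?$")


def parse_revenue(raw):
    """Normalize the free-text 'revenue' (intended ransom demand) to integer USD.

    Returns None for values that carry no usable amount (e.g. "n/a", empty).
    Commas are treated as thousands separators, a dot as the decimal point.
    """
    if raw is None:
        return None
    text = str(raw).strip().lower().replace(" ", "").replace(",", "")
    match = _REVENUE_RE.match(text)
    if not match:
        return None
    number, suffix = match.groups()
    value = float(number) * _SUFFIX_MULT.get(suffix or "", 1)
    return int(round(value))


def summarize_builds(jsonl_text):
    """Aggregate build records per affiliate userid.

    For each affiliate: number of builds, how many carried a parseable demand,
    the average demand, and how often the stealth/cleanup flags were set.
    """
    per_affiliate = defaultdict(
        lambda: {"builds": 0, "demands": [], "delete_decryptor": 0, "quiet_mode": 0}
    )
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        stats = per_affiliate[rec["userid"]]
        stats["builds"] += 1
        amount = parse_revenue(rec.get("revenue"))
        if amount is not None:
            stats["demands"].append(amount)
        if rec.get("delete_decryptor"):
            stats["delete_decryptor"] += 1
        if rec.get("quiet_mode"):
            stats["quiet_mode"] += 1

    summary = {}
    for userid, s in per_affiliate.items():
        summary[userid] = {
            "builds": s["builds"],
            "priced_builds": len(s["demands"]),
            "avg_demand_usd": mean(s["demands"]) if s["demands"] else None,
            "delete_decryptor_rate": s["delete_decryptor"] / s["builds"],
            "quiet_mode_rate": s["quiet_mode"] / s["builds"],
        }
    return summary


def rank_by_builds(summary):
    """Return userids ordered from most to fewest generated payloads."""
    return sorted(summary, key=lambda uid: summary[uid]["builds"], reverse=True)


if __name__ == "__main__":
    result = summarize_builds(SAMPLE_BUILDS)
    for uid in rank_by_builds(result):
        print(uid, result[uid])
```

Keeping "priced_builds" separate from "builds" matters when reading averages: an affiliate whose rows mostly say "n/a" will show a high average computed from very few data points, which is exactly the kind of skew that a headline figure like "$42.2 million per target" can hide.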

The leak also exposes LockBit’s recruitment tactics, with affiliates concluding ransom notes with invitations to “start your pentester billionaire journey in 5 minutes with us,” revealing how these criminal organizations continue to attract new technical talent despite increasing law enforcement pressure.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.