LockBit Ransomware Crew Gets Owned—60K Bitcoin Addresses Exposed in Stunning Hack

Cybercriminals just got a taste of their own medicine. The notorious LockBit ransomware operation—responsible for extorting millions from businesses worldwide—has been hacked, leaking 60,000 Bitcoin addresses tied to their illicit operations.

Who hacked the hackers? Details remain scarce, but the breach exposes the gang’s entire financial infrastructure. Security analysts are now tracing transactions—good luck explaining those ’business expenses’ to the taxman.

While crypto purists will cheer this as blockchain transparency in action, Wall Street bankers are probably sulking—after all, these ransomware crews have better profit margins than most hedge funds.

Data exposure in panel dump

According to Rey, citing an analysis from cybersecurity publication BleepingComputer, there were about 20 tables in the leaked database, including a ‘btc_addresses’ table that listed 59,975 unique Bitcoin wallet addresses connected to LockBit’s ransomware payments.

Other notable data in the leak includes a ‘builds’ table, which details the ransomware payloads created by LockBit affiliates. The table includes public encryption keys and, in some cases, names of targeted companies. 

The ‘builds_configurations’ table showed which files or servers affiliates configured their attacks to avoid or encrypt, and several other operational tactics used in previous ransomware campaigns.

As seen in one table dubbed ‘chats,’ there were over 4,400 negotiation messages between LockBit affiliates and victims, spanning from December 19, 2024, to April 29, 2025. 

pic.twitter.com/gjbtzQg9VM

The dump also exposes a ‘users’ table listing 75 LockBit administrators and affiliates with access to the group’s backend panel. Security sleuths were shocked to discover that user passwords were stored in plaintext. 

Cybersecurity researcher Michael Gillespie mentioned some of the exposed passwords, including “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.” 

LockBitSupp, a known operator of the LockBit group, confirmed in a Tox chat with Rey that the breach was real. Still, the operator insisted that no private keys or critical data had been lost. 

Response From LockBitSupp (This is a translated image): pic.twitter.com/l54g1A5hXz

Alon Gal, Chief Technology Officer at Hudson Rock, said the data also includes custom ransomware builds and some decryption keys. According to Gal, if verified, the keys could help some victims recover their data without paying ransoms.

Exploiting server vulnerabilities

An analysis of the SQL dump revealed the affected server was running PHP 8.1.2, a version vulnerable to a flaw identified as “CVE-2024-4577.” The vulnerability allows remote code execution, which explains how attackers were able to infiltrate and exfiltrate LockBit’s backend systems. 

Security professionals believe the style of the defacement message may link the incident to a recent breach of the Everest ransomware site, which used the same “CRIME IS BAD” phrasing. The similarity suggests that the same actor or group may be behind both incidents, though no clear attribution has been confirmed.

The hackers behind the breach have not come forward, but Kevin Beaumont, a UK-based security outfit, said the group DragonForce could be responsible. 

“Somebody has hacked LockBit. I’m going to guess DragonForce,” he wrote on Mastodon.

According to the BBC, DragonForce was allegedly involved in several cyberattacks on UK retailers, including Marks & Spencer, Co-op, and Harrods.

In 2024, Operation Cronos, a UK-led multinational effort involving law enforcement agencies from ten countries, including the Federal Bureau of Investigation (FBI) temporarily stopped LockBit’s activities, although the group eventually resurfaced.

The operation reportedly took down 34 servers, confiscated crypto wallets, and uncovered over 1,000 decryption keys. 

Law enforcement believes LockBit’s operators are based in Russia, a jurisdiction that WOULD be hard to bring them to justice in. Ransomware gangs centre their operations within Russia’s borders because direct arrests are nearly impossible.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now