A massive leak just rocked the cybercrime world. Nearly 60,000 Bitcoin addresses tied to the infamous LockBit ransomware group were exposed online after hackers breached their dark web affiliate panel. It’s a huge blow to the group, and it’s giving law enforcement and blockchain experts a rare chance to track their financial movements.
The hackers didn’t just steal data — they had something to say. They left a mocking message: “Don’t do crime. CRIME IS BAD xoxo from Prague.” It’s a sharp jab at LockBit, which has terrorized targets worldwide, and now, the tables have turned.
What’s inside the leak?
The breach included a MySQL database dump, which was shared publicly. Inside the data were 20 tables that revealed a lot about LockBit’s operations. One table listed ransomware programs created by the group’s affiliates, while another had over 4,400 messages exchanged between victims and LockBit during ransom negotiations.
The leak also exposed a massive list of Bitcoin addresses used by the group, though luckily for LockBit, no private keys were included, meaning the wallets can’t be drained directly.
Still, it’s a massive leak. One user on X (formerly Twitter) even shared a conversation with someone they claimed was a LockBit operator. The operator confirmed the breach, but insisted no sensitive data, like private keys, had been exposed. However, given the scale of the leak, it’s hard to believe that’s all that was affected.
Why it matters
LockBit, like most ransomware groups, uses a unique Bitcoin address for each victim, allowing them to track ransom payments and making it harder to trace where the funds end up.
Now that nearly 60,000 addresses are public, investigators have a unique chance to track these payments, connect the dots, and potentially uncover more about how LockBit operates. It’s a rare opportunity to follow the financial trail and could lead to uncovering more about the global ransomware ecosystem.
Who did this?
At this point, we don’t know who exactly hacked LockBit’s panel or how they did it. However, cybersecurity analysts have pointed out that the message left behind in this hack mirrors the one used in a breach of the Everest ransomware group’s site. This has led some to believe that the same group might be behind both attacks.
LockBit has already been under the microscope. Back in February 2024, a coalition of law enforcement agencies from 10 countries launched a major operation to disrupt the group, which has been linked to billions of dollars in damage. They’ve targeted everything from hospitals to government agencies to big corporations.
Crypto’s role in ransomware
This breach once again highlights the growing link between cryptocurrency and cybercrime. For years, Bitcoin has been the payment of choice for ransomware gangs, largely because it’s pseudo-anonymous. But with blockchain’s transparency, investigators can still trace where the money is going, if they know where to look.
With 60,000 Bitcoin addresses now exposed, this leak could be a turning point in the fight against crypto-fueled ransomware. For LockBit, it’s a painful reminder that even the biggest players in the cybercriminal world aren’t safe from getting hacked.
Also Read: Curve Finance X Account Hacked to Promote Fake CRV Airdrop
