Thousands of Bitcoin addresses tied to ransom payments processed through LockBit’s network have been exposed after hackers breached the group’s affiliate database. According to a Bleeping Computer report , unknown hackers breached LockBit’s dark web infrastructure, defaced its affiliate panels, and publicly shared a file exposing data from the group’s internal operations. The leaked MySQL database appears to include years of ransomware activity, revealing details tied to LockBit’s affiliate management system. Among the most significant findings were nearly 60,000 Bitcoin wallet addresses, believed to be linked to ransom payments made by victims. The information could help trace how ransom funds moved through LockBit’s infrastructure. The breach was also confirmed by an anonymous LockBit operator, as suggested by a conversation shared by one X user. However, the operator confirmed that no private keys were leaked. The leaked data also included records of the ransomware tools created by LockBit affiliates, details about how specific systems were targeted, and over 4,400 private negotiation messages between the group and its victims, spanning from December 2024 to April 2025. It’s still unknown who carried out the breach or how they gained access to LockBit’s backend systems. However, investigators noted that a defacement message left behind matches one used in a recent breach of the Everest ransomware group’s site, suggesting a possible connection between the two incidents. A message left by LockBit attackers. Source: Bleeping Computer This breach comes after the major takedown of LockBit’s infrastructure in February 2024 under Operation Cronos, a coordinated effort by the FBI, NCA, Europol, and others. During the raid, authorities seized 34 servers, 1,000 decryption keys, and access to LockBit’s leak sites, where they threaten to publish a victim’s stolen data. The gang later managed to rebuild and resume activities, but this latest compromise deepens their setbacks and further tarnishes their reputation. What is the LockBit ransomware gang? LockBit is among the most prolific ransomware-as-a-service (RaaS) outfits, known for targeting large corporations, hospitals, and critical infrastructure. Since emerging in 2019, it has reportedly extorted over $500 million from more than 2,500 victims across 120 countries. Victims targeted by the group include Boeing, Royal Mail UK, ICBC, and Capital Health. The group’s model enables affiliates to carry out attacks using LockBit’s tools, splitting the ransom with developers. In December 2024, US authorities charged Rostislav Panev, a dual Russian-Israeli national, for allegedly working as a developer for the LockBit ransomware group. He reportedly earned over $230,000 in cryptocurrency for his role in creating malicious tools used in attacks. Two other Russian nationals, Artur Sungatov and Ivan Kondratyev, were also indicted in the U.S. for ransomware attacks on American entities. Meanwhile, LockBit’s suspected leader, Dmitry Khoroshev, remains at large. The U.S. has placed a $10 million bounty for information leading to his arrest. Crypto industry under attack As previously reported by Invezz, crypto hacks in the first quarter alone exceeded $1.6 billion, making it the worst quarter on record for the industry. The majority of these losses came from two attacks on centralised exchanges, namely Bybit, which lost $1.46 billion, and Phemex, which was hacked for $69.1 million. While DeFi platforms accounted for just 6% of Q1 losses, March still saw 20 separate incidents, including exploits on Abracadabra.money, Zoth, and ZkLend, totalling over $33 million. The post Hackers breach LockBit gang, leak nearly 60,000 Bitcoin addresses appeared first on Invezz
