- LockBit faces new data breach, shaking affiliate trust.
- Breach exposed affiliate data, ransom chats, and plaintext passwords.
LockBit, one of the most active ransomware gangs in recent years, has suffered a breach of its dark web affiliate platform. According to BleepingComputer, the group’s admin and affiliate panels were taken over and replaced with a message linking to a MySQL database dump.
The defaced message read, “Don’t do crime CRIME IS BAD xoxo from Prague,” followed by a download link to “paneldb_dump.zip.”
The file, first flagged by a threat actor named Rey, contains a SQL dump of LockBit’s affiliate management portal. A review of the database reveals 20 tables with sensitive details on the group’s operations.
One table, labelled ‘btc_addresses,’ lists nearly 60,000 unique Bitcoin addresses. Another, ‘builds,’ includes information about payloads created for specific targets. The builds include public encryption keys, along with company names in some cases.
There’s also a ‘builds_configurations’ table showing technical preferences for attacks. These include skipping certain ESXi servers or concentrating on specific file types.
The ‘chats’ table offers insight into LockBit’s extortion tactics. It includes almost 4,400 bargaining messages between affiliates and victims, dated between December 2024 and late April 2025.
One of the more illuminating elements is the ‘users’ table, which lists 75 identities associated with affiliates and admins. Security researcher Michael Gillespie pointed out that the database stored many of their passwords in plaintext. Examples included “Weekendlover69,” “MovingBricks69420,” and “Lockbitproud231.”
Rey later shared a conversation on Tox with a LockBit representative who confirmed the breach. The operator, known as “LockBitSupp,” claimed no private keys were leaked and that data loss was minimal.
The dump appears to have been created on April 29, based on timestamps in the chat records.
So far, no group has claimed responsibility. However, the message used in the defacement is identical to one left in a recent breach of the Everest ransomware site, suggesting the same actor may be behind both incidents.
The breach follows earlier hits to LockBit’s infrastructure. In early 2024, law enforcement agencies carried out a global operation named Operation Cronos. That effort took down 34 servers, the group’s site and mirrors, cryptocurrency wallets, and 1,000 decryption keys. It also targeted the same affiliate panel recently compromised.
LockBit rebuilt its infrastructure quickly after Operation Cronos and resumed operations. But the new breach could deal lasting damage to its reputation, especially among its affiliates.
Other ransomware groups have faced similar breaches in recent years. These include Conti, Black Basta, and Everest. In most cases, such breaches disrupted operations, at least temporarily.
LockBit has changed its malware over time. It launched in 2019 with LockBit 1.0, which used RSA and AES encryption, and in 2021, it released version 2.0 with features to automate internal spread.
The group released LockBit 3.0 – also called LockBit Black – in 2022 with modular features and anti-analysis tools. It also came with a bug bounty programme to attract external testers.
In 2023, researchers claimed a version called LockBit Green borrowed code from the disbanded Conti gang.
LockBit operates using a ransomware-as-a-service (RaaS) model. The core team creates and maintains the malware, and so-called affiliates are responsible for breaking into systems, launching attacks, and negotiating ransoms. In most cases, affiliates keep 70% of the proceeds.
The group uses “double extortion” tactics, encrypting files and threatening to leak stolen data unless a ransom is paid.
Technically, LockBit targets both Windows and Linux systems. It uses fast encryption methods and tools for lateral movement, such as PsExec and RDP brute force. It frequently disables backups and services before encrypting data.
Its attack chain usually starts with phishing, exploitation of known vulnerabilities, or stolen credentials. After initial access, it moves laterally, escalates privileges, exfiltrates data, encrypts systems, and drops ransom notes. If there’s no payment, the stolen data is posted to its leak sites.
LockBit has claimed numerous major attacks. In 2022, it targeted Italy’s Revenue Agency, putting taxpayer data at risk, and hit Canada’s SickKids Hospital, later issuing a decryption tool after public backlash in the latter case.
By mid-2022, LockBit accounted for over 40% of known ransomware attacks worldwide. The group has affected more than 1,000 companies and reportedly brought in over $100 million in ransom payments that year. More than half of its demands were paid, according to industry reports.
On February 19, 2024, the group’s sites were seized in another law enforcement operation. Agencies involved included the UK’s NCA, FBI, Europol, and INTERPOL, with several members of the LockBit gang arrested or placed on wanted lists, but key developers were said to have avoided capture.
Some LockBit tools remain active on the dark web and are still being used by affiliates. The latest breach adds more pressure to a group already under watch.