LockBit hack: 60 000 ransomware bitcoin addresses and negotiation data revealed
A notorious cybercriminal group lost control of its infrastructure to other hackers
08.05.2025 - 10:45
422
3 min
0
What’s new? Nearly 60 000 BTC addresses associated with LockBit’s ransomware infrastructure have been exposed after hackers breached the group’s dark web affiliate panel. Information about the incident spread in the public space after administrative sections on darknet sites associated with LockBit were replaced with a message warning against illegal activities: “Don’t do crime CRIME IS BAD xoxo from Prague.” Along with this, a reference to an archive called “paneldb_dump.zip” was published, which contained a SQL file with data from the MySQL database of the group’s partner network.
The Security Alliance uncovers a scheme to hack crypto wallets via Zoom calls
One of the victims was the head of the NFT platform Emblem Vault
What has been discovered? According to a hacker hiding under the nickname Rey, the leak provides a unique opportunity to study the inner workings of LockBit. Experts from the publication BleepingComputer, having reviewed the contents of the database, reported the discovery of twenty tables. Particular attention was drawn to the table “btc_addresses”, where about 60 000 unique bitcoin addresses were found, which may indicate a significant scope of the group’s activities. In addition, the stolen database also included a “chats” table. This table contained more than 4400 messages of conversations between victims and the ransomware organization.
Guide for crypto companies: how to prevent infiltration through employment
Employees of the Kraken crypto exchange managed to identify a Lazarus Group hacker who claimed to be in a technical position at the company
What else is known? It’s unclear who was behind the hack and how they gained access to LockBit’s operations, but analysts at Bleeping Computer said that the message used in the Everest ransomware website hack matched the message used by LockBit. The analysts suggested there may be a connection between the two incidents.
Address disclosure allows law enforcement and blockchain investigators to track patterns and potentially link past ransom payments to known wallets.
Earlier, the US Department of Justice identified the creator, developer, and administrator of the LockBit group responsible for launching the ransomware.
Useful material?
Telegram 
Twitter Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Incidents
According to Blockaid, the attack may have been carried out by the same hacker behind the 1inch Fusion V1 exploit.
May 7, 2026
Incidents
The attacker gained administrative access and altered contracts to drain user funds
Apr 30, 2026
Cryptocurrency rates
-
Bitcoin
$65 634
BTC
-2.45%
-
Ethereum
$2 551.16
ETH
+3.56%
-
BNB Smart Chain
$579.4
BSC
+1.23%
-
Ripple
$1.22
XRP
-0.63%
-
Dogecoin
$0.092949
DOGE
-1.02%
-
TRON
$0.160134
TRX
-1.59%
-
Zcash
$628.6
ZEC
+3.67%
-
Cardano
$0.205629
ADA
-4.64%
-
Stellar XLM
$0.214138
XLM
-2.56%
-
Polkadot
$3.32
DOT
+5.27%