Hack the ransomware: how the Lockbit group was hacked and 60 000 addresses were leaked

Hackers have become such a powerful force in the crypto community that they are now a target for hackers of all kinds. The victim’s fate has not passed over the well-known in narrow circles ransomware group Lockbit. GetBlock AML Research publishes details of one of the biggest leaks about this group in its history.

Details of the incident

On May 7, Lockbit’s darknet (onion network) website stopped working and started displaying a strange message, “Don’t do crime. Crime is bad.” The author of the message signed himself as “xoxo from Prague.” He also posted the Lockbit website’s database for free access.

A message from a hacker on the Lockbit website

In addition to 60 000 bitcoin addresses, Lockbit partner accounts, correspondence with victims, and other sensitive information were leaked.

What you need to know about Lockbit

LockBit is a vast network of developers who create software for data encryption and subsequent ransomware. The group operates on a Ransomware-as-a-Service (RaaS) model. It provides access to its developments to partners who perform the implementation work and infect user devices. Funds received as a result of ransomware are divided between developers and partners in the ratio of 70%/30%.

LockBit’s most extensive attacks:

• In 2022, the Italian Internal Revenue Agency database was compromised, with data on millions of the country’s residents and their taxes encrypted;
• SickKids Children’s Hospital in Canada was also encrypted. The attackers later apologized and provided free software to decrypt the data;
• Lockbit has impacted more than 1000 companies worldwide over the past few years.

Despite the high level of secrecy, in 2024 several Lockbit members were apprehended as a result of Operation Kronos (a joint effort between the UK’s National Crime Agency, FBI, Europol, and Interpol). The remaining Lockbit members continued their illegal activities.

New data

A database leaked by a mysterious vigilante from Prague contains data on 75 Lockbit partners who worked with developers to conduct illegal activities and extort funds from victims of the encryption software.

Lockbit partner accounts

Of the 60 000 Lockbit bitcoin addresses that ended up in the public domain, most of them have not yet been used by attackers. At the current stage, our team is analyzing Lockbit’s on-chain network. Initial research shows that the Lockbit network contains significantly more addresses.

Some of the leaked Lockbit bitcoin addresses

Full Lockbit address database

Lockbit’s response

The ransomware group did not appreciate the performance of its colleague from Prague. Lockbit published an appeal to partners (in Russian), in which they said they were ready to pay for information about their hacker. Lockbit also said that only the website and its database were compromised, while decryptors (used to decrypt data) and data of the attacked companies were not affected. Lockbit promised to restore operations as soon as possible.

Lockbit’s statement on the hack