Exploring the LockBit Panel Breach – What Logs and Chats Reveal About Ransomware-as-a-Service
On May 7, 2025, a number of domains associated with the LockBit ransomware group were subjected to a web defacement attack by an unknown individual. Visitors to the compromised domains encountered the following message, replacing the original website content:
Don’t do crime. CRIME IS BAD. xoxo from Prague
On the same page, a file named “paneldb_dump.zip” was available for download. This archive contained the MySQL database from the panel used by LockBit affiliates to manage operations such as attack histories and negotiations with victims. The Yarix Cyber Threat Intelligence Team (YCTI) retrieved the file and presents below the analysis of relevant information identified within the archive.
Screenshot from the Compromised Domain – Source: YCTI Team
A Pattern of Defacement?
For those closely following ransomware group activities, the message “Don’t do crime. CRIME IS BAD. xoxo from Prague” recalls a similar event in April[1] involving the .onion domain of the Everest ransomware group’s Data Leak Site.
Everest DLS Defacement – Source: Bleeping Computer
The message is identical to the one found on the compromised LockBit domains. In Everest's case, however, no files were shared, and the compromised .onion URL of Everest's DLS was later restored and is currently online and accessible. LockBit is therefore the second ransomware group in a short period whose .onion site has been compromised. Although the identity of the mysterious "pentester" remains unknown, these actions may indicate a trend of probing Data Leak Site domains and ransomware panel login pages for exploitable vulnerabilities. The motivations in these two cases remain unclear, as does whether this is the work of a zealous "lone wolf" acting for the glory of pentesting or of a direct competitor of the ransomware groups.
Inside the Dump: Structure, Tables and Source
The file retrieved from LockBit’s compromised domains is an SQL dump weighing approximately 26 megabytes, comprising 114,055 rows. The identified tables within include:
"api_history", "btc_addresses", "builds", "builds_configurations", "chats", "clients", "events", "events_seen", "faq", "files", "invites", "jobs", "migrations", "news", "pkeys", "socket_messages", "system_invalid_requests", "testfiles", "users", "visits".
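A leaked mysqldump file cannot be loaded into SQLite as-is, yet SQLite is the most convenient offline tool for the kind of triage described here (table inventory, row counts, time span of the chats table). The following is an added example written for this article, not YCTI's tooling: it strips the MySQL-only syntax that SQLite rejects, loads the dump in memory and answers those three questions. SAMPLE_DUMP is a constructed fragment in mysqldump style; its table and column names are assumptions, apart from the `chats` table and its dated messages, which the article names.

```python
"""Offline triage of a leaked MySQL dump with the standard library only.

Added example (not YCTI's tooling). SAMPLE_DUMP is a constructed fragment in
mysqldump style; table and column names are assumptions, except that the
article names a `chats` table and dates its messages.
"""
import re
import sqlite3
from datetime import datetime

SAMPLE_DUMP = r"""
-- MySQL dump 10.13 (constructed sample, not the leaked file)
/*!40101 SET NAMES utf8mb4 */;
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
  `rank` varchar(32) DEFAULT NULL,
  `created_at` datetime DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `users_rank_idx` (`rank`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
LOCK TABLES `users` WRITE;
INSERT INTO `users` VALUES (1,'admin',NULL,'2024-12-18 10:00:00'),(2,'aff_one','verified','2025-01-05 08:15:00'),(3,'nb_01','newbie','2025-02-11 19:02:00');
UNLOCK TABLES;
DROP TABLE IF EXISTS `chats`;
CREATE TABLE `chats` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `user_id` int unsigned NOT NULL,
  `message` text,
  `created_at` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
INSERT INTO `chats` VALUES (1,2,'Your files are encrypted, don\'t contact the police','2024-12-18 12:00:00'),(2,2,'Price is 50,000 USD','2025-01-06 09:30:00');
INSERT INTO `chats` VALUES (3,3,'Payment received','2025-04-29 16:45:00');
"""

MYSQL_COLUMN_NOISE = re.compile(
    r"\b(AUTO_INCREMENT|COLLATE \w+|CHARACTER SET \w+|ON UPDATE CURRENT_TIMESTAMP)\b")


def normalize_mysql_dump(sql: str) -> str:
    """Rewrite the MySQL-only syntax SQLite rejects. Good enough for triage;
    it is not a complete MySQL-to-SQLite converter."""
    out, create = [], None                      # create: lines of the CREATE TABLE being rebuilt
    for line in sql.splitlines():
        s = line.strip()
        if s.startswith(("--", "/*!", "LOCK TABLES", "UNLOCK TABLES", "SET ")):
            continue                            # comments, session settings, locking
        if s.startswith("CREATE TABLE"):
            create = [line]
            continue
        if create is not None:
            if s.startswith(")"):               # end of column list; drop ENGINE=... options
                body = ",\n".join(c.rstrip().rstrip(",") for c in create[1:])
                out.append(f"{create[0]}\n{body}\n);")
                create = None
            elif not s.startswith(("KEY ", "UNIQUE KEY ", "FULLTEXT KEY ", "CONSTRAINT ")):
                create.append(MYSQL_COLUMN_NOISE.sub("", line))   # secondary indexes are irrelevant here
            continue
        out.append(line.replace("\\'", "''"))   # MySQL quote escape -> SQL standard
    return "\n".join(out)


def load_dump(sql: str) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(normalize_mysql_dump(sql))
    return con


def table_inventory(con: sqlite3.Connection) -> dict:
    """Table name -> row count, the first thing to check against the dump's claimed size."""
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}


def time_span(con: sqlite3.Connection, table: str = "chats", column: str = "created_at"):
    """Earliest and latest timestamp in a table: the observation window of the leak."""
    lo, hi = con.execute(f'SELECT MIN("{column}"), MAX("{column}") FROM "{table}"').fetchone()
    fmt = "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(lo, fmt), datetime.strptime(hi, fmt)


if __name__ == "__main__":
    con = load_dump(SAMPLE_DUMP)
    print(table_inventory(con))
    print("chats span:", *time_span(con))
```

Dropped index lines leave a dangling comma on the previous column, which the rebuild of the CREATE block removes; backslash escapes inside strings are the other common failure and are rewritten only for the single quote, so a real dump may still need a second pass for `\\` and `\"`.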
By examining the dates related to the conversation messages in the “chats” table and the SQL dump’s creation date, the information was placed within a timeframe between December 18, 2024, and April 29, 2025. This allowed YCTI analysts to link the December date with LockBit’s announcement regarding the release of version 4.0 of its malware. The event was announced on LockBit’s DLS with the following post published on December 19, 2024:
Source: LockBit Data Leak Site
Visiting the domains mentioned in the post currently displays a message suggesting maintenance is underway, thereby concealing the original domain content.
Source: LockBit Data Leak Site
Nonetheless, the content of one of the domains was available through ANY.RUN’s archive [2]:
Source: ANY.RUN
The domains appear to relate to LockBit’s login panels, consistent with the Ransomware-as-a-Service model offered by the criminal group. This is further supported by posts from users who announced the defacement incident on X[3]:
Source: Rey account on x.com
According to the same source, LockBit confirmed that the compromise affected the panel used by affiliates for registration and account activation. The information exfiltrated by the unknown actor included user conversations and Bitcoin addresses; according to LockBit, neither the source code nor the locker builder was stolen.
Original LockBit Conversation Posted by User Rey – Source: Rey account on x.com
LockBit Conversation Translated into English by User Rey – Source: Rey account on x.com
User Accounts – Affiliate Roles and Attack Volume
The YCTI Team’s analysis of specific tables led to the identification of aliases and rankings associated with affiliates registered on LockBit’s panel. Some accounts are linked to contact IDs via Tox and Session, useful for potential correlations with other “handles.” It remains unclear whether the identified users represent the entirety of LockBit’s affiliates or only those registered on the exploited panel. In other words, it is uncertain if separate panels exist for affiliates to access LockBit’s tools.
Within the “users” table, 75 users were identified. Among these, the users named “admin” and “matrix777,” despite lacking any rank, appear to be administrative accounts for LockBit, as their creation timestamps are identical. Sixty-two users hold the “newbie” rank; five are “verified”; four are “pentester”; one is “ru target”; and one is categorized as “scammer.”
List of Users – LockBit Panel Dump
A comparison with the list of aliases released during Operation Cronos (194 accounts) found no matches between the usernames shared by law enforcement and those in the analyzed dump, except for the "admin" account. Below are the alias lists from Operation Cronos[4] and from the May 2025 dump collected by the YCTI Team:
Operation Cronos – LockBit User List – Source: Trend Micro
Users Identified in the May 2025 Dump – “Admin” Accounts – May 2025 Dump – Source: YCTI Analysis
Comparing the “admin” account creation timestamps from the aliases shared post-Operation Cronos with those in the May 2025 dump reveals an exact match in date and time, further confirming the hypothesis that these are aliases related to LockBit’s administrative accounts:
“Admin” User – Operation Cronos – 2024
“Admin” Accounts – May 2025 Dump – Source: YCTI Analysis
The YCTI Team also noted a similarity between the alias “matrix777” and a username in the BlackBasta chat leak[5] named “@username777.” Approximately 500 messages related to “@username777” were identified within the BlackBasta chat. Currently, this evidence may be coincidental, and further investigations are underway by the YCTI Team to determine any possible connections between the two identities:
Possible Alias Match – BlackBasta Chat
Analyzing the configuration logs of attacks launched by users in the dump revealed that only 47 accounts had executed attacks against actual companies. Many users probably used their panel access only for "test" attacks, directing the LockBit malware against infrastructure they controlled in order to evaluate the tool and become familiar with its functionality.
Within the ransomware tool configuration table used by affiliates, victim company domains were extracted. After manual validation, the number of unique domains targeted by ransomware affiliates was determined, identifying their geographical locations where possible.
A total of 555 unique domains and/or indicators related to targets from 64 different countries were identified. Of these, 68 were classified as “Other” due to the inability to determine their geographical location. However, they were included in the total count as potential targets possessing unique indicators and not appearing to be part of test attacks.
Of the 555 unique attacks identified by the YCTI Team, 305 (55%) were conducted by affiliates with the "verified" rank (experienced, or at least accustomed to working with Ransomware-as-a-Service groups) and 234 (42%) by "newbie" affiliates (novice or less experienced). Considering that only 5 "verified" users and 36 "newbie" users actually launched attacks, 55% of the attacks were executed by just 5 accounts, while 42% were spread across 36. This highlights the importance of experience and skill even when operating within a Ransomware-as-a-Service context.
It is important to note that the data pertains to the users’ ability to utilize the tools at their disposal and doesn’t necessarily indicate that the attack led to successful extortion or victim payment.
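The step that makes the figures above meaningful is separating real victims from test targets and counting each victim once before attributing it to a rank. The following is an added example, not YCTI's tooling: BUILDS is a constructed join of `builds_configurations` and `users` rows (column names assumed, company names fictional), and the classification rules for lab-style targets (private IPs, single-label names, reserved TLDs, "test"/"lab" labels) are assumptions that an analyst would tune by hand.

```python
"""Validating configured targets and attributing attacks to affiliate ranks.

Added example, not YCTI's tooling. BUILDS is a constructed join of
`builds_configurations` and `users` rows (column names assumed); the company
names in it are fictional. Targets that look like lab or placeholder values
are counted as test attacks instead of victims."""
import ipaddress
import re
from collections import Counter

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
TEST_TLDS = {"local", "localdomain", "lan", "internal", "test", "example", "invalid", "localhost"}
TEST_WORDS = {"test", "lab", "sandbox", "workgroup"}


def normalize(target: str) -> str:
    return target.strip().lower().rstrip(".")


def classify_target(raw: str) -> str:
    """Return 'real', 'test' or 'invalid' for one configured target string."""
    t = normalize(raw)
    if not t:
        return "invalid"
    try:                                        # bare IP: only globally routable ones count
        return "real" if ipaddress.ip_address(t).is_global else "test"
    except ValueError:
        pass
    labels = t.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid"                        # spaces, punctuation, empty labels
    if len(labels) < 2:
        return "test"                           # WORKGROUP-style names, no registrable domain
    if labels[-1] in TEST_TLDS or any(label in TEST_WORDS for label in labels):
        return "test"
    return "real"


BUILDS = [  # constructed: (username, rank, configured target)
    ("aff_one", "verified", "northwind-logistics.com"),
    ("aff_one", "verified", "Northwind-Logistics.com."),   # same victim, different spelling
    ("aff_one", "verified", "contoso-bank.co.uk"),
    ("aff_two", "verified", "10.0.0.15"),                  # RFC1918: lab machine
    ("aff_two", "verified", "fabrikam-hospital.org"),
    ("nb_01", "newbie", "WORKGROUP"),
    ("nb_01", "newbie", "test.lab.local"),
    ("nb_02", "newbie", "tailspin-industries.de"),
    ("nb_03", "newbie", "not a domain!"),
    ("pt_01", "pentester", "adatum-media.net"),
]


def attack_summary(rows):
    seen, per_rank, per_user, test_users, invalid = set(), Counter(), Counter(), set(), 0
    for user, rank, target in rows:
        kind = classify_target(target)
        if kind == "invalid":
            invalid += 1
            continue
        if kind == "test":
            test_users.add(user)
            continue
        key = normalize(target)
        if key in seen:                         # one victim counted once per dump
            continue
        seen.add(key)
        per_rank[rank] += 1
        per_user[user] += 1
    total = sum(per_rank.values())
    return {
        "unique_targets": total,
        "per_rank": dict(per_rank),
        "rank_share_pct": {r: round(100 * n / total) for r, n in per_rank.items()} if total else {},
        "attacking_users": len(per_user),
        "top_users": per_user.most_common(),
        "test_only_users": sorted(test_users - set(per_user)),
        "invalid_rows": invalid,
    }


if __name__ == "__main__":
    for k, v in attack_summary(BUILDS).items():
        print(f"{k}: {v}")
```

The "test" label errs on the side of excluding victims (a real subdomain called `lab.` would be dropped), which is the right bias when the output is a victim count that may be quoted.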
As noted earlier, the total workforce of the LockBit ransomware group cannot be determined solely from the accounts identified in the compromised panel's dump. The information suggests that the "Light" panel may have been run as a separate project, a way to relaunch the group and attract new participants to LockBit's RaaS program as part of a marketing strategy. It is probably no coincidence that the LockBit 4.0 announcement coincided with the announcement of the self-registration panel exposed on the .onion links shared earlier in this article. Recruiting new affiliates appears to remain a priority for LockBit, especially after the departure of affiliates following Operation Cronos, the law-enforcement operation aimed at dismantling the gang, which significantly slowed LockBit's operations throughout 2024. Comparing the number of claims on LockBit's DLS between January 1 and February 20, 2024 (the date Operation Cronos was announced by the international public-private task force) with the same period in 2025 reveals a substantial difference: 147 victims in 2024 against only 11 in 2025, a 92% decrease in claims published on the Data Leak Site.
Victim Geography – Asia in the spotlight
Regarding the geolocation of validated targets, the YCTI Team observed that most events affected the Asian region, which, in our classification, also includes Middle Eastern countries:
Regions Targeted – Source: YCTI Analysis
Considering attacks on organizations in individual countries, China emerged as the most affected, followed by the United States and South Korea:
TOP 10 Targeted Countries – Source: YCTI Analysis
This is noteworthy: data on ransomware attacks during 2024, collected by the YCTI Team from ransomware groups' Data Leak Sites, shows that China ranked 25th (out of the 119 countries identified by the YCTI Team) for ransomware events, accounting for only 0.49% of the claims made by ransomware groups on their Data Leak Sites.
Specifically for LockBit, in 2024, claims identified by the YCTI Team within the Data Leak Site concerning companies in China accounted for 0.11% of LockBit’s total victims.
For the first quarter of 2025, the YCTI Team identified zero claims against entities located in China within LockBit’s DLS.
This aspect leads to several considerations, some more probable than others:
- Targets in China often pay the ransom demanded by ransomware groups, thus not appearing on LockBit’s Data Leak Site.
- Negotiating with entities in China is challenging due to language barriers; negotiations may not be conducted at all, possibly depending on the LockBit affiliate’s experience.
- Validating targets in China is difficult. Analyst1’s[6] analysis of chats identified in the dump reveals difficulties some affiliates face in pinpointing the victim’s exact location, causing communication issues between the victim and the LockBit affiliate, even in identifying the targeted entity and sector.
- The data in the analyzed dump spans from December 19, 2024, to April 29, 2025. Since negotiation procedures take time, it is possible that Chinese companies choosing not to pay the ransom may appear on LockBit’s DLS in the coming months.
- Many chats between LockBit affiliates and their victims were found to be completely empty. It is possible the affiliates launched the attacks but never proceeded with negotiation processes.
By analyzing the configurations extracted from the ransomware builds, the YCTI Team was also able to identify the most active users. Below is the Top 20 list of the most active affiliates based on validated unique attacks.
Most Active Affiliates – TOP 20 – Source: YCTI Analysis
According to the data, the 20 most active affiliates were responsible for 91% of the unique attacks identified and validated by the YCTI Team.
Bitcoin Wallets and Affiliates Onboarding
Within the invites table, 3,449 unique Bitcoin and Monero addresses were identified, each linked to a corresponding invitation ID. A sample analysis of several wallets revealed that some showed transaction activity, while others were empty or inactive. By examining the “amount” column for each cryptocurrency address and converting values to USD based on the exchange rate at the time indicated in the “created_at” column, it was found that the amounts typically ranged between $750 and $800.
This suggests that these addresses were likely generated by affiliates through the Light panel or assigned or shared by LockBit administrators to aspiring operators as part of the symbolic affiliation fee to join the Ransomware-as-a-Service (RaaS) program.
In a December 2024 interview with researchers at DeepDarkCTI[7], LockBit confirmed that the cost to access the affiliate panel was $777.
Source: DeepDarkCTI
The login panels retrieved via ANY.RUN’s archive shows two icons for account creation through Bitcoin (BTC) or Monero (XMR) payments:
Source: ANY.RUN
The cryptocurrency addresses found in the btc_addresses table are still being analyzed by the YCTI Team. Any relevant findings will be shared in a future update to the report.
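When a table of thousands of addresses leaks, the first pass is mechanical: which scheme each address belongs to, whether it is even well-formed (panel data is often mistyped or truncated), and what the recorded amount was worth on the day the row was created, so that fee-sized payments such as the $777 quoted above stand out. The block below is an added example, not YCTI's tooling. It verifies the Base58Check checksum of legacy Bitcoin addresses, pattern-matches Bech32 and Monero addresses, and converts amounts with a rate table. The rows, the rates, and the assumption that `amount` is in whole BTC or XMR are constructed; the two Bitcoin addresses are public test vectors (the genesis coinbase address and the BIP173 example), not addresses from the dump.

```python
"""Triage of cryptocurrency addresses from a leaked panel table.

Added example, not YCTI's tooling. Classifies each address by scheme, checks
the Base58Check checksum of legacy Bitcoin addresses, converts the recorded
amount to USD with a rate table and flags amounts close to the $777 fee.
Rows, rates and the unit of `amount` (whole BTC / XMR) are assumptions."""
import hashlib
import re
from datetime import date

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FEE_USD = 777.0
PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),   # P2PKH / P2SH
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),          # segwit (format only)
    "xmr":        re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),        # standard / integrated
}


def b58check_ok(addr: str) -> bool:
    """Base58Check: last 4 bytes must equal SHA256d(version || payload)[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")             # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def classify(addr: str) -> str:
    for kind, pattern in PATTERNS.items():
        if pattern.match(addr):
            if kind == "btc-legacy" and not b58check_ok(addr):
                return "btc-legacy-badchecksum"  # mistyped, truncated or fabricated
            return kind
    return "unknown"


RATES_USD = {  # constructed daily rates, not market data
    ("BTC", date(2025, 1, 15)): 97_000.0,
    ("XMR", date(2025, 1, 15)): 200.0,
    ("BTC", date(2025, 3, 10)): 80_000.0,
}


def usd_value(amount: float, currency: str, created: date):
    rate = RATES_USD.get((currency, created))
    return None if rate is None else round(amount * rate, 2)


def near_fee(usd, fee: float = FEE_USD, tolerance: float = 0.05) -> bool:
    """Within 5% of the fee: covers rate drift between quoting and paying."""
    return usd is not None and abs(usd - fee) <= fee * tolerance


ROWS = [  # constructed: (address, amount, currency, created_at)
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 0.008, "BTC", date(2025, 1, 15)),   # genesis address, valid
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb", 0.5, "BTC", date(2025, 3, 10)),     # last char altered
    ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", 0.0097, "BTC", date(2025, 3, 10)),  # BIP173 vector
    ("4" + "A" * 94, 3.9, "XMR", date(2025, 1, 15)),                          # placeholder XMR shape
]


def triage(rows):
    report = []
    for addr, amount, currency, created in rows:
        usd = usd_value(amount, currency, created)
        report.append({"address": addr, "kind": classify(addr), "usd": usd, "fee_like": near_fee(usd)})
    return report


if __name__ == "__main__":
    for r in triage(ROWS):
        print(r)
```

Bech32 and Monero addresses carry their own checksums too (BCH code and Keccak respectively); the regexes here only check shape, so a full pipeline would add those decoders before trusting an address enough to query a chain explorer with it.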
The Value of Negotiation Chats – TTPs and Insights into Ransom Payments
Negotiation chats offer an invaluable source of information, revealing not only the behavioral profiles and negotiation styles of affiliates, but also the tactics, techniques, and procedures (TTPs) used by the ransomware group.
In several cases, after the ransom was paid, victims asked the threat actors for advice on how their systems had been compromised and how to improve their security posture. In some instances, these chats revealed exactly how affiliates had accessed victims’ networks. Following are a few notable examples.
Example A:
- Threat Actor: Some tips to improve the security of your servers: First of all, to improve security, you need to change all Windows account passwords without exception. You need to change them to long and complex passwords. Secondly, you need to install antivirus software on all servers without exception (Kaspersky, Sophos, Bitdefender or other reliable antivirus software). You also need to more carefully monitor activity on the corporate network, look for unnecessary activity on the network (track traffic) and not run third-party software on machines without antivirus software.
Example B:
- Victim: So our vulnerability is simply that the password was too weak?
- Threat Actor: host admin needs to be removed from the domain and close the ports at the admin.
- backups do not show in the domain – and nas – domain is not a secure infostructure
- Victim: Got it, we’ll take this as a lesson learned. Thanks for the assistance.
- Threat Actor: and of course passwords, but they won’t help you if there are vulnerabilities in the domain
Example C:
- Victim: Sorry just wanted to clarify does this mean you were able to get XXXXX account through phishing as well?
- Threat Actor: We got into the network through a manager with user priv, and dump ntlm local admin access on all the hosts in the domain.
Then we found the admin in the domain. XXX Admin:XXXXXX
- Victim: Could you help me a bit, may I ask the details of how you got access to our network? Did you exploit our public web app server or phish our users?
- Threat Actor: Remove the admin from the domain who controls infostructure, no matter what antivirus you install, the domain will always be vulnerable.
Got to you through phishing, but I don’t remember the first host.
And you had very easy passwords.
I followed the work XXXXXXXX, and waited for him to log into Google Backup.
About a month
- Victim: Thank you for this. May I ask another question, we’ve read from reports that you often use Anydesk in your attacks, can you explain how it is relevant to you?
- Threat Actor: Hello, you had anydesk installed on many hosts, we just used it to get back
Example D:
- Victim: Where are the loopholes? how did you find our server? We want to fix the leak.
- Threat Actor: Traffic one of the managers, I don’t remember the first access pc
remove the admin from the domain and make passwords better
and this will not happen again.
- Victim: Thx
- Threat Actor: One nas is not enough for backups it is very unreliable.
- Victim: What is your good suggestion?
- Threat Actor: At least hyper backup for nas to nas
2 nas backup we do not go to it from the domain
If you don’t want to spend a lot of money on security
Everything in the domain is not safe.
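Two of the techniques the affiliates describe above are detectable from ordinary Windows telemetry: a local administrator's NTLM hash dumped on one host and replayed across "all the hosts in the domain" produces a burst of network logons (event 4624, logon type 3) for a local account on many machines from one source, and AnyDesk reinstalled "to get back" shows up as a service installation (7045) or process start (4688). The following detection logic is an added example, not YCTI's or anyone's production rule; EVENTS is a constructed sample whose field names (account, domain, host, src_ip, logon_type) are assumptions standing in for TargetUserName, TargetDomainName, Computer, IpAddress and LogonType.

```python
"""Detection logic for two patterns the negotiation chats describe: a shared
local administrator credential replayed across many hosts, and a remote
access tool (AnyDesk) installed as a way back in.

Added example, not YCTI's or LockBit's code. EVENTS is a constructed sample
modelled on Windows Security (4624, 4688) and System (7045) events; the field
names are assumptions, not a real SIEM schema."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample
    {"ts": "2025-02-03T09:12:00", "host": "WS-017", "event_id": 4624, "account": "j.doe", "domain": "CORP", "logon_type": 2},
    {"ts": "2025-02-03T09:40:00", "host": "WS-017", "event_id": 4688, "account": "j.doe", "domain": "CORP",
     "process": "C:\\Users\\j.doe\\Downloads\\invoice.pdf.exe"},
    # local Administrator (TargetDomainName == computer name) logging on over the network to many hosts
    {"ts": "2025-02-03T10:01:00", "host": "SRV-01", "event_id": 4624, "account": "Administrator", "domain": "SRV-01", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-02-03T10:03:00", "host": "SRV-02", "event_id": 4624, "account": "Administrator", "domain": "SRV-02", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-02-03T10:04:00", "host": "FS-03", "event_id": 4624, "account": "Administrator", "domain": "FS-03", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-02-03T10:06:00", "host": "NAS-BACKUP", "event_id": 4624, "account": "Administrator", "domain": "NAS-BACKUP", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-02-03T10:20:00", "host": "SRV-02", "event_id": 7045, "service": "AnyDesk Service",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    # benign: a domain service account doing its nightly backup logon
    {"ts": "2025-02-04T02:00:00", "host": "DC-01", "event_id": 4624, "account": "svc_backup", "domain": "CORP", "logon_type": 3, "src_ip": "10.0.1.8"},
]


def local_admin_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Alert when one local account, from one source IP, reaches >= min_hosts
    distinct hosts over the network inside `window`: the signature of a shared
    local admin hash being replayed for lateral movement."""
    by_key = defaultdict(list)
    for e in events:
        local_account = e.get("domain", "").upper() == e.get("host", "").upper()
        if e.get("event_id") == 4624 and e.get("logon_type") == 3 and local_account:
            key = (e["account"].lower(), e.get("src_ip"))
            by_key[key].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = []
    for (account, src_ip), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window from each logon
            hosts = {host for ts, host in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "src_ip": src_ip,
                               "first_seen": start.isoformat(), "hosts": sorted(hosts)})
                break                                  # one alert per account/source
    return alerts


RMM_MARKERS = ("anydesk",)   # extend with other remote-access tools not sanctioned in your estate


def remote_tool_installs(events):
    """Service installs (7045) or process starts (4688) that mention a remote access tool."""
    found = []
    for e in events:
        if e.get("event_id") not in (4688, 7045):
            continue
        blob = " ".join(str(e.get(k, "")) for k in ("process", "service", "image")).lower()
        if any(marker in blob for marker in RMM_MARKERS):
            found.append({"host": e["host"], "ts": e["ts"],
                          "evidence": e.get("service") or e.get("image") or e.get("process")})
    return found


if __name__ == "__main__":
    print(local_admin_fanout(EVENTS))
    print(remote_tool_installs(EVENTS))
```

The fan-out rule keys on local accounts specifically (domain field equal to the computer name) because that is what a dumped local hash buys an attacker; a domain account reaching many hosts is routine for backup and monitoring services and would drown the alert in noise. The fix the affiliate himself recommends, no domain-wide admin and no reusable local admin password, is what LAPS-style per-host passwords provide.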
Negotiation chats were also instrumental in determining how many victims actually paid the ransom. From the chat analysis conducted by the YCTI Team, negotiations were recorded for 208 victims, involving more than 4,000 messages exchanged between victims and affiliates.
Out of these 208 cases, 18 victims confirmed payment of the ransom, meaning that during the period between December 19, 2024, and April 29, 2025, roughly 8.7% of targeted companies paid a cryptocurrency sum to receive the decryption tool from LockBit affiliates.
By analyzing the timestamps of these negotiations, YCTI estimated that the average time between first contact and payment was 7.3 days, slightly more than a week. In certain cases, the ransom was paid almost immediately – either on the day of first contact or the following day.
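The three figures above (victims with a negotiation, victims who paid, days from first contact to payment) come straight out of a chats table once "payment confirmed" can be recognised. The block below is an added example of that computation, not YCTI's tooling: its 208 / 18 / 7.3-day numbers came from reading the real conversations, whereas the keyword heuristic here is an assumption that an analyst would review, since affiliates phrase confirmations freely. CHAT_IDS and MESSAGES are constructed, and include two chats that hold no messages, the empty-chat case noted earlier.

```python
"""Payment rate and time-to-payment from a chats table.

Added example, not YCTI's tooling. MESSAGES and CHAT_IDS are constructed; the
regex for 'affiliate confirms payment' is an assumption to be reviewed by hand."""
import re
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M:%S"
PAID_RE = re.compile(r"payment received|received the payment|confirmed|here is your decrypt", re.I)

CHAT_IDS = {101, 102, 103, 104, 105}        # 104 and 105 exist but hold no messages
MESSAGES = [  # constructed: (chat_id, sender, created_at, text)
    (101, "victim",    "2025-01-10 09:00:00", "We found your note. What is the price?"),
    (101, "affiliate", "2025-01-10 11:30:00", "500k USD in BTC. Decryptor after payment."),
    (101, "victim",    "2025-01-16 15:00:00", "Transfer sent, txid attached."),
    (101, "affiliate", "2025-01-17 08:00:00", "Payment received. Decryptor and keys attached."),
    (102, "victim",    "2025-02-02 10:00:00", "Who are you?"),
    (102, "affiliate", "2025-02-02 10:05:00", "Read the note."),
    (103, "victim",    "2025-03-01 12:00:00", "How much?"),
    (103, "affiliate", "2025-03-01 12:10:00", "50k. Pay today and you get the decryptor."),
    (103, "victim",    "2025-03-01 18:00:00", "Paid."),
    (103, "affiliate", "2025-03-01 19:00:00", "Confirmed, here is your decryption tool."),
]


def negotiation_stats(chat_ids, messages):
    """Count negotiated / paid chats and time from first message to confirmation."""
    first_contact, paid_at = {}, {}
    for cid, sender, ts, text in sorted(messages, key=lambda m: m[2]):
        t = datetime.strptime(ts, FMT)
        first_contact.setdefault(cid, t)                 # earliest message in the chat
        # only the affiliate's side can confirm receipt; take the first such message
        if sender == "affiliate" and cid not in paid_at and PAID_RE.search(text):
            paid_at[cid] = t
    negotiated = set(first_contact)
    days = [(paid_at[c] - first_contact[c]).total_seconds() / 86400 for c in paid_at]
    return {
        "chats": len(chat_ids),
        "empty_chats": len(set(chat_ids) - negotiated),
        "negotiated": len(negotiated),
        "paid": len(paid_at),
        "paid_share": len(paid_at) / len(negotiated) if negotiated else 0.0,
        "avg_days_to_payment": mean(days) if days else None,
        "same_day_payments": sum(1 for c in paid_at if paid_at[c].date() == first_contact[c].date()),
    }


if __name__ == "__main__":
    for k, v in negotiation_stats(CHAT_IDS, MESSAGES).items():
        print(f"{k}: {v}")
```

Keying the confirmation on the affiliate's message rather than the victim's "paid" avoids counting victims who claimed to have paid and were then told the transaction never arrived; the denominator is chats with at least one message, matching the "208 victims with negotiations" definition used above.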
Conclusions
This type of data analysis is crucial for cybersecurity researchers to profile affiliates involved in criminal activities and assess the current operational capabilities of the LockBit ransomware group.
User activity indicates that most affiliates are inexperienced and likely new to cybercrime, lacking both the time commitment and the technical expertise required to run consistent and complex campaigns. Many seem to have joined out of curiosity or for the thrill of testing criminal tools rather than to commit to sustained operations. Key metadata such as usernames, Session IDs and Tox IDs tied to individual ransomware operators are valuable assets for ongoing investigations and for correlation with other leaks (e.g., the BlackBasta internal chat dump).
Furthermore, analyzing affiliate target patterns shows a significant gap between the number of actual victims and those publicly disclosed via ransomware Data Leak Sites. This highlights major discrepancies in geographic impact and reporting, as most victims may never appear on public-facing leak platforms.
Finally, negotiation chat logs not only shed light on affiliate personalities but also serve as a rich source of intelligence on the tactics and techniques used by threat actors as well as a valuable source of Indicators of Compromise (IOCs) for command-and-control (C2) infrastructure or other malicious elements. As demonstrated in the examples, victims often asked how their systems were breached in hopes of closing those entry points – resulting in direct insights into the attackers’ methods and the misconfigurations they exploited.
References:
[1] https://www.bleepingcomputer.com/news/security/everest-ransomwares-dark-web-leak-site-defaced-now-offline/
[2] https://any.run/report/61d5d1599e704bcb46f6610712be8a2f8251434025c2da3ac32e7b36cb82c2f5/c9354f55-00b1-4a0b-b840-22b830b21def
[3] hxxps://x.com/ReyXBF/status/1920220381681418713
[4] https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html
[5] https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/
[6] https://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/
[7] https://deepdarkcti.com/interview-3-lockbit/
Author:
Samuele De Tomas Colatin serves as the Cyber Intelligence Team Leader within the Yarix’s Cyber Threat Intelligence division (YCTI). Previously, he worked as a researcher at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. He is currently trying to find a balance between updating MISP and living his private life. Spoiler: he has not succeeded yet.