Full Report
In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime.
Analysis Summary
This summary focuses on the incident in which the LockBit affiliate panel database was exposed after a third party defaced the panel, as that is the event the source material details with a timeline and specific artifacts.
# Incident Report: LockBit Ransomware Affiliate Panel Data Exposure
## Executive Summary
In May 2025, the dark web affiliate panel of the LockBit ransomware operation was defaced by an unknown actor whose message claimed to be "from Prague". The incident resulted in the public release of a SQL database dump containing sensitive operational data: nearly 60,000 Bitcoin addresses, administrator and affiliate credentials stored in plaintext, and thousands of negotiation messages exchanged with victims. The exposure gives an unusually direct view of LockBit's negotiation playbook, internal processes and affiliate management.
## Incident Details
- **Discovery Date:** May 2025 (the defacement and the dump were noticed at the same time)
- **Incident Occurrence:** The dump was published in the week before the 15 May 2025 newsletter. The exposed chats span December 2024 to April 2025.
- **Affected Organization:** LockBit ransomware group (the targeted asset was its dark web affiliate panel infrastructure)
- **Sector:** Cybercrime Infrastructure
- **Geography:** The only attribution is the defacement message's own "from Prague" sign-off; it is unverified and should not be treated as a location.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (the compromise that preceded the defacement is not dated in the source)
- **Vector:** Not disclosed. The outcome was control of the panel's web front end and enough access to its backing database to export it.
- **Details:** The actor replaced the panel with the message "Don't do crime CRIME IS BAD xoxo from Prague" and published the database dump.
### Lateral Movement
*Not explicitly detailed, as the incident focuses on the data exposure of the panel itself, not an external victim network infection.*
### Data Exfiltration/Impact
- **Details:** The attacker exfiltrated and subsequently published an SQL database dump (`paneldb_dump.zip`). This data included:
* Nearly 60,000 Bitcoin addresses.
* Credentials for 75 admins and affiliates (plaintext passwords).
* 4,423 negotiation messages across 208 victims (Dec 2024 – Apr 2025).
* Internal LockBit "tips" for affiliates (e.g., negotiation pressure tactics).
### Detection & Response
- **Detection:** Security researchers noticed the defaced panel and the published dump; no detection on LockBit's side is described in the source.
- **Response Actions:** No response by LockBit is documented in the source. The actor's publication of the raw SQL dump took the operational panel out of use and exposed its internal processes.
## Attack Methodology
*This section describes the exfiltration methodology against LockBit's infrastructure, not a traditional victim attack chain.*
- **Initial Access:** Compromise of the dark web panel infrastructure; the vector is not disclosed.
- **Persistence:** Not applicable to the data dump event.
- **Privilege Escalation:** Not detailed. The actor reached the panel's primary database with enough access to export it; how that access was obtained is unknown.
- **Defense Evasion:** Not detailed. Whatever monitoring LockBit ran on the panel did not stop the extraction.
- **Credential Access:** Administrator and affiliate credentials were read directly from the database, where passwords were stored in plaintext.
- **Discovery:** The "chats" table revealed negotiation topics, ransom figures (from about $1,000 to $2 million) and pressure tactics.
- **Lateral Movement:** Not applicable.
- **Collection:** Export of the core operational SQL tables.
- **Exfiltration:** Compression of the export into `paneldb_dump.zip` and public release.
- **Impact:** Operational disruption and exposure of LockBit's negotiation tactics, affiliate credentials and user data.
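The artifact in the Data Exfiltration and Discovery items above is a SQL export, so the first triage steps an analyst takes are the ones this added example walks through (it is example code written for this report, not code from the leak, from LockBit's panel or from the source newsletter): confirm the archive against the published SHA-256 before opening it, load the SQL into SQLite, and pull headline figures such as message count, victim count, date span and the ransom amounts quoted in affiliate messages. The table and column names (`users`, `btc_addresses`, `chats`) and every data row are assumptions constructed for illustration; the real paneldb schema is not given in this report.

```python
"""Triage a leaked SQL dump: verify the artifact hash, load the dump into
SQLite and summarise the negotiation data.

Added example for this report.  The schema (users / btc_addresses / chats)
and all rows below are ASSUMED, constructed for illustration; the real
paneldb layout is not described in the source material."""
import hashlib
import re
import sqlite3

# SHA-256 published for paneldb_dump.zip (from the Indicators of Compromise).
LEAK_ARCHIVE_SHA256 = "e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997"

# Constructed stand-in for the dump's SQL (ASSUMED schema, fake data).
SAMPLE_DUMP = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin01', 'hunter2', 'admin');
INSERT INTO users VALUES (2, 'aff_77', 'Winter2024!', 'affiliate');
CREATE TABLE btc_addresses (id INTEGER, user_id INTEGER, address TEXT);
INSERT INTO btc_addresses VALUES (1, 1, 'bc1qexample000000000000000000000000000001');
INSERT INTO btc_addresses VALUES (2, 2, '1ExampleLegacyAddress0000000000002');
INSERT INTO btc_addresses VALUES (3, 2, 'bc1qexample000000000000000000000000000003');
CREATE TABLE chats (id INTEGER, victim_id INTEGER, ts TEXT, sender TEXT, message TEXT);
INSERT INTO chats VALUES (1, 101, '2024-12-19 10:02:11', 'affiliate', 'Price is $2M. You have 48 hours.');
INSERT INTO chats VALUES (2, 101, '2024-12-20 08:15:40', 'victim', 'We can do $500,000 at most.');
INSERT INTO chats VALUES (3, 102, '2025-03-02 17:44:09', 'affiliate', 'Final price is $1k. Pay by Friday.');
INSERT INTO chats VALUES (4, 102, '2025-04-29 09:00:00', 'victim', 'Need to consult the board.');
"""


def matches_ioc(data: bytes, expected_sha256: str = LEAK_ARCHIVE_SHA256) -> bool:
    """True if data hashes to the published IoC.  Check before unzipping."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def load_dump(sql_text: str) -> sqlite3.Connection:
    """Load a plain SQL dump into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql_text)
    return conn


# Matches "$2M", "$1k", "$500,000", "$1,250,000.00".  A trailing letter that is
# not a k/M suffix (e.g. "$5 million", "$5 meals") leaves the figure unmultiplied.
_USD = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)\s*([kKmM])?(?![A-Za-z])")


def parse_usd(text: str) -> list:
    """Every dollar figure in text, normalised to whole US dollars."""
    amounts = []
    for number, suffix in _USD.findall(text):
        value = float(number.replace(",", ""))
        if suffix.lower() == "k":
            value *= 1_000
        elif suffix.lower() == "m":
            value *= 1_000_000
        amounts.append(int(round(value)))
    return amounts


def _one(conn: sqlite3.Connection, sql: str):
    return conn.execute(sql).fetchone()


def demands_by_victim(conn: sqlite3.Connection) -> dict:
    """Highest figure an affiliate quoted to each victim."""
    out = {}
    for victim, msg in conn.execute(
            "SELECT victim_id, message FROM chats WHERE sender = 'affiliate'"):
        for amount in parse_usd(msg):
            out[victim] = max(out.get(victim, 0), amount)
    return out


def summarize(conn: sqlite3.Connection) -> dict:
    """Headline figures of the kind reported for the leak."""
    first, last = _one(conn, "SELECT MIN(ts), MAX(ts) FROM chats")
    demands = list(demands_by_victim(conn).values())
    return {
        "credential_rows": _one(conn, "SELECT COUNT(*) FROM users")[0],
        "btc_addresses": _one(conn, "SELECT COUNT(DISTINCT address) FROM btc_addresses")[0],
        "messages": _one(conn, "SELECT COUNT(*) FROM chats")[0],
        "victims": _one(conn, "SELECT COUNT(DISTINCT victim_id) FROM chats")[0],
        "first_message": first,
        "last_message": last,
        "min_demand_usd": min(demands) if demands else None,
        "max_demand_usd": max(demands) if demands else None,
    }


if __name__ == "__main__":
    db = load_dump(SAMPLE_DUMP)
    print(summarize(db))
    print(demands_by_victim(db))
```

A real MySQL dump will not load verbatim into SQLite (backticks, `ENGINE=` clauses, `LOCK TABLES` statements); restore it into a throwaway MySQL or MariaDB instance, or strip those constructs first. The figure parser only understands `$2M`, `$500,000` and `$1k` forms; spelled-out amounts are left for manual review. Do the work on an isolated host, since the archive is untrusted content from an unknown third party.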
## Impact Assessment
- **Financial:** No loss to LockBit is quantified in the source. The chats show ransom demands from about $1,000 to $2 million.
- **Data Breach:** Exposure of nearly 60,000 Bitcoin addresses (payment destinations, which can now be traced on-chain), 75 sets of plaintext credentials and 4,423 negotiation messages.
- **Operational:** Severe disruption to LockBit's affiliate communication and management structure.
- **Reputational:** Significant damage to the perceived operational security and authority of the LockBit group.
## Indicators of Compromise
- **Network Indicators:** None. The dump concerns LockBit's own panel, not a victim network; the only artifact is the dump itself.
- **File Indicators:**
  * `paneldb_dump.zip` (SHA-256: e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997)
- **Behavioral Indicators:** Defacement of a known ransomware infrastructure panel.
## Response Actions
*Response actions documented are related to actions taken by the actor who exposed the data, not organizational IR.*
- **Containment:** The defacement took the live LockBit panel out of use.
- **Eradication:** Not applicable; the public release of the data is the exposure itself, not a remediation step.
- **Recovery:** LockBit would need to rebuild the platform, reset every administrator and affiliate credential, and treat the exposed Bitcoin addresses as publicly known.
## Lessons Learned
- **Key Takeaways:** LockBit stored administrator and affiliate passwords in plaintext in the panel database, a basic operational security failure: a single database export yielded 75 working credential sets. The leaked affiliate "tips" show a deliberate pressure playbook, including coordinating a ransom payment across a victim's multiple directors.
- **What could have been done better:** The panel kept credentials, wallet addresses and every negotiation transcript in one unsegmented database, so a single export revealed the whole operation, including thousands of internal conversations.
## Recommendations
- **Prevention Measures for Similar Incidents (General IR):** Store passwords only as salted, memory-hard hashes (Argon2id, scrypt or bcrypt), never in plaintext or under reversible encryption; keep any secrets that must be recoverable (API keys, wallet material) encrypted at rest with the key held outside the database. Compartmentalise data stores and access so that one compromised component cannot expose the whole operation. Regularly audit data stores for plaintext or weakly hashed credentials.
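The storage flaw behind the credential exposure is the one the recommendation targets, and the correct fix is a password hash rather than encryption: whoever dumps the table gets nothing reusable, and there is no decryption key sitting beside the data for them to steal. The block below is an added example (not LockBit's code and not from the source newsletter) showing scrypt-based storage in a PHC-style string, constant-time verification, and the audit the last recommendation calls for: a scan that flags any row whose password column does not hold a recognisable hash. The `(username, password)` row shape and the sample rows are constructed for illustration.

```python
"""Password storage the leaked panel should have had: salted scrypt hashes in
a PHC-style string, constant-time verification, and an audit that flags rows
still holding plaintext.

Added example for this report, not LockBit's code.  The (username, password)
row shape and the sample rows are constructed for illustration."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# scrypt cost: N = 2**14, r = 8, p = 1 (about 16 MiB per hash).  Raise LN as
# hardware allows; each offline guess against a dumped table then costs as much.
SCRYPT_LN, SCRYPT_R, SCRYPT_P, DKLEN = 14, 8, 1, 32
MAX_LN = 20  # refuse absurd parameters from a tampered stored string


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return '$scrypt$ln=..,r=..,p=..$<salt>$<hash>'; the salt is random per row."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=2 ** SCRYPT_LN, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt$ln={SCRYPT_LN},r={SCRYPT_R},p={SCRYPT_P}${_b64e(salt)}${_b64e(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string and compare
    in constant time.  Anything that is not a well-formed scrypt string fails."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        return False
    try:
        params = dict(kv.split("=", 1) for kv in parts[2].split(","))
        ln = int(params["ln"])
        if not 1 <= ln <= MAX_LN:
            return False
        salt, expected = _b64d(parts[3]), _b64d(parts[4])
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** ln,
                            r=int(params["r"]), p=int(params["p"]),
                            dklen=len(expected))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(dk, expected)


_PHC_PREFIX = re.compile(r"^\$[a-z0-9-]+\$")


def looks_hashed(value: str) -> bool:
    """PHC-style strings ($scrypt$, $argon2id$, $2b$ ...).  Bare hex (unsalted
    MD5/SHA-1) deliberately fails: that is weak storage and should be flagged."""
    return bool(_PHC_PREFIX.match(value))


def audit_plaintext(rows) -> list:
    """Usernames whose password column does not hold a recognised hash."""
    return [username for username, secret in rows if not looks_hashed(secret)]


# Constructed rows: one stored the way the leaked panel did, one done properly.
SAMPLE_ROWS = [
    ("admin01", "hunter2"),
    ("aff_77", hash_password("Winter2024!")),
]

if __name__ == "__main__":
    print("rows without a proper hash:", audit_plaintext(SAMPLE_ROWS))
    print("aff_77 login ok:", verify_password("Winter2024!", SAMPLE_ROWS[1][1]))
```

Because the cost parameters travel inside the stored string, the table can be re-hashed to a higher cost on each user's next login without a schema change; the `MAX_LN` cap stops an attacker who can write to the table from turning a login attempt into a memory-exhaustion denial of service.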