When Hackers Get Hacked: Analyzing the Breach of LockBit

SlowMist

Background: Who is LockBit?

LockBit is an active Ransomware-as-a-Service (RaaS) operation that first appeared in September 2019. It was initially known as the “ABCD ransomware” due to the “.abcd” extension it appended to encrypted files. The group is known for its technical sophistication, high degree of automation, and efficient extortion tactics. It has launched widespread attacks against enterprises, governments, educational institutions, and healthcare systems worldwide, and has been designated as an Advanced Persistent Threat (APT) by multiple national security agencies. We previously disclosed information about this group last year.

LockBit has evolved through several versions:

  • LockBit 1.0 (2019): Identified by the “.abcd” extension; supported Windows platforms; used RSA + AES encryption algorithms; known for its fast execution.
  • LockBit 2.0 (2021): Introduced automated propagation features to improve extortion efficiency.
  • LockBit 3.0 / LockBit Black (2022): Featured modular design and strong anti-analysis capabilities; also launched the first bug bounty program offering rewards to external researchers for testing the ransomware.
  • LockBit Green (alleged 2023 version): Rumored to have integrated parts of the now-defunct Conti ransomware gang’s code.

As a typical RaaS model, LockBit’s core developers provide the ransomware toolkit, while “affiliates” carry out the actual attacks, infiltration, and deployment. The profits are split, with the affiliates who carry out the attacks typically receiving 70% of the ransom. LockBit also uses a highly coercive “double extortion” tactic: encrypting files while also stealing data and threatening to release it if the ransom isn’t paid, posting stolen data on dedicated leak sites.

On the technical side, LockBit supports both Windows and Linux systems, employs multithreaded encryption and AES-NI instructions for high performance, and can move laterally within internal networks (e.g., via PsExec or RDP brute force). Before encryption, it actively shuts down databases and key services and deletes backups.

LockBit attacks are typically systematic and exhibit classic APT characteristics. The general attack chain is as follows:

  • Initial access (phishing emails, exploitation of vulnerabilities, weak RDP credentials)
  • Lateral movement (using tools like Mimikatz, Cobalt Strike)
  • Privilege escalation
  • Data exfiltration
  • File encryption
  • Ransom note delivery
  • Data publication on leak sites (if ransom is not paid)

LockBit has been behind several high-profile incidents:

  • In 2022, it attacked the Italian Revenue Agency, affecting data on millions of taxpayers.
  • It claimed responsibility for an intrusion into Canada’s SickKids Hospital, later apologized, and provided a decryption tool.
  • Numerous manufacturers, including those in defense and medical sectors, have been encrypted by LockBit.
  • In Q2 of 2022, LockBit accounted for over 40% of global ransomware attacks.
  • The group has impacted more than 1,000 companies — far surpassing older groups like Conti and REvil.
  • Its extortion success rate is notably high: of the $100 million in ransoms it demanded in 2022, over half was actually paid.

Still, even LockBit isn’t invincible. On February 19, 2024, its websites were seized in a coordinated law enforcement operation — “Operation Cronos” — by the UK’s National Crime Agency, the FBI, Europol, and INTERPOL. Several LockBit members were arrested or placed on wanted lists, though the core development team was not completely dismantled. Some ransomware samples remain active on the dark web and are still being used by affiliated groups.

Breaking News: LockBit’s Site Was Hacked

Today, SlowMist received intelligence that LockBit’s onion site was hacked. The attackers not only took control of its management panel but also released a packaged file containing the database. As a result, LockBit’s database was leaked, including Bitcoin addresses, private keys, chat records, and associated companies — highly sensitive information.

Even more dramatically, the hackers left a cryptic message on the defaced site:

“Don’t do crime CRIME IS BAD crime is bad xoxo from Prague”

Shortly after, the leaked data was uploaded to platforms like GitHub and quickly spread.

LockBit’s official channel later responded in Russian. Here’s a rough translation of the conversation:

Rey: LockBit pwned? Anything on that?

LockBitSupp: Only the lightweight panel with an authorization code was breached. No decryptors were stolen, and no company data was affected.

Rey: But that means Bitcoin addresses, chat logs, and keys were leaked… this will hurt your reputation, right?

Rey: Were the locker builder or source code stolen?

Rey: Will you resume operations? If so, how long will it take?

LockBitSupp: Only Bitcoin addresses and chat logs were leaked. No decryptors were stolen. Yes, this affects our reputation, but so would relaunching after patching the system. The source code was not stolen. We’re already working on recovery.

Rey: Got it. Good luck. Thanks for the reply.

Leak Analysis

SlowMist promptly downloaded the leaked files (some of the images below are screenshots of dashboards and source code leaked in 2024, used solely for internal research; all backups have since been deleted). We conducted a preliminary analysis of the directory structure, code files, and database contents, aiming to reconstruct LockBit’s internal platform architecture and its functional components.

From the directory structure, this appears to be a lightweight PHP-based victim management platform used by LockBit.

Directory Structure Analysis:

  • Folders like api/, ajax/, services/, models/, and workers/ suggest a certain level of modularity, but don’t follow conventions of common frameworks like Laravel (e.g., app/Http/Controllers).
  • Files such as DB.php, prodDB.php, autoload.php, and functions.php indicate manual management of database connections and function loading.
  • The presence of vendor/ and composer.json shows that Composer was used—implying that third-party libraries were likely introduced, though the framework itself seems custom-built.
  • Folder names like victim/ and notifications-host/ are suspicious—especially in a security context.

Hence, we speculate that the hacker from “Prague” likely exploited a PHP 0-day or 1-day vulnerability to compromise the web backend and management console.
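The directory-level observations above (modular folders without framework conventions, hand-managed DB and loader files, Composer present, suspicious top-level names) can be made mechanically and repeatably over an extracted archive. The following Python script is an added example, not SlowMist’s tooling: given a list of relative paths it checks for framework markers, Composer usage, hand-rolled root files and a watch list of directory names, and only ever reads path names, never executing anything from the leak. The framework signature table, the watch list and the `SAMPLE_PATHS` list are constructed for the illustration and modelled on the layout described above.

```python
"""Layout triage for an extracted web-app leak, without executing any of it.

Added example, not SlowMist's tooling. The signature tables and SAMPLE_PATHS
are constructed for this illustration.
"""
from collections import Counter
from pathlib import Path, PurePosixPath

# Hallmarks of common PHP frameworks; when none are present the app is likely hand-built.
FRAMEWORK_MARKERS = {
    "laravel": ("app/Http/Controllers", "artisan", "routes/web.php"),
    "symfony": ("bin/console", "src/Kernel.php", "config/services.yaml"),
}
# Root-level files that usually mean DB connections and class loading are managed by hand.
HAND_ROLLED_MARKERS = {"DB.php", "prodDB.php", "autoload.php", "functions.php"}
# Top-level directory names an analyst would open first (constructed watch list).
NOTABLE_DIRS = {"victim", "victims", "notifications-host", "payments", "decryptor"}

# Constructed path list, modelled on the layout described in the analysis above.
SAMPLE_PATHS = [
    "api/status.php", "ajax/chat.php", "services/Mailer.php", "models/Victim.php",
    "workers/queue.php", "victim/index.php", "notifications-host/push.php",
    "DB.php", "prodDB.php", "autoload.php", "functions.php", "composer.json",
    "vendor/autoload.php", "vendor/monolog/monolog/src/Logger.php",
    "public/index.php", "assets/app.css",
]


def list_paths(root):
    """Relative POSIX paths of every file under root (read-only directory walk)."""
    base = Path(root)
    return [p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()]


def inventory(paths):
    """Summarise a path list: framework markers, Composer use, hand-rolled files, notable dirs."""
    rel = [PurePosixPath(p) for p in paths]
    files = {p.as_posix() for p in rel}
    nested = [p for p in rel if len(p.parts) > 1]
    top_dirs = Counter(p.parts[0] for p in nested)
    # PHP file count per top-level directory, ignoring third-party code under vendor/.
    php_per_dir = Counter(p.parts[0] for p in nested
                          if p.suffix == ".php" and p.parts[0] != "vendor")
    # A marker matches either as an exact file or as a directory prefix.
    markers_found = {
        name: [m for m in markers
               if m in files or any(f.startswith(m + "/") for f in files)]
        for name, markers in FRAMEWORK_MARKERS.items()
    }
    # Composer packages live at vendor/<vendor>/<package>/...
    vendor_packages = sorted({f"{p.parts[1]}/{p.parts[2]}" for p in nested
                              if p.parts[0] == "vendor" and len(p.parts) > 3})
    return {
        "top_level_dirs": dict(top_dirs),
        "php_files_per_dir": dict(php_per_dir),
        "framework_markers": markers_found,
        "likely_custom": not any(markers_found.values()),
        "hand_rolled_files": sorted(files & HAND_ROLLED_MARKERS),
        "uses_composer": "composer.json" in files and "vendor" in top_dirs,
        "vendor_packages": vendor_packages,
        "notable_dirs": sorted(set(top_dirs) & NOTABLE_DIRS),
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass the extraction directory as the first argument; defaults to the constructed sample.
    paths = list_paths(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    print(json.dumps(inventory(paths), indent=2))
```

Run it against an extraction directory rather than the sample to get the same summary for a real archive; the vendor package list is worth keeping because it pins down which third-party libraries (and therefore which published advisories) could apply to the backend.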

Below is the previously leaked management console.

Historical chat communication screenshot:

Looking at the red boxed content:
Did the victim pay the ransom from co… Coinbase?

Additionally, the leaked database contains around 60,000 BTC addresses:

There are 75 user account credentials in the leaked database:

Interesting Ransom Negotiation Chat:

Random Successful Payment Record:

Order Address:

We used MistTrack to trace the Bitcoin receiving address:

The money laundering flow is relatively clear, eventually leading into cryptocurrency exchanges. Due to space constraints, MistTrack will continue its analysis of these crypto addresses. If you’re interested, follow us on X: @MistTrack_io
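Before a leaked address list is fed into a tracing tool or an exchange blocklist, malformed and corrupted entries need to be weeded out, since a dump this size will contain typos, truncated fields and test data. The following Python script is an added example, not SlowMist’s or MistTrack’s code: it extracts address-shaped tokens from SQL dump text, keeps only those whose checksum verifies (Base58Check for legacy P2PKH/P2SH, Bech32/Bech32m for segwit), deduplicates them and tallies them by type. The `btc_addresses` table name and the `SAMPLE_DUMP` lines are constructed; the addresses in them are the public example addresses from the Bitcoin wiki and BIP173, plus one deliberately corrupted copy.

```python
"""Extract and checksum-validate Bitcoin addresses from leaked SQL dump text.

Added example, not SlowMist's or MistTrack's code. SAMPLE_DUMP and the table
name btc_addresses are constructed; the addresses are the public examples from
the Bitcoin wiki and BIP173, plus one deliberately corrupted copy (row 4).
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_BYTES = {0x00: "p2pkh", 0x05: "p2sh"}          # Bitcoin mainnet only
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"            # bech32 alphabet
BECH32M_CONST = 0x2BC830A3
# Address-shaped tokens: lowercase bech32 ("bc1...") or Base58 ("1..."/"3...").
ADDRESS_RE = re.compile(r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}"
                        r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

SAMPLE_DUMP = """\
INSERT INTO `btc_addresses` VALUES (1,'1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2','2024-11-02');
INSERT INTO `btc_addresses` VALUES (2,'3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy','2024-11-02');
INSERT INTO `btc_addresses` VALUES (3,'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq','2024-11-03');
INSERT INTO `btc_addresses` VALUES (4,'1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3','2024-11-03');
INSERT INTO `btc_addresses` VALUES (5,'1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2','2024-11-04');
"""


def _dsha256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def b58check_decode(addr):
    """(kind, 20-byte hash) for a legacy address whose checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw   # each leading '1' is a 0x00 byte
    if len(raw) != 25 or _dsha256(raw[:21])[:4] != raw[21:]:
        return None
    kind = VERSION_BYTES.get(raw[0])
    return (kind, raw[1:21]) if kind else None


def p2pkh_address(hash160):
    """Base58Check-encode a 20-byte HASH160 as a mainnet P2PKH address (inverse of the decoder)."""
    full = b"\x00" + hash160
    full += _dsha256(full)[:4]
    n, digits = int.from_bytes(full, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + digits


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _regroup_5_to_8(data):
    """Repack 5-bit groups into bytes; None unless the tail is clean zero padding."""
    acc = bits = 0
    out = []
    for v in data:
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if bits >= 5 or (acc << (8 - bits)) & 0xFF:
        return None
    return bytes(out)


def segwit_decode(addr):
    """(kind, witness program) for a mainnet bech32/bech32m address that verifies, else None."""
    hrp, _, body = addr.lower().rpartition("1")
    if hrp != "bc" or len(body) < 7 or any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    check = _polymod([ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data)
    version, program = data[0], _regroup_5_to_8(data[1:-6])
    if program is None:
        return None
    if version == 0 and check == 1 and len(program) in (20, 32):          # BIP173
        return ("p2wpkh" if len(program) == 20 else "p2wsh", program)
    if 1 <= version <= 16 and check == BECH32M_CONST and 2 <= len(program) <= 40:  # BIP350
        return ("p2tr" if version == 1 else f"witness_v{version}", program)
    return None


def classify(addr):
    """Route a token to the right decoder; None means the checksum did not verify."""
    return segwit_decode(addr) if addr[:3].lower() == "bc1" else b58check_decode(addr)


def triage(dump_text):
    """Unique verified addresses (with type and hash), rejected tokens, and a per-type tally."""
    valid, invalid, kinds = {}, [], {}
    for token in ADDRESS_RE.findall(dump_text):
        result = classify(token)
        if result is None:
            invalid.append(token)
        elif token not in valid:
            valid[token] = result
            kinds[result[0]] = kinds.get(result[0], 0) + 1
    return {"valid": valid, "invalid": invalid, "kinds": kinds}


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP)
    print(f"{len(summary['valid'])} verified, {len(summary['invalid'])} rejected: {summary['kinds']}")
```

On the sample, row 4 is rejected (one changed character breaks the Base58Check checksum) and the duplicate in row 5 is collapsed, leaving three verified addresses. The regex only matches lowercase bech32 because the decoder lowercases before checking, so all-uppercase entries in a real dump should be lowercased first; mixed-case strings are never valid bech32.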

LockBit has released an updated statement on the incident, roughly translated as follows:

“On May 7, 2025, one of our lightweight panels with auto-registration capability was compromised. Anyone could bypass authentication and access it directly. The database was stolen, but no decryptors or sensitive data from victim companies were involved. We are investigating the exact method of intrusion and have initiated the rebuilding process. The main control panel and blog remain operational.”

“It’s said that the attacker is someone named ‘xoxo’ from Prague. If you can provide accurate and reliable information about this person’s identity — I’m willing to pay for it.”

LockBit’s response is rather ironic. Previously, the U.S. Department of State issued a bounty of up to $10 million for information leading to the identification or location of LockBit core members or key collaborators. An additional $5 million was offered to incentivize the reporting of LockBit affiliates’ attack activities.

Now, LockBit itself has been hacked and is turning to bounty-hunting tactics to find the attacker — effectively being bitten by its own reward mechanism. This is both ironic and revealing, exposing significant security gaps and internal chaos within the group.

Summary

Since its emergence in 2019, LockBit has become one of the most dangerous ransomware groups in the world, with an estimated total ransom revenue — both public and undisclosed — exceeding $150 million. Its Ransomware-as-a-Service (RaaS) model has attracted a large number of affiliates to participate in attacks. Although the group suffered a law enforcement blow in early 2024 during Operation Cronos, it has remained active.

This incident marks a major challenge to LockBit’s internal system security, which may impact its reputation, affiliate trust, and operational stability. At the same time, it reflects an emerging trend of “counterattacks” against cybercrime organizations within cyberspace.

SlowMist Security Team Recommendations:

  • Continuous Threat Intelligence Monitoring: Closely track LockBit’s recovery efforts and potential variant releases.
  • Dark Web Surveillance: Monitor relevant forums, sites, and intelligence sources in real time to prevent secondary leaks and data abuse.
  • RaaS Threat Defense Reinforcement: Review your organization’s exposure and strengthen identification and blocking of RaaS toolchains.
  • Enhanced Incident Response Mechanisms: If there’s direct or indirect relevance to your organization, immediately report to supervisory authorities and activate emergency protocols.
  • Crypto Transaction Tracking & Anti-Fraud Coordination: If suspicious payment routes are found flowing into your platform, enhance anti-money laundering controls in coordination with blockchain monitoring tools.

This incident serves as a stark reminder that even the most technically capable hacker groups are not immune to cyberattacks. It’s one of the many reasons cybersecurity professionals must continue the fight — relentlessly.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience, with the aim of becoming a global force in the field. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
