LockBit Ransomware Group Hacked

  • LockBit’s dark web infrastructure has been hijacked and defaced by an unknown actor
  • Internal databases containing victim chats and affiliate details have been publicly leaked
  • Cybersecurity experts have confirmed the breach as authentic and potentially damaging to the group

In a wonderful stroke of irony, the LockBit ransomware gang, one of the most prolific cybercriminal groups in recent years, has been hacked. In a dramatic reversal of roles, the group’s dark web leak sites were taken over and replaced with a mocking message, while sensitive operational data was dumped online. The breach has exposed a treasure trove of internal communications and affiliate records, shaking the group’s credibility within the cybercrime ecosystem. The hack comes almost a year to the day since the group’s leader was identified as Russian national Dmitry Khoroshev.

Defacement and Data Dump

Visitors to LockBit’s leak site on May 8 were met with a message reading, “Don’t do crime. CRIME IS BAD. xoxo from Prague,” suggesting the attacker’s intent was both disruptive and symbolic. Alongside the message was a link to a MySQL database containing over 500MB of internal data, including victim negotiation transcripts, affiliate usernames, and details of ransom payments. This represents one of the most significant leaks of data from a ransomware group to date.

The leaked database offers rare insight into the ransomware-as-a-service model LockBit has employed, showing how affiliates submitted victims, negotiated demands, and split proceeds. Some of the conversations appear to show the group’s aggressive tactics, even targeting small businesses and nonprofits. Analysts reviewing the data believe this could damage LockBit’s appeal to prospective affiliates, who depend on the group’s anonymity and operational security.

Rival Gang or White Hats?

Security researchers have confirmed the data’s authenticity, though it remains unclear who is behind the breach. Speculation ranges from a rival gang to a disgruntled insider or even a law enforcement sting. The group has previously recovered from takedowns, including a multinational law enforcement effort in 2024, but this incident may prove more damaging due to the depth of exposure.

LockBit’s ability to bounce back is in question, given the scale of the breach. With its internal secrets laid bare, confidence among affiliates may falter. While the group could rebrand or relocate, the psychological and operational blow is undeniable. For now, one of the world’s most feared ransomware groups finds itself the victim of its own game.
