The world’s former most prolific ransomware gang just got hacked, with threat actors leaving a note, “Don’t do crime.”
The LockBit ransomware gang, a long-standing fixture of the global ransomware ecosystem, has suffered an apparent breach of its own systems.
The dark web affiliate panels used to coordinate attacks were defaced earlier this week, replaced with a stark message: “Don't do crime. CRIME IS BAD xoxo from Prague.”
The defacement, first noticed by threat actor and researcher Rey, included a link to download a file named paneldb_dump.zip with a database from its affiliate management portal.
According to Rey, the dump was created around April 29th, suggesting that LockBit was compromised on or prior to that date, before being defaced on May 7th. No group has yet claimed responsibility.
While the full implications of the breach remain unclear, it questions the internal security and stability of the ransomware-as-a-service (RaaS) model.
Trust and operational secrecy are central to these criminal enterprises. A leak or compromise of affiliate infrastructure can undermine confidence and disrupt the flow of attacks.
So LockBit just got pwned ... xD pic.twitter.com/Jr94BVJ2DM
undefined Rey (@ReyXBF) May 7, 2025
Confirmation of the breach came directly from a LockBit representative known as LockBitSupp, who acknowledged the compromise in a Tox chat with Rey.
The spokesperson claimed that although the defacement was real, no private encryption keys or stolen company data were exposed, and no sensitive operational data was permanently lost. According to Lockbit, only Bitcoin addresses and conversations with companies have been stolen from the panel.
“The source code is not stolen. I’m already working on getting back to work,” writes LockBitSupp in chat.
At the time of writing, Lockbit’s site on the dark web has been up again and running.
Breach signals a weakening position
Ferhat Dikbiyik, Chief Research & Intelligence Officer (CRIO) at Black Kite, told Cybernews that the breach of their own infrastructure has real consequences. According to him, affiliates have been migrating to other ransomware groups or launching their own Ransomware-as-a-Service (RaaS) operations.
“That’s part of why we’re now seeing a surge in fragmentation: over 90 active ransomware groups today, compared to just 40+ during LockBit’s 2023 peak. These affiliates are fueling the growth of newer, more agile operations,” he said. “In a business built on reputation and anonymity, LockBit’s loss of control doesn’t just damage them, it reshapes the ecosystem.”
What is Lockbit?
The attack follows a string of blows dealt to LockBit by international law enforcement. In early 2024, authorities launched Operation Cronos, a coordinated effort involving agencies from 11 countries.
The operation resulted in the seizure of 34 servers, the takedown of LockBit’s data leak sites, and the recovery of over 1,000 decryption keys used to help victims unlock their data without paying ransoms.
Over 200 cryptocurrency wallets linked to the criminal organization have allegedly been seized in the bust. While the gang managed to resume illicit activities after the seizure, its operational capacity has been slowing down.
In February this year, the supposed head of the LockBit ransomware cartel claimed to have stolen data that could “destroy” the FBI's structure.
In March, Rostislav Panev, a 51-year-old Russian and Israeli national, was extradited to the United States on charges of being a Lockbit developer. According to the Department of Justice, Panev earned about $230,000 in cryptocurrency for his work between June 2022 and February 2024.
The Russia-linked group first appeared on the ransomware scene in late 2019, according to industry insiders.
Since then, the gang has climbed to the top of the food chain, becoming one of the most active ransomware gangs of the time. In 2022 and 2023, LockBit was responsible for 40% of all ransomware attacks.
Your email address will not be published. Required fields are markedmarked