LockBit bungles attempt to rebrand as DarkVault


The LockBit cybercriminal outfit appears to be planning a ransomware rebrand as the DarkVault, discovered by security researchers Wednesday after LockBit seemingly bungled the new website’s design.

The ransomware faux pas was hidden in plain sight, according to security researcher Dominic Alvieri, who first spotted the give-away and posted about it on X.

When taking a look at DarkVault’s recently launched dark blog, Alvieri happened to notice parts of the site contained several of LockBit's current branding designs.

Alvieri posted two screenshots side by side, each from two different onion web addresses depicting two separate online mirror sites belonging to the new group.

“New LockBit style DarkVault #2 on left. Dark Vault 1 on your right,” the post read.

The page on the left looks like a replica of LockBit’s current dark leak site – down to the font, the use of red and white, and even the format of the gang’s infamous ransom demand countdown clock.

In another later X post, Alvieri spotted another design snafu showing the LockBit logo next to the wording 'DarkVault Blog.”

DarkVault site LockBit logo
Image by Cybernews.

At some point, LockBit must have become aware of the mistake – the gang is known to keep tabs on social platforms, such as X, to track the latest media mentions – and any design similarities belonging to the Lockbit miraculously disappeared.

Cybernews was able to view both of the DarkVault mirror sites, and can confirm that any traces of LockBit on DarkVault’s blog are long gone.

While the layout of DarkVault’s new ransomware blog appears to be completed, the blog is devoid of victims at this time.

“DarkVault is an exclusive online community dedicated to exploring the depths of technology, privacy, and security,” DarkVault posted in its announcement page.

“Our members share a passion for understanding the digital realm and safeguarding their online presence. Within our virtual haven, we delve into discussions about cybersecurity, encryption, and the latest developments in digital privacy. Join us on a journey to unravel the mysteries of the digital world, one discussion at a time, it said.

DarkVault site introduction
DarkVault leak site. Image by Cybernews.

The two founders of DarkVault, usernames ‘Neroces’ and ‘criminaldo. ’are listed on the contact page under staff.

Besides the usual tabs, it seems the group may be expanding its services with several new categories to include “Doxes, BlackHat Services, and Pwned Sites.”

Although most of the pages were still empty, the BlackHat Services category listed a plethora of illegal activities and financial frauds, apparently the group is willing to carry out for the right price.

Included in the nefarious list are benign activities such as defacing websites, bank check templates, cookie logins, and spamming – but other actions such a bomb threatening, drug recipes, account brute-forcing, and malware creation are much more sinister.

DarkVault site BlackHat services
DarkVault leak site. Image by Cybernews.

Also worth noting, the artwork used in the blog includes a rendering of a cat sitting on top of a vault – sort of ironic considering the beef between LockBit and fellow ransomware gang ALPHV/BlackCat, who faked its own takedown last month after carrying out a $22 million ransomware attack on UnitedHealth.

In early February, LockBit servers were seized by the FBI, but just weeks later the group was back up and running, successfully targeting Ernest Health, a network of specialty hospitals located across the US.

Both LockBit and ALPHV sit on the top of the ransomware crime food chain, both are developed by syndicates with strong ties with cyber underworld in Russia.

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, the LockBit gang was responsible for 47% of all publicly announced ransomware victims in the last 12 months.