Rey: Will you go back online to work? If so, how long will it take?
LockBitSupp: Only the Bitcoin addresses and conversation content were stolen, no decryptor was stolen. Yes, this indeed affects reputation, but restarting after repair will also affect reputation. The source code was not stolen. We are already working on recovery.
Rey: Okay, good luck. Thank you for your answer.
Leak Analysis
SlowMist immediately downloaded the related leaked files (for internal research only; the backup was promptly deleted). We conducted a preliminary analysis of the directory structure, code files, and database content, attempting to reconstruct the architecture and functional components of LockBit's internal operating platform.

From the directory structure, this looks like a lightweight, hand-rolled PHP application written for the LockBit victim management platform.
Directory structure analysis:
- api/, ajax/, services/, models/, workers/ show that the project has some modularity, but it does not follow the directory conventions of frameworks such as Laravel (for example app/Http/Controllers);
- DB.php, prodDB.php, autoload.php, functions.php indicate that database access and function bootstrapping are managed manually;
- vendor/ together with composer.json shows that Composer is used, so third-party libraries may have been introduced, but the framework itself was most likely self-written;
- victim/, notifications-host/ and other folder names are somewhat suspicious (especially from a security-research standpoint).
So we speculate that the hacker from "Prague" most likely used a PHP 0-day or 1-day vulnerability to compromise the website and its management console.
Management console as follows:

Part of the chat communication information:

Looking at the information in the red box: the victim's CEO is from co ... Coinbase? Paying a ransom?
Meanwhile, the leaked database involves about 60,000 BTC addresses:

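When a dump of this kind is analysed, the first step before any on-chain tracing is to pull every Bitcoin address out of the raw rows and discard the ones that are typos, truncated values or stray base58-looking strings, so that only checksum-valid addresses are fed into a tracker such as MistTrack. The following script is an added example written for this article, not code from SlowMist or from the leaked platform; the SQL-style rows it scans are constructed (the victim labels and amounts are made up), and the three valid addresses in them are public test values (the genesis-block address, the Bitcoin wiki P2SH example and the BIP173 bech32 test vector), while the fourth is the genesis address with one altered character, which the checksum must reject.

```python
import hashlib
import re

# Constructed sample resembling rows of a leaked payment table. The rows,
# victim labels and amounts are made up; the three valid addresses are
# public, well-known test values (the genesis-block address, the Bitcoin
# wiki P2SH example and the BIP173 bech32 test vector). The third address
# is the genesis address with its last character altered, so its checksum
# no longer matches and a validator must reject it.
SAMPLE_DUMP = """
INSERT INTO `orders` VALUES (1,'victim_a','1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',0.5,'paid');
INSERT INTO `orders` VALUES (2,'victim_b','3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy',1.2,'pending');
INSERT INTO `orders` VALUES (3,'victim_c','1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb',0.1,'paid');
INSERT INTO `orders` VALUES (4,'victim_d','bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4',2.0,'paid');
INSERT INTO `orders` VALUES (5,'victim_a','1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',0.5,'paid');
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Loose candidate pattern: legacy base58 (starts with 1 or 3) or bech32 (bc1...).
# It deliberately over-matches; the checksum functions below do the real filtering.
CANDIDATE_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-zA-Z]{8,87})\b")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4 bytes are a correct
    double-SHA256 checksum over the version byte plus the 20-byte hash."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in base58 encodes one leading zero byte.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """True if addr carries a correct bech32 (BIP173) or bech32m (BIP350) checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by BIP173
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr):
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _bech32_polymod(hrp_expanded + values)
    return const in (1, 0x2BC830A3)


def classify(addr: str):
    """Return the address type, or None when the checksum is wrong."""
    if addr.startswith("bc1"):
        return "bech32" if bech32_valid(addr) else None
    if not base58check_valid(addr):
        return None
    return "p2pkh" if addr[0] == "1" else "p2sh"


def extract_btc_addresses(text: str) -> dict:
    """Scan arbitrary dump text, deduplicate candidates in first-seen order and
    split them into checksum-valid (with type) and checksum-invalid lists."""
    seen, valid, invalid = set(), [], []
    for m in CANDIDATE_RE.finditer(text):
        cand = m.group(0)
        if cand in seen:
            continue
        seen.add(cand)
        kind = classify(cand)
        if kind:
            valid.append((cand, kind))
        else:
            invalid.append(cand)
    return {"valid": valid, "invalid": invalid}


if __name__ == "__main__":
    result = extract_btc_addresses(SAMPLE_DUMP)
    for addr, kind in result["valid"]:
        print(f"VALID   {kind:7s} {addr}")
    for addr in result["invalid"]:
        print(f"INVALID         {addr}")
```

Running it on the constructed rows lists the three genuine addresses once each (the duplicate row is collapsed) and flags the altered one as invalid; on a real dump the same pass also counts how many of the reported "60,000 addresses" are actually well-formed before any tracing effort is spent on them.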
The leaked database contains account passwords for 75 users:


Interesting bargaining chat:

Randomly finding a successful payment order:

Order address:

And using MistTrack to track Bitcoin receiving addresses:

The laundering path is quite clear, with the funds ultimately flowing into trading platforms. Due to space limitations, MistTrack will publish further analysis of the cryptocurrency addresses later; those interested can follow X: @MistTrack_io.
Currently, LockBit has also issued the latest statement regarding this incident. Roughly translated as follows:

"On May 7, 2025, our lightweight control panel with automatic registration functionality was invaded, where anyone could bypass authorization and directly access the panel. The database was stolen, but it did not involve decryptors or sensitive data from victim companies. We are currently investigating the specific invasion method and initiating the rebuilding process. The main control panel and blog are still running normally."
"The alleged attacker is someone called 'xoxo' from Prague. If you can provide exact information about his identity—as long as the message is reliable, I am willing to pay for it."
LockBit's response is quite ironic. Previously, the US State Department had issued a reward notice offering up to $10 million for information on the identity or location of LockBit's core members or key collaborators, and, to encourage the exposure of attacks carried out by its affiliates, a further reward of up to $5 million.
Now that LockBit itself has been hacked, it is in turn offering a price in its own channel for clues about the attacker—as if the "bounty hunter mechanism" has been turned back on itself, which is both laughable and further exposes the vulnerabilities and chaos in its internal security.
Summary
Active since 2019, LockBit is one of the world's most dangerous ransomware groups, with cumulative ransom estimates (including unpublished data) of at least $150 million. Its RaaS (Ransomware as a Service) model attracts numerous affiliates to participate in attacks. Despite being hit by "Operation Cronos" law enforcement in early 2024, it remains active. This incident marks a significant challenge to LockBit's internal system security, potentially affecting its reputation, affiliate trust, and operational stability. It also demonstrates the trend of "reverse attacks" in cyberspace against cybercrime organizations.
The SlowMist security team recommends:
- Continuous intelligence monitoring: closely track LockBit's rebuilding efforts and any potential variants;
- Monitor dark web activity: track related forums, sites, and intelligence sources in real time to prevent secondary leaks and misuse of the data;
- Strengthen defenses against RaaS threats: map one's own exposure surface and enhance mechanisms for identifying and blocking RaaS tool chains;
- Improve organizational response mechanisms: if any direct or indirect connection to one's organization is discovered, report it to the supervisory authorities immediately and activate the emergency plan;
- Coordinate fund tracking and anti-fraud: if suspicious payment paths are found flowing into one's platform, strengthen anti-money-laundering controls by combining them with on-chain monitoring systems.
This incident once again reminds us that even technically capable hacker organizations cannot completely avoid cyber attacks. This is also one of the reasons why security practitioners continue to fight.
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests, and are unrelated to Web3Caff's stance. The information in the articles is for reference only and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.