LockBit Got Hacked AGAIN?! The May 2025 Saga

Hello, my people! It's your cybersecurity friend here, and let me tell you, the gossip on the digital streets is hot. You remember LockBit, right? That big-shot ransomware crew, the thugs of the cyber world? Well, it looks like their house got broken into... again! In early May 2025 these guys, who think they are so clever, suffered a major breach of their dark-web affiliate infrastructure. What a scandal!

The “xoxo from Prague” Calling Card

So, picture this: early May 2025, and LockBit's affiliate panels (their little clubhouse, where affiliates manage their dirty work) suddenly get a makeover. Instead of the usual scary stuff, there's a message: "Don't do crime. CRIME IS BAD xoxo from Prague." Imagine! Someone with some serious nerve not only waltzed into their systems but left them a little note, like a digital Zorro.

And the cherry on top? A little present: a 7.5 MB file named paneldb_dump.zip. This wasn't just any garbage; it was a MySQL database dump, a juicy slice of their operational data from December 2024 to April 2025. We're talking about records for 75 of their admins and affiliates, and get this, with plaintext passwords! Good grief, some of these passwords were like "Weekendlover69." Seriously, these guys are teaching masterclasses in what not to do.

This "xoxo from Prague" message? It's not the first time we've seen it. The Everest ransomware gang got the same love note back in April 2025. Sounds like we have a vigilante, a "ransomware hunter," making the rounds. Interesting, no?

LockBit's main man, "LockBitSupp" (who the feds say is Dmitry Yuryevich Khoroshev), tried to play it cool, saying it wasn't a big deal. But come on, kid, your dirty laundry is out for everyone to see! This is a huge hit to their reputation, especially after "Operation Cronos" in February 2024, when law enforcement seized their infrastructure and crashed their party, followed by the May 2024 announcement that publicly named Khoroshev as LockBitSupp.

What Was in That paneldb_dump.zip? A Goldmine, My Friend!

This leaked database is like Christmas came early for law enforcement and us good-guy cybersecurity folks. Let's break down the treasure found:

  • users Table: Like I said, 75 admins and affiliates with their usernames and passwords in plain text. How awful! This is an OPSEC (Operational Security) nightmare for LockBit.
  • chats Table: Almost 4,500 negotiation chat messages with victims. We can see how they talk, how they pressure people, their ransom demands (from a few thousand dollars to over $150,000), and sadly, the desperation of the victims.
  • btc_addresses Table: Nearly 60,000 Bitcoin addresses used for collecting ransoms. LockBitSupp says no private keys were lost, and that is probably true (these are receiving addresses, not wallets), but the addresses alone are enough to cluster wallets and trace the money on-chain. Follow the money!
  • builds Table: Info on custom ransomware builds, sometimes even naming the companies they were targeting. This is direct evidence of who they were going after, and of which affiliate was going after them.

This data is a goldmine! It shows LockBit's playbook, their financial trails, and who is in their crew. The fact they stored passwords in plaintext? Not good. It tells you a lot about their internal security culture, or lack thereof.

Who Dunnit? And How? The PHP Connection

So, who is this "Prague" hacker? We don't know for sure. A vigilante? A rival gang? LockBitSupp is apparently offering a reward to find out. Good luck with that, especially since the US government has its own $10 million reward out for information on him.

The how is a bit clearer, though still not confirmed. Public reporting points to a PHP vulnerability, CVE-2024-4577, and says LockBit's panel server was running PHP 8.1.2. CVE-2024-4577 is an argument-injection bug in php-cgi on Windows: a soft-hyphen byte in the request gets mapped to a regular hyphen, so an attacker can smuggle php command-line options (such as -d to override php.ini directives) into the query string and turn that into Remote Code Execution (RCE), running their own code on your server. It was fixed in PHP 8.1.29, 8.2.20 and 8.3.8, so 8.1.2 is well inside the vulnerable range. One caveat a practitioner would add: the bug only applies to PHP run as CGI on Windows, so a version number alone does not prove this is how they got in. Either way, the irony, my people, is that these ransomware groups make their living exploiting unpatched vulnerabilities in other people's systems, and here they are, caught with their own digital pants down.
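Two checks a defender would actually run after reading the paragraph above, as an added example (this is not code from the original post, and it is not a reconstruction of the attack on LockBit): a version comparison against the fixed releases named in the PHP advisory, and a scan of web-server access-log lines for the publicly documented payload shape of CVE-2024-4577, where a soft hyphen (U+00AD, sent as %AD) is turned into "-" by php-cgi's Windows Best-Fit mapping and followed by "d" and a php.ini directive. The log format, the SAMPLE_LOG lines and the directive list are assumptions for this example.

```python
"""Version check and log scan for CVE-2024-4577 (php-cgi argument injection).
Added example; SAMPLE_LOG is constructed and not from any real server."""
import re
from urllib.parse import unquote_to_bytes

# First fixed release per supported branch, per the PHP security advisory.
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

# Directives the public exploit chains set via an injected "-d" option.
DIRECTIVES = (b"allow_url_include", b"auto_prepend_file",
              b"auto_append_file", b"cgi.force_redirect")

# Assumed combined-log request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+)')

# Soft hyphen as a raw 0xAD byte or as UTF-8 (C2 AD), then php-cgi's 'd'.
SOFT_HYPHEN_D = re.compile(rb"(?:\xc2\xad|\xad)d")

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [05/May/2025:03:14:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '10.0.0.9 - - [05/May/2025:03:14:09 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 241',
    '10.0.0.9 - - [05/May/2025:03:14:10 +0000] "GET /index.php?q=%ADd HTTP/1.1" 404 0',
]


def parse_version(version):
    """'8.1.2-1ubuntu2.14' -> (8, 1, 2); distro suffixes are ignored."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def is_php_vulnerable(version):
    """True if this PHP release predates the CVE-2024-4577 fix for its branch.

    Caveat: the bug only bites PHP run as CGI on Windows, so a vulnerable
    version number alone does not prove a server is exploitable.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 8.0 and older are end-of-life and never got a fix; 8.4+ shipped fixed.
    return v < (8, 1)


def find_cgi_arg_injection(log_lines):
    """Return request targets whose decoded query string carries the
    soft-hyphen '-d' injection together with a php.ini directive."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        target = m.group(1)
        query = unquote_to_bytes(target.split("?", 1)[1]).lower()
        if SOFT_HYPHEN_D.search(query) and any(d in query for d in DIRECTIVES):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for ver in ("8.1.2", "8.1.29", "8.3.8"):
        print(ver, "vulnerable" if is_php_vulnerable(ver) else "fixed")
    for hit in find_cgi_arg_injection(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The third sample line carries the %ADd marker but no directive, and is deliberately not flagged; requiring both halves keeps the signature from firing on random bytes in a query string. Run the version check against whatever `php -v` reports on the box, not against what the package name says.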

LockBit's Reputation? On the Floor

LockBitSupp tried to downplay it, saying only a "light panel" was hacked and no victim data or decryptors were damaged. Please! The leaked database is sensitive operational data: credentials, negotiations, payment addresses, build records. This isn't just a scratch; it's a gaping wound.

This breach, coming after Operation Cronos, pretty much destroys any credibility LockBit had left. Affiliates, the freelancers who do the dirty work for LockBit, are going to be thinking twice. Would you trust your criminal enterprise to a group that can't even protect its own passwords? No way! This is likely to cause a big loss of trust and an exodus of affiliates.

What This Means for the Bad Guys and for Us

This is more than just LockBit’s problem. It shakes the whole RaaS (Ransomware-as-a-Service) market. Other cybercrime groups might see this as a chance to grab LockBit’s unhappy affiliates, or they might be sweating, checking their own security. We could see the ransomware world become even more fragmented.

For us, the defenders, this leak is a gift.

  • Financial Tracing: Those Bitcoin addresses? Law enforcement and chain-analysis teams can cluster them, follow the money, uncover laundering schemes, and maybe even identify more bad guys.
  • Identifying Actors and Victims: Usernames, passwords, chat logs, targeted company names: it's all there to help identify LockBit members, and victims who may never have reported their attacks.
  • Understanding TTPs: The data gives us incredible insight into their Tactics, Techniques, and Procedures. We can learn how they negotiate, how they build their malware, and use that to build better defenses. Security companies are already creating tools, like "LockbitGPT," to analyze this data.
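The first thing an analyst does with a dump like the one described in the tables section and used in the three bullets above is pull the INSERT rows out of the SQL text so the users, chats, btc_addresses and builds tables can be queried. The following is an added example of that triage, not code from the original post or from any vendor tool; SAMPLE_DUMP is constructed to mimic the described table layout and contains nothing from paneldb_dump.zip, and the column positions it assumes (username/password in the users table, victim/text in chats, and so on) are assumptions for the example.

```python
"""Triage of a leaked MySQL dump: parse INSERT rows, flag plaintext
credentials, dedupe payment addresses, pull demands and named targets.
Added example; SAMPLE_DUMP is constructed and is not leaked data."""
import re
from collections import defaultdict

SAMPLE_DUMP = """
CREATE TABLE `users` (`id` int, `username` varchar(64), `password` varchar(128), `role` varchar(16));
INSERT INTO `users` VALUES (1,'adm_one','Weekendlover69','admin'),(2,'aff_two','hunter2','affiliate');
INSERT INTO `users` VALUES (3,'aff_three','$2y$10$abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopq','affiliate');
INSERT INTO `btc_addresses` VALUES (1,'bc1qexample000000000000000000000000000000'),(2,'1ExampleLegacyAddress00000000000');
INSERT INTO `btc_addresses` VALUES (3,'bc1qexample000000000000000000000000000000');
INSERT INTO `chats` VALUES (1,'victim-42','2025-01-15 10:03:00','Pay 150000 USD or the data goes public');
INSERT INTO `chats` VALUES (2,'victim-42','2025-01-15 10:09:00','We can''t afford that, please lower it');
INSERT INTO `chats` VALUES (3,'victim-77','2025-02-02 08:00:00','Price is 5000 USD, 48 hours');
INSERT INTO `builds` VALUES (1,'aff_two','2025-01-10','Example Corp'),(2,'aff_three','2025-02-01',NULL);
"""

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*?);\s*$", re.M | re.S)
# Values that look like a password hash (bcrypt, argon2, scrypt, sha-crypt, hex sha256).
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$scrypt\$|\$[56]\$|[0-9a-f]{64}$)")
AMOUNT_RE = re.compile(r"\b(\d[\d,]{2,})\s*(?:usd|\$)", re.I)


def _flush(buf, row):
    """Emit a pending unquoted token (number or NULL)."""
    if buf:
        tok = "".join(buf).strip()
        row.append(None if tok.upper() == "NULL" else tok)
        buf.clear()


def parse_values(blob):
    """Parse \"(1,'a'),(2,NULL)\" into rows, honouring '' and backslash escapes."""
    rows, row, buf, in_str = [], [], [], False
    i, n = 0, len(blob)
    while i < n:
        c = blob[i]
        if in_str:
            if c == "\\" and i + 1 < n:                          # backslash escape
                buf.append(blob[i + 1]); i += 2; continue
            if c == "'" and i + 1 < n and blob[i + 1] == "'":   # doubled quote
                buf.append("'"); i += 2; continue
            if c == "'":                                         # closing quote
                in_str = False
                row.append("".join(buf)); buf.clear()
            else:
                buf.append(c)
        elif c == "'":
            in_str = True
        elif c == "(":
            row = []
        elif c == ",":
            _flush(buf, row)
        elif c == ")":
            _flush(buf, row); rows.append(row)
        elif not c.isspace():
            buf.append(c)
        i += 1
    return rows


def load_tables(dump_text):
    """table name -> list of rows, across all INSERT statements."""
    tables = defaultdict(list)
    for m in INSERT_RE.finditer(dump_text):
        tables[m.group(1)].extend(parse_values(m.group(2)))
    return tables


def plaintext_credentials(users, user_col=1, pw_col=2):
    """Accounts whose stored password is not a recognisable hash."""
    return [(r[user_col], r[pw_col]) for r in users
            if r[pw_col] is not None and not HASH_RE.match(r[pw_col])]


def unique_addresses(btc_rows, addr_col=1):
    """Deduplicated ransom-collection addresses for chain-analysis follow-up."""
    return sorted({r[addr_col] for r in btc_rows if r[addr_col]})


def demands_per_victim(chat_rows, victim_col=1, text_col=3):
    """Largest dollar figure quoted in each victim's negotiation thread."""
    demands = {}
    for r in chat_rows:
        for amt in AMOUNT_RE.findall(r[text_col] or ""):
            value = int(amt.replace(",", ""))
            demands[r[victim_col]] = max(value, demands.get(r[victim_col], 0))
    return demands


def named_targets(build_rows, affiliate_col=1, target_col=3):
    """affiliate -> company names recorded in the builds table (NULLs skipped)."""
    out = defaultdict(list)
    for r in build_rows:
        if r[target_col]:
            out[r[affiliate_col]].append(r[target_col])
    return dict(out)
```

Usage: `t = load_tables(open("paneldb.sql").read())`, then `plaintext_credentials(t["users"])`, `unique_addresses(t["btc_addresses"])`, `demands_per_victim(t["chats"])` and `named_targets(t["builds"])`. The small hand-written tokenizer matters because negotiation text contains apostrophes and escaped quotes, which a naive split on commas would mangle.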

The Bigger Picture: No One is Invincible

LockBit used to be the bogeyman, the top dog. Operation Cronos showed they could be hit by law enforcement. This May 2025 breach shows they can be hit by other hackers because of their own sloppiness. It's a lesson for everyone, even the criminals: basic cybersecurity hygiene is non-negotiable. Patch your systems, use strong, unique passwords (and for crying out loud, store them as salted slow hashes, never in plaintext!), and use MFA.
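The plaintext-versus-hashed contrast in that last sentence, as an added example (not code from the post and not anything from LockBit's panel): two stores with the same add/verify interface, one keeping the password as-is the way the leaked users table reportedly did, the other using hashlib.scrypt from the standard library with a random per-user salt and a constant-time comparison. The class and function names are this example's own.

```python
"""Plaintext credential storage beside a hardened version (added example)."""
import base64
import hashlib
import hmac
import os

# Memory-hard parameters: 16 MiB per hash at n=2**14, r=8. Tune per server.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
_DUMMY_SALT = b"\x00" * 16


class PlaintextStore:
    """What a leaked users table with plaintext passwords amounts to."""
    def __init__(self):
        self.rows = {}

    def add(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedStore:
    """Same interface; a dump of .rows yields only salts and digests."""
    def __init__(self):
        self.rows = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)

    def add(self, user, password):
        salt = os.urandom(16)                     # fresh salt per user
        self.rows[user] = "scrypt$%s$%s" % (
            base64.b64encode(salt).decode(),
            base64.b64encode(self._digest(password, salt)).decode())

    def verify(self, user, password):
        rec = self.rows.get(user)
        if rec is None:
            self._digest(password, _DUMMY_SALT)   # keep timing flat for unknown users
            return False
        _, salt_b64, digest_b64 = rec.split("$")
        expected = base64.b64decode(digest_b64)
        actual = self._digest(password, base64.b64decode(salt_b64))
        return hmac.compare_digest(actual, expected)


def dump_exposes_password(store, user, password):
    """True if a raw dump of the table hands an attacker the password itself."""
    return password in str(store.rows.get(user))
```

With the hashed store, two users who picked the same weak password get different rows, and a dump buys the attacker a cracking job per account instead of a login; with the plaintext store the dump is the login.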

This whole mess is a stark reminder that in cybersecurity, you can never get complacent. The attackers, even the supposedly sophisticated ones, can make dumb mistakes. And when they do, it’s an opportunity for us to learn and strengthen our defenses.

So, what’s next? The cybercrime world is always changing. This LockBit breach will definitely cause some shifts. For us, it’s a chance to use this intelligence to get ahead, even if just for a little while.

Stay safe out there, my friends, and keep those systems patched! Until next time!
