The notorious LockBit ransomware operation suffered a major setback on May 7, 2025, when unknown attackers breached and defaced their affiliate login panels. The defacement included a pointed message, “Don’t do Crime CRIME IS BAD xoxo from Prague.” But the bigger setback came when the attackers leaked an SQL database containing multiple tables and datasets from LockBit’s administrative panel, an interface used by affiliates and administrators to manage ransomware activities.
Now, with the tables turned, the data breach offers an unprecedented look into one of the most prolific ransomware operations of the last decade. The leaked data exposes key elements of LockBit’s internal infrastructure, including details about its affiliates, victim organizations, ransom demands, and private communications, offering new visibility into the group’s operations and its leveraging of potential vulnerabilities.
PHP Vulnerability CVE-2024-4577: A Possible Entry Point?
Flashpoint analysts assess that the leaked SQL data was likely created on April 29, 2025, and the affected server was running PHP version 8.1.2. This version of PHP is vulnerable to CVE-2024-4577, which can be used to achieve remote code execution.

While our analysts cannot definitively confirm that CVE-2024-4577 was the initial access vector for the attack, Flashpoint identified active exploitation of the vulnerability as early as June 7, 2024, and included it in the Flashpoint Weekly Vulnerability and Prioritization Report. Since its discovery, our analysts have observed several threat actors soliciting both private and publicly available exploit code on illicit marketplaces and forums.
Examining the LockBit Data Leak
The Flashpoint Intelligence team is still examining data from the LockBit breach and will provide customers with additional intel based on its findings in the future. Here are the notable datasets our analysts have found:
1. Users
Flashpoint uncovered information pertaining to about 75 LockBit system users, likely affiliates or administrators. This table includes usernames, plaintext passwords, and messenger IDs.
2. Ransomware Builds
Used for storing metadata related to ransomware builds, this dataset includes victim company domain names, with revenue amounts and dates. Over 630 unique domains are included; however, a large number are not actual victims and were mostly used for testing purposes.
3. System Invalid Requests
This table tracks invalid or unauthorized requests made to the LockBit ransomware-as-a-service system, which the threat actor group leveraged for identifying attempts at exploitation.
4. Ransoms and Invites
This dataset contained invitation tokens and links that were sent to victims to initiate negotiations. Each invite is associated with a Bitcoin or Monero wallet address and the amount of the demanded ransom.
5. Files
This dataset was used for storing metadata pertaining to files that were either uploaded, processed, or stored within the system.
6. Victims
The SQL leak contained information pertaining to LockBit victims, who are referred to as “clients.”
7. Bitcoin Addresses
This dataset stored Bitcoin addresses associated with users or builds in the system. There are approximately 60,000 cryptocurrency addresses in the table.
8. Chats
Likely a repository of communications between LockBit and its victims. There are nearly 4,200 messages which appear to be from victims attempting to recover their data.
LockBit’s Response
Soon after the leak, a LockBit member made a statement on the group’s Telegram channel, claiming that the LockBit source code was not stolen, nor were decryptors or encrypted “company” information. This same message was shared on LockBit’s main blog site. In addition, the group solicited information regarding the threat actor behind the breach, stating that they are willing to pay for any information.
LockBit is not alone: Flashpoint is also monitoring multiple leaked databases from other ransomware and related groups, such as Conti and BlackBasta. However, there are no observable overlaps between those leaks and LockBit.
Defend Against Ransomware Using Flashpoint
Flashpoint continuously monitors known ransomware groups via extensive sources including underground forums and dark web channels. Using Flashpoint, organizations can stay ahead of ransomware attackers and better understand threat actor methodologies to prevent potential attacks and improve incident response playbooks.
“The ransomware dashboard made my life so much easier by providing our executives with the insights they need on ransomware. It saved a ton of time too, as it’s so helpful that it can be downloaded into multiple formats, excerpted into briefings, and be leveraged into analyses.”
Head of Intelligence, Global Financial Services Company
Request a demo for comprehensive threat intelligence that provides critical insights into threat actor targeting patterns and negotiation tactics. Flashpoint customers can download the full breached LockBit data via the Flashpoint Ignite Platform.