
LockBit's Admin Panel Leak Exposes Its Affiliates & Millions in Crypto

Published 15 hours ago. 4 minute read

The cybersecurity world witnessed an unprecedented breach on May 7, 2025, when an anonymous threat actor known as “xoxo from Prague” successfully infiltrated LockBit’s administrative panel, replacing their Tor website with the message “Don’t do crime CRIME IS BAD xoxo from Prague.”

This audacious attack resulted in the complete compromise and public release of LockBit’s SQL database dump, containing sensitive operational data spanning from December 18, 2024, to April 29, 2025.

The leaked database represents one of the most significant intelligence breaches in ransomware history, offering an unprecedented glimpse into the inner workings of a major Ransomware-as-a-Service (RaaS) operation.

The compromised data encompasses critical information about LockBit’s affiliate network, victim organizations, negotiation transcripts, cryptocurrency wallet addresses, and ransomware build configurations.

This breach occurred just one month after a similar defacement of the Everest RaaS platform, suggesting a coordinated campaign against ransomware infrastructure.

Following extensive analysis, Trellix researchers identified and validated the authenticity of the leaked database, confirming with high confidence that it originated from LockBit’s legitimate affiliate administration panel.

LockBit RaaS admin panel hacked and SQL DB leaked (Source – Trellix)

The researchers discovered that this panel facilitated the generation of ransomware builds utilizing LockBit Black 4.0 and LockBit Green 4.0 variants, compatible with Linux, Windows, and ESXi systems, while providing comprehensive access to victim negotiation interfaces.

The timing of this breach coincides with LockBit’s operational resurgence following the third phase of Operation Cronos in October 2024.

After a period of reduced activity, the group announced LockBit 4.0 in December 2024 and subsequently introduced their “Lite” panel featuring auto-registration functionality.

This new approach allowed virtually anyone to join their affiliate program for a registration fee of $777 USD, marking a significant shift in their recruitment strategy.

LockBit RaaS post on their leak blog titled ‘Hack 7 May.OMG’ (Source – Trellix)

The leaked data reveals LockBit’s extensive global reach, with 156 unique clients mentioned in the database and 103 confirmed victim organizations that engaged in direct negotiations with affiliates.

Analysis of the geographic distribution shows China as the primary target, followed by the United States, Taiwan, Brazil, and Turkey. The manufacturing sector emerged as the most frequently targeted industry, followed by consumer services, software/IT, finance, and government institutions.

The comprehensive analysis of LockBit’s leaked database reveals a sophisticated affiliate ecosystem comprising 75 documented members with varying levels of access and operational capabilities.

The leaked user table contained detailed information including cleartext passwords and affiliate classifications ranging from “newbies” and “pentesters” to “scammers” and “verified” operators.

Among these, only five affiliates—Brown, btcdrugdealer, Christopher, JamesCraig, and Swan—achieved “verified” status, indicating their elevated standing within the organization.

The financial architecture underlying LockBit’s operations demonstrates a traditional RaaS revenue-sharing model, with the organization retaining 20% of all successful ransom payments while affiliates received the remaining 80%.

Analysis of the cryptocurrency transactions revealed that LockBit generated approximately $2.37 million USD in confirmed earnings between December 2024 and April 2025, with the organization itself receiving roughly $456,000 USD as their share.

Notably, a single victim payment of $2 million USD from affiliate Swan’s operations contributed nearly $390,000 USD to LockBit’s total earnings.

The most successful affiliate, Christopher, demonstrated a 57% success rate across 14 victim organizations, primarily targeting Asian markets with initial ransom demands ranging from $25,000 to $120,000 USD.

Christopher’s negotiation strategy involved offering substantial discounts of 16-67%, suggesting a calculated approach that balanced aggressive initial demands with flexible final settlements.

In contrast, Swan, despite having the second-highest victim count of 12 organizations, achieved only a 17% success rate but commanded the largest single ransom payment in the dataset.

The leaked database also exposed LockBit’s ambitious claims regarding their auto-registration revenue stream, with operators boasting monthly earnings of $100,000 USD from $777 registration fees alone.

However, blockchain analysis of the associated Bitcoin wallets revealed only 12 transactions out of 2,338 generated addresses, indicating actual earnings of approximately $9,324 USD over the analyzed period—a stark contrast to their public assertions that highlights the inherent unreliability of cybercriminal financial claims.

Origin: Cyber Security News