LockBit

On May 7, 2025, an anonymous threat actor known as 'xoxo from Prague' infiltrated LockBit’s administrative panel and replaced the group’s Tor website with a defacement message. The breach resulted in the public release of LockBit’s SQL database dump, containing sensitive operational data spanning from December 18, 2024, to April 29, 2025. The leaked data included critical information about LockBit’s affiliate network, victim organizations, negotiation transcripts, cryptocurrency wallet addresses, and ransomware build configurations. It is one of the most significant intelligence breaches in ransomware history, offering an unprecedented glimpse into the inner workings of a major Ransomware-as-a-Service (RaaS) operation.

Source: https://cybersecuritynews.com/lockbits-admin-panel-leak/

TPRM report: https://scoringcyber.rankiteo.com/company/latest-cyber-security-news

"id": "lat601061425",
"linkid": "latest-cyber-security-news",
"type": "Breach",
"date": "6/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '103 confirmed victim '
                                              'organizations',
                        'industry': 'Cybercrime',
                        'name': 'LockBit',
                        'type': 'Ransomware-as-a-Service (RaaS) Operation'}],
 'attack_vector': 'Admin Panel Infiltration',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Operational data',
                                              'Affiliate network information',
                                              'Victim organizations data',
                                              'Negotiation transcripts',
                                              'Cryptocurrency wallet addresses',
                                              'Ransomware build '
                                              'configurations']},
 'date_detected': '2025-05-07',
 'description': "An anonymous threat actor known as 'xoxo from Prague' "
                'successfully infiltrated LockBit’s administrative panel, '
                'replacing their Tor website with a message and compromising '
                'their SQL database dump containing sensitive operational '
                'data.',
 'impact': {'brand_reputation_impact': 'Significant intelligence breach',
            'data_compromised': ['Operational data',
                                 'Affiliate network information',
                                 'Victim organizations data',
                                 'Negotiation transcripts',
                                 'Cryptocurrency wallet addresses',
                                 'Ransomware build configurations'],
            'operational_impact': 'Public release of sensitive operational '
                                  'data'},
 'initial_access_broker': {'entry_point': 'Admin Panel Infiltration'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_paid': '$2.37 million USD',
                'ransomware_strain': 'LockBit Black 4.0, LockBit Green 4.0'},
 'references': [{'source': 'Trellix'}],
 'threat_actor': 'xoxo from Prague',
 'title': 'LockBit RaaS Admin Panel Hacked and SQL DB Leaked',
 'type': 'Data Breach, Ransomware'}