LockBit’s massive data leak and mockery of their passwords

8 May 2025 3 minutes Author: Newsman

Known as one of the “most dangerous” cybercrime groups in the world, LockBit suffered a major setback when their darknet infrastructure was compromised. Unknown hackers took over the gang’s admin panel, replacing the interface with the cheeky message “Don’t do crime CRIME IS BAD xoxo from Prague” and adding a link to an archive with data from a MySQL database. The archive, titled “paneldb_dump.zip,” contained critical information about LockBit’s activities, including lists of Bitcoin addresses, technical parameters of the encryptors, negotiations with victims, and credentials of panel users.

LockBit, which specializes in large-scale ransomware attacks, found itself at the center of a scandal after its darknet infrastructure was compromised by unknown attackers. The hackers not only broke into the admin panel, but also replaced the interface with the ironic “Don’t do crime CRIME IS BAD xoxo from Prague,” emphasizing the absurdity of the gang’s activities.

The archive posted by the attackers contains a MySQL database consisting of 20 tables, each of which reveals the internal structure and activities of LockBit:

* btc_addresses: Contains 59,975 unique Bitcoin addresses associated with extortion operations. This list allows you to identify the gang’s financial flow channels.

* builds: Information about the encryptors created by affiliates. The table lists the public keys, as well as the names of the attacked companies.

* builds_configurations: Technical parameters of the encryptors, including instructions for bypassing ESXi servers and files to encrypt.

* chats: Contains 4,442 messages exchanged between LockBit and victims from December 19, 2024 to April 29, 2025. This dataset allows you to analyze the gang’s negotiation tactics, ransom amounts, and pressure methods.

* users: A table of users with 75 entries, including administrators and affiliates. The passwords were stored in plain text, which became the subject of ridicule. Among the passwords are “Weekendlover69”, “MovingBricks69420”, “Lockbitproud231”, indicating a low level of security even in a cybercriminal organization.

Method of attack

While the exact mechanism of the attack remains unclear, experts suggest that the hackers exploited a vulnerability in a server running an outdated version of PHP, 8.1.2. This version is affected by CVE-2024-4577, a critical vulnerability that allows arbitrary code to be executed on the server. The defacement messages in the LockBit admin panels are similar to those in the previous attack on the Everest group’s darknet resources, which may indicate a similar attack method or even the same perpetrators.
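As an added, defender-side illustration of the vector the article names (not code from the article or from any party involved), the Python below scans web-server access logs for the percent-encoded soft hyphen marker that CVE-2024-4577 exploitation relies on. The log lines are constructed, and the check assumes PHP running as CGI on Windows, the configuration the CVE affects.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines for the demo (not from the leaked panel or the article).
# Line 2 carries the percent-encoded soft hyphen (%AD) followed by an option letter, the
# marker CVE-2024-4577 exploitation relies on; the other two are ordinary requests.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [08/May/2025:10:01:05 +0000] "POST /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 77
203.0.113.12 - - [08/May/2025:10:01:09 +0000] "GET /chat.php?id=42&lang=en HTTP/1.1" 200 1024
"""

# Apache/nginx "common" log format: client, identity, user, [timestamp], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Request targets handled by PHP: *.php scripts or the php-cgi binary itself
PHP_TARGET = re.compile(r'\.php(?:$|[/?#])|php-cgi', re.IGNORECASE)
# %AD (soft hyphen) directly followed by a letter: Windows best-fit mapping turns it into
# "-" and php-cgi then reads it as a command-line option (the root cause of CVE-2024-4577)
SOFT_HYPHEN_OPTION = re.compile(r'%ad[a-z]', re.IGNORECASE)


def is_cve_2024_4577_attempt(target: str) -> bool:
    """Heuristic: a PHP path plus a %AD-prefixed option letter in the raw query string."""
    parts = urlsplit(target)
    if not PHP_TARGET.search(parts.path):
        return False
    return bool(SOFT_HYPHEN_OPTION.search(parts.query))


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request: source IP, timestamp, status and target."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_cve_2024_4577_attempt(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "target": m["target"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['status']} {f['target']}")
```

A 200 status on a flagged request is the case worth escalating, since it means the CGI binary answered rather than rejecting the request.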

LockBit is an international hacking group that specializes in ransomware attacks. They are known for their ability to quickly encrypt corporate systems and demand ransoms for their decryption. In 2024, LockBit was already the victim of a large-scale special operation, Operation Cronos, during which 34 servers used to store stolen data and crypto assets were confiscated.

The previous attack on the infrastructure significantly undermined the gang’s reputation, but they were able to recover. This new hack could cause a loss of trust among affiliates who previously provided the gang with significant profits. Leaked conversations with victims could also be a valuable source of information for law enforcement.

The LockBit hack not only undermines the gang’s reputation, but also proves that “even the most dangerous criminal groups” can become victims of their own negligence. The use of outdated and vulnerable software, as well as storing passwords in plain text, raises doubts about the professionalism of the hackers. If the data leak leads to the identification of affiliates, it could have serious consequences for the entire LockBit ecosystem.
