LockBit ransomware gang hacked

In a strange reversal, the LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced last week. The defacement message matches the one used in a recent breach of Everest ransomware’s dark web site, suggesting a possible link.

First spotted on the 7th of May 2025, the defacement was then reported on by BleepingComputer. Based on their analysis, the affiliate panels had been replaced with a message linking to a MySQL database dump. The data dump contains twenty tables, including bitcoin addresses, malware builds, and negotiation chats with previous victims.

This isn’t the first time that LockBit has run into issues recently. In 2024, a law enforcement operation called Operation Cronos took down LockBit’s infrastructure, including 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel.

While the ransomware gang claims no private keys were stolen or lost and that they remain in business, this latest breach, layered on top of the damage caused during Operation Cronos, may prove fatal to their reputation, at least in the short term.

Ransomware continues to be a threat

Despite the hopeful news stemming from LockBit’s current embarrassment, cyberattacks and online threats remain. Other actors will inevitably muscle in on LockBit’s former slice of the market even if the gang finally goes under.

Ransomware-as-a-service has enabled a more flexible criminal enterprise, allowing developers to concentrate on creating and improving ransomware and its components while other individuals or gangs, acting as access brokers and affiliates, focus on payload deployment and extortion.

In addition, there is a constantly increasing trend towards malicious use of LLMs. These are primarily being used for social engineering, reconnaissance, defense evasion, and crafting customized phishing lures. This allows criminal enterprises to scale up in unprecedented ways, with LLMs likely contributing to the overall % increase in phishing attacks reported in early 2024.

These factors contribute to a greater success rate in attacks purely through scale, with Illinois-based Andy Frain serving as the newest reminder that online threats continue to be present and that organizations need to adapt quickly or risk the consequences.

 


by Matúš Koronthály