LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
Key Takeaways
- Hackers leaked LockBit’s MySQL database and exposed nearly 60,000 Bitcoin addresses linked to ransom activities;
- The database included ransomware builds, victim negotiations, and clues for tracking LockBit’s past crypto transactions;
- Similarities to a past Everest ransomware hack suggest the same attacker or group may be responsible for both breaches.
Hackers broke into the LockBit ransomware group's dark web affiliate site and publicly released a copy of its internal MySQL database, according to BleepingComputer.
The files contained nearly 60,000 Bitcoin
While no private keys were part of the leak, the exposed information could help blockchain investigators follow the trail of LockBit’s past transactions.
The leaked database contained twenty different tables. One, named "builds", listed ransomware files created by LockBit’s partners, along with possible intended targets. Another, labeled "chats", included more than 4,400 negotiation messages between the group and its victims.
These records showed conversations about ransom amounts, payment terms, and proof that stolen data would be deleted after a deal.
After the leak, an X user shared a conversation with an individual claiming to represent LockBit. The person confirmed that the group’s affiliate panel had been hacked but said that no private keys or critical data had been taken.
Analysts from BleepingComputer also pointed out that the message shown on LockBit’s hacked site was almost identical to one seen during a previous attack on the Everest ransomware group. This raised the idea that the same hacker, or a connected group, could be behind both incidents.
Meanwhile, Google Threat Intelligence reported a new malware called LOSTKEYS used by the hacking group COLDRIVER.