A group of hackers, reportedly from Prague, has breached the dark web infrastructure of the notorious cybercriminal group that offers ransomware services. Nearly 60,000 Bitcoin (BTC) linked to the ransomware infrastructure were stolen along with sensitive data. The stolen data notably included BTC addresses, internal chats, victim profiles, tokens, encryption keys, and credentials.
The hackers also left a message for the group that read: “Don’t do crime CRIME IS BAD xoxo from Prague.” Reportedly, the hack was first spotted by the threat actor Rey, who shared a screenshot of the message and wrote: “So LockBit just got pwned …”. Another X post by Rey showed that the ransomware group was compromised on or before April 29 and that its website was defaced on May 7.
Although nearly 60,000 Bitcoin wallets were hacked, private keys were not affected. A conversation between Rey and the LockBit operator known as LockBitSupp confirmed the compromise and that no private keys were breached.
Importantly, the leaked MySQL database dump, shared publicly online, includes crypto-related data that could help blockchain analysts track LockBit’s illegal financial activities.
Cyber Threat Intelligence Academy (CTI) found that the message written on the .onion page following the hack resembles the one used during the Everest ransomware group hack that happened in April 2025. Everest is another ransomware group competing in the cybercriminal world, like LockBit.
The academy team also showed that the hacked .onion address likely belongs to the LockBit gang, as malicious HTTP requests sent to this address had previously been observed in LockBit’s malware.
A .onion address points to a special type of website that is reachable through the Tor browser. The .onion suffix is a special-use top-level domain name for the dark web that enables anonymous communication.