LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked

LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a major blow to the ransomware group.

The ransomware group LockBit has suffered a serious blow after its dark web domain and infrastructure was hijacked and defaced by an unknown attacker. The breach, which surfaced on May 7, disrupted several of the group’s hidden service panels and included a public taunt: “Don’t do crime. CRIME IS BAD xoxo from Prague.”

This breach is the latest in a series of setbacks for LockBit, once considered one of the most prolific ransomware-as-a-service (RaaS) operations. It comes less than 15 months after international law enforcement agencies, including the FBI and the UK’s National Crime Agency, dismantled parts of the group’s infrastructure and arrested several members in early 2024.

What makes this incident different is that the attacker has not just taken down pages, they’ve leaked internal data that offers a rare look inside the operation. The published dump includes affiliate communications, internal tooling details and a list of over 60,000 Bitcoin wallet addresses allegedly tied to LockBit’s activity.

Security analysts believe the breach may have been carried out by a rival cybercrime group or a hacktivist with insider knowledge. The level of access required to deface multiple dark web panels and extract sensitive data points to more than just a hack for fame.

In response, LockBit affiliates and supporters have scrambled to relocate operations, but the damage is already notable. The leak exposes operational workflows, revenue models and technical weak spots.

In recent months, LockBit has tried to regain traction by teasing updates to its malware and promising fresh infrastructure after the 2024 enforcement actions. This latest incident not only sets those efforts back but also exposes vulnerabilities that could be used against them again.

In April 2025, the Everest ransomware group was hit with a nearly identical defacement. An unknown attacker left the same message on their dark web site. The incident was first reported by Tammy H, a dark web investigator at Flare.io, a Canadian cybercrime threat intelligence firm.

Nevertheless, for law enforcement agencies and cybersecurity researchers, the latest LockBit data leak may be a goldmine. It can aid in victim identification, wallet tracking, and even the possible unmasking of key affiliates. For LockBit, this is just another low point in a declining run that once saw the group behind high-profile attacks on corporations, hospitals and government systems.