The notorious LockBit ransomware collective, a long-standing operator in the ransomware-as-a-service (RaaS) space, has itself become the target of a major data breach.
This cyber incident has exposed a wealth of internal data, including payload development records, affiliate-victim negotiation transcripts, and details of the group’s operational infrastructure.
The breach, which first surfaced through a Tor-based ‘onion’ site linked to LockBit, grants an unprecedented technical window into the group’s methods and the broader commercial mechanics of the ransomware underground.
Anatomy of the Breach
The LockBit data leak surfaced in May 2025 but contains materials dating back to 2024.
Among the trove: a database mapping nearly 60,000 unique Bitcoin wallet addresses to affiliate IDs and apparent victim identifiers, detailed logs of every ransomware payload generated by affiliates, extensive payload configuration data, and over 4,400 chat transcripts chronicling the evolution of ransom negotiations.
Affiliates use LockBit’s builder panel to create highly customizable ransomware payloads, tweaking parameters such as file types to encrypt, specific ESXi servers to avoid, and features like “quiet_mode” for stealthy execution.
The builder saves each configuration in a structured JSON format, providing fields for internal labeling, affiliate IDs, public and private keys, ransom demand declarations (“revenue”), and operational parameters such as kill-switches and max file sizes.

According to the Ontinue report, this level of modularity underlines LockBit’s focus on operational flexibility tailored to affiliate needs.
Payload Creation
The leak’s build records clearly map which affiliates generated which payloads and their intended ransom demands. While some claims such as “999kk” ($99.9M) or “303kkk” ($303M) appear exaggerated or serve as placeholders, the dataset provides a credible glimpse into the economics of LockBit’s affiliate-driven business.
The top affiliates, by their self-declared demands, projected hundreds of millions in potential revenue, although there is limited evidence of real ransom payments.
Notably, only 7 out of 246 victims were marked as having “paid commission,” and none showed a confirmed decryption event in the leaked data.
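The builder JSON described above and the payment statistics in this section are the kind of material a CTI analyst would triage with a short script. The following is an added example, not code from the article or from the Ontinue report: it loads a small set of constructed build records (not the leaked dataset), counts payloads per affiliate, flags “kk”-style demand declarations as placeholders, and checks how many builds marked as paid have a matching decryption event. The key names (`affiliate_id`, `revenue`, `quiet_mode`, `kill_switch`, `max_file_size`, `paid_commission`, `decrypted`) are assumptions modelled on the article’s description, not the real builder schema.

```python
"""Triage of leaked RaaS builder records, from a defender's side.

Added example. The JSON key names are assumptions based on the article's
description of the builder output, not the real LockBit schema, and the
records below are constructed sample data, not the leaked dataset.
"""
import json
import re
from collections import defaultdict

# Constructed sample: one JSON object per payload an affiliate generated.
# "revenue" is the affiliate's declared demand, not a confirmed payment.
SAMPLE_BUILDS_JSON = json.dumps([
    {"label": "build-0001", "affiliate_id": "aff_A", "revenue": "999kk",
     "quiet_mode": True, "kill_switch": True, "max_file_size": 1073741824,
     "paid_commission": True, "decrypted": False},
    {"label": "build-0002", "affiliate_id": "aff_A", "revenue": "5000000",
     "quiet_mode": False, "kill_switch": True, "max_file_size": 1073741824,
     "paid_commission": False, "decrypted": False},
    {"label": "build-0003", "affiliate_id": "aff_A", "revenue": "303kkk",
     "quiet_mode": True, "kill_switch": False, "max_file_size": 536870912,
     "paid_commission": False, "decrypted": False},
    {"label": "build-0004", "affiliate_id": "aff_B", "revenue": "2500000",
     "quiet_mode": False, "kill_switch": True, "max_file_size": 1073741824,
     "paid_commission": True, "decrypted": False},
    {"label": "build-0005", "affiliate_id": "aff_B", "revenue": "12kk",
     "quiet_mode": True, "kill_switch": True, "max_file_size": 268435456,
     "paid_commission": False, "decrypted": False},
    {"label": "build-0006", "affiliate_id": "aff_C", "revenue": "800000",
     "quiet_mode": False, "kill_switch": False, "max_file_size": 1073741824,
     "paid_commission": False, "decrypted": False},
])

# Declarations such as "999kk" or "303kkk": a number followed by two or more
# 'k's. The article treats these as exaggerations or placeholders, so they are
# flagged rather than converted to a dollar figure.
SHORTHAND_DEMAND = re.compile(r"^\d+k{2,}$", re.IGNORECASE)


def is_shorthand_demand(value) -> bool:
    """True for 'kk'-style demand declarations like '999kk' or '303kkk'."""
    return isinstance(value, str) and bool(SHORTHAND_DEMAND.match(value.strip()))


def load_builds(raw: str) -> list[dict]:
    """Parse a JSON array of build-record objects, rejecting anything else."""
    data = json.loads(raw)
    if not isinstance(data, list) or not all(isinstance(r, dict) for r in data):
        raise ValueError("expected a JSON array of build-record objects")
    return data


def summarize_builds(records: list[dict]) -> dict:
    """Per-affiliate payload counts plus payment/decryption consistency."""
    per_affiliate = defaultdict(lambda: {"builds": 0, "quiet_mode": 0, "demands": []})
    paid = paid_without_decryption = shorthand = 0
    for r in records:
        aff = str(r.get("affiliate_id", "unknown"))
        entry = per_affiliate[aff]
        entry["builds"] += 1
        if r.get("quiet_mode"):
            entry["quiet_mode"] += 1
        demand = r.get("revenue")
        entry["demands"].append(demand)
        if is_shorthand_demand(demand):
            shorthand += 1
        if r.get("paid_commission"):
            paid += 1
            # A "paid" flag with no decryption event is exactly the data
            # validation gap the article describes; count it separately.
            if not r.get("decrypted"):
                paid_without_decryption += 1
    return {
        "affiliates": dict(per_affiliate),
        "total_builds": len(records),
        "paid_commission": paid,
        "paid_without_decryption": paid_without_decryption,
        "shorthand_demands": shorthand,
    }


def top_affiliates(summary: dict, n: int = 3) -> list[tuple[str, int]]:
    """Most prolific payload generators, ties broken by affiliate id."""
    ranked = sorted(summary["affiliates"].items(),
                    key=lambda kv: (-kv[1]["builds"], kv[0]))
    return [(aff, entry["builds"]) for aff, entry in ranked[:n]]


if __name__ == "__main__":
    summary = summarize_builds(load_builds(SAMPLE_BUILDS_JSON))
    print(json.dumps(summary, indent=2))
    print(top_affiliates(summary))
```

Keeping the declared demand as a string rather than converting it avoids baking an assumption about what “kk” means into the numbers; the flag count alone is enough to show how much of the dataset’s projected revenue rests on placeholder-looking values.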
The chat logs bring to light the psychological tactics LockBit affiliates deploy.
Negotiations oscillate between cold, businesslike demands and emotional manipulation ranging from time-based threats and guilt-tripping victims (“Your clients will suffer”) to shaming and aggressive refusals to negotiate.
Some affiliates follow scripts, including recruitment pitches offering victims the chance to “start your pentester billionaire journey in 5 minutes,” while asserting LockBit’s reputation as the “oldest extortion gang on the planet” as a guarantee of ‘professional’ conduct.
The group’s messaging warns victims against contacting law enforcement or revealing the attack, offers ‘advice’ on safe cryptocurrency purchases, and even promotes its own “pentesting” as a legitimate service. This blending of coercion, criminal rationalization, and outright advertisement underscores LockBit’s maturity as a cybercrime enterprise.
LockBit’s reliance on highly resilient Tor-based infrastructure is evident in both their public leak sites and negotiation portals.
The leak also identified numerous .onion domains, most of which were operational at the time of the breach, further showcasing the group’s commitment to strong operational security and infrastructure redundancy.

A cross-reference of affiliate usernames with those leaked by law enforcement during “Operation Cronos” found substantial overlap, demonstrating continuity of threat actor identities despite previous takedowns.
High-volume users such as “Ashlin,” “Rich,” and “Melville” were identified as prolific payload generators, confirming persistent activity among core LockBit affiliates.
The LockBit data breach represents a landmark in the visibility of ransomware group operations.
The leak not only demonstrates the technical sophistication underpinning LockBit’s RaaS offering, but also exposes the structured, business-like approach that defines their affiliate model.
While some ransom demands were recorded as paid, data validation issues prevent definitive payment attribution.
Still, the breach offers security teams and law enforcement valuable intelligence on group infrastructure, affiliate behaviors, and the technical controls used to deliver highly tailored ransomware campaigns.
Indicators of Compromise (IOCs)
| Type | Value/URL | Description |
|---|---|---|
| Onion Leak Portal | http://e4hwk3w4ztqfkyo6l36ss3tfj4bw2jw4ytkmomkx2ugwjgrs4w3lriid.onion | LockBit-affiliated leak site |
| Ransom Chat Portal | http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion | Victim-affiliate negotiation portal |
| Payment Instruction | http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/buybitcoin | Payment address instruction |
| General Leak Mirror | http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ | Mirror leak domain |
| Terms/Conditions | http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/conditions | LockBit terms and rules |
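The indicators above are only useful if they can be matched against proxy, DNS or EDR telemetry, and the .onion infrastructure noted earlier means the hostnames, not the paths, are what a detection needs. The following is an added example, not code from the article or the Ontinue report: it extracts Tor v3 onion hostnames from log text, matches them against the hostnames in the table, and verifies each address’s embedded checksum as specified in Tor’s rend-spec-v3 (base32 of a 32-byte key, a 2-byte SHA3-256 checksum and a version byte of 3), which weeds out typos and lookalikes that merely have the right shape. The log lines are constructed sample data.

```python
"""Match Tor v3 onion hostnames in log text against the article's IOC list.

Added example, not code from the article or the Ontinue report. The IOC
hostnames are taken from the article's table; the log lines are constructed.
"""
import base64
import hashlib
import re

# Hostnames from the IOC table, paths dropped: a proxy or DNS log match only
# needs the host part, and the same host serves several listed paths.
LOCKBIT_ONION_IOCS = frozenset({
    "e4hwk3w4ztqfkyo6l36ss3tfj4bw2jw4ytkmomkx2ugwjgrs4w3lriid.onion",
    "lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion",
    "lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion",
    "lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion",
})

# A v3 onion hostname is exactly 56 base32 characters (a-z, 2-7) plus ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b", re.IGNORECASE)

# Constructed proxy log: two hits on listed hosts, one benign host, and one
# well-formed but bogus onion address that must not match.
SAMPLE_PROXY_LOG = """\
2025-05-09T10:14:02Z src=10.0.4.17 host=lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion path=/buybitcoin
2025-05-09T10:15:40Z src=10.0.4.23 host=example.com path=/
2025-05-09T10:16:11Z src=10.0.4.17 host=lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion path=/
2025-05-09T10:17:05Z src=10.0.4.31 host=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion path=/
"""


def extract_onion_hosts(text: str) -> list[str]:
    """Every syntactically valid v3 onion hostname in text, lowercased."""
    return [m.group(1).lower() for m in ONION_V3_RE.finditer(text)]


def onion_checksum_ok(host: str) -> bool:
    """Check the v3 address structure from Tor's rend-spec-v3:
    base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]), with
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2] and VERSION = 3.
    """
    label = host.lower().removesuffix(".onion")
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes, no padding
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def match_iocs(log_text: str, iocs=LOCKBIT_ONION_IOCS) -> list[tuple[int, str]]:
    """(line number, host) for each log line that names a listed indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for host in extract_onion_hosts(line):
            if host in iocs:
                hits.append((lineno, host))
    return hits


if __name__ == "__main__":
    for lineno, host in match_iocs(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {host} (checksum ok: {onion_checksum_ok(host)})")
```

Exact-match on the hostname is deliberate: a substring match on “lockbit” would fire on any vanity address with that prefix, while the checksum check makes it cheap to discard mistyped or fabricated indicators before they reach a blocklist.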