On the night between May 7 and 8, 2025, the infrastructure of the LockBit ransomware group was compromised again — the final act of the attack was a public defacement of their platform.
The stolen database, containing confidential information — including logs of negotiations with victims — was published directly on the group’s official website before being quickly removed.
During our internal analysis, we processed 8,654 records of negotiation messages between ransomware affiliates and victims. The database contained over 59,000 Bitcoin addresses associated with ransom demands, as well as details about users, campaign IDs, communication history, and other sensitive material.
Context of the Leak
According to a post by a well-known member of the LockBit channels, the hacked instance was a “light panel” with automatic registration, open to new affiliates. No decryptors or company data were compromised, but the full panel and blog are still functioning.
LockBit itself attributes the breach to an actor nicknamed “XoXo from Prague,” offering a reward for concrete information. It is unclear whether this is an insider, an opportunist, or a rival group.
What we discovered
Volume and content of negotiations
- Total messages: 8,654
- Number of unique conversations: 4,442
- Actor involvement (client_id ↔ adv_id): almost always unidirectional, but in 15 cases payment was confirmed.
- Estimated success rate: ~7.1%
- Total amount collected: ~$615,000
Distribution of payments:
| Range | Number of payments |
|---|---|
| < 10,000 USD | 5 |
| 10,000–100,000 USD | 6 |
| > 100,000 USD | 2 |
Behavioral models
During the semantic analysis of the messages, four main categories of rhetoric used by ransomware actors emerged:
- Direct threat: “If you don’t pay, your network will end up on all the hacking forums.”
- Emotional manipulation: “We don’t want to ruin you, but you have to understand that this is the only way.”
- Apparent professionalism: “Our policy is clear. We offer decryptors and support.”
- Calculated patience: In many cases, actors wait weeks for responses, leaving openings.
Psychological profile of the actors:
- Often impersonal, but well coordinated.
- Main language: Russian, but technical English is also present.
- Frequent use of predefined formulas and recurring phrases, suggesting a semi-automated approach.
- Some show narcissistic and domineering traits (“I decide how much you are worth”).
- In specific cases, clear signs of amateurism: impulsive responses, disorganized requests, grammatical errors.
- Possible presence of new or non-professional affiliates.
Technical evidence
- The tables used standard MySQL structures.
- The “INSERT INTO socket_messages” statements carried communications serialized as JSON, suggesting a Flask + WebSocket interface behind the chat.
- Some entries contained clear IDs associated with campaigns that could be traced through blockchain analysis (BTC addresses).
- Several chats share the same message syntax (“type”: “adv”, “action”: “send”, “msg”: “…”), indicating a structured dialog interface rather than free-form chat.
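To make the technical evidence concrete, here is an added example (not code from the original analysis or from CYBEROO) of how an analyst could triage a dump of this shape: pull each `socket_messages` INSERT row, undo mysqldump's escaping, decode the JSON payload, and tally messages, unique client/affiliate conversations, confirmed payments and Bitcoin addresses. The column layout (id, client_id, adv_id, payload), the `payment_confirmed` action name and all sample rows are assumptions made for the example; the two Bitcoin strings are the well-known documentation example addresses, not addresses from the leak.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape the post describes: MySQL INSERT rows for
# `socket_messages` whose last column is a JSON-serialised chat message.
# The column layout (id, client_id, adv_id, payload), the ids and the message
# texts are invented for this example; the two Bitcoin strings are the
# well-known documentation example addresses, not addresses from the leak.
SAMPLE_DUMP = """
INSERT INTO `socket_messages` VALUES (1,'cl-0001','adv-17','{"type": "adv", "action": "send", "msg": "Price is 50000 USD. Pay to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"}');
INSERT INTO `socket_messages` VALUES (2,'cl-0001','adv-17','{"type": "client", "action": "send", "msg": "We need more time"}');
INSERT INTO `socket_messages` VALUES (3,'cl-0002','adv-17','{"type": "adv", "action": "send", "msg": "Pay to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 or your files go public"}');
INSERT INTO `socket_messages` VALUES (4,'cl-0002','adv-17','{"type": "adv", "action": "payment_confirmed", "msg": "Payment received, decryptor attached"}');
INSERT INTO `socket_messages` VALUES (5,'cl-0003','adv-02','{"type": "adv", "action": "send", "msg": "Don\\'t waste time"}');
"""

# One INSERT row: three simple columns, then a single-quoted string in which
# mysqldump escapes quotes and backslashes with a backslash.
ROW_RE = re.compile(
    r"INSERT INTO `socket_messages` VALUES "
    r"\((\d+),'([^']*)','([^']*)','((?:[^'\\]|\\.)*)'\);"
)

# Legacy base58 (1.../3...) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


@dataclass
class Message:
    row_id: int
    client_id: str
    adv_id: str
    sender: str  # the JSON "type" field: "adv" (affiliate) or "client" (victim)
    action: str  # the JSON "action" field, e.g. "send"
    text: str


def sql_unescape(s: str) -> str:
    """Undo mysqldump's backslash escaping inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_dump(dump: str) -> list[Message]:
    """Extract every socket_messages row and decode its JSON payload."""
    messages = []
    for m in ROW_RE.finditer(dump):
        row_id, client_id, adv_id, raw = m.groups()
        payload = json.loads(sql_unescape(raw))
        messages.append(Message(
            row_id=int(row_id), client_id=client_id, adv_id=adv_id,
            sender=payload.get("type", ""), action=payload.get("action", ""),
            text=payload.get("msg", ""),
        ))
    return messages


def summarize(messages: list[Message]) -> dict:
    """Tally the figures an analyst would pull first from such a dump."""
    by_conv = defaultdict(list)
    for msg in messages:
        by_conv[(msg.client_id, msg.adv_id)].append(msg)
    # "payment_confirmed" is an assumed action name; adapt it to the real schema.
    paid = {k for k, msgs in by_conv.items()
            if any(m.action == "payment_confirmed" for m in msgs)}
    addresses = sorted({a for m in messages for a in BTC_RE.findall(m.text)})
    return {
        "total_messages": len(messages),
        "conversations": len(by_conv),
        "confirmed_payments": len(paid),
        "success_rate": len(paid) / len(by_conv) if by_conv else 0.0,
        "btc_addresses": addresses,
    }


if __name__ == "__main__":
    stats = summarize(parse_dump(SAMPLE_DUMP))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

The conversation key is the (client_id, adv_id) pair, matching the client_id ↔ adv_id pairing described above; the extracted addresses are the starting point for the blockchain tracing the post mentions, and should be validated (checksum, cluster membership) before being treated as attributable to a campaign.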
Conclusion
The leak of paneldb_dump.sql provides an unprecedented insight into the communication mechanisms of ransomware-as-a-service. LockBit’s public response, acknowledging the incident and launching a hunt for the perpetrator, suggests a loss of central control by the core group.
This is a clear sign that even cybercriminal organizations, however structured, are not immune to internal divisions and operational vulnerabilities.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO