On May 7, 2025, a significant breach occurred within the notorious LockBit Ransomware as a Service (RaaS) ecosystem. An anonymous actor successfully hacked the LockBit admin panel, replacing their TOR website with a bold message: “Don’t do crime CRIME IS BAD xoxo from Prague.” Alongside this defacement, the hacker shared a SQL dump of the admin panel database in an archived file named ‘paneldb_dump.zip.’
This incident follows a similar event that took place just a month earlier, where the Everest RaaS TOR site was also defaced with a comparable message, indicating a potential trend in targeting ransomware operations.
The individual behind the alias 'xoxo from Prague' remains shrouded in mystery, but their apparent mission is to disrupt and apprehend malicious ransomware threat actors. The defacement of a major ransomware organization's website, particularly the compromise of its administrative panel, is a rare occurrence in the cybersecurity landscape. The leaked SQL database is particularly noteworthy, as it provides critical insights into the operational methods of LockBit affiliates and their negotiation tactics for securing ransom payments from victims.
Investigations conducted by the Trellix Advanced Research Center have confirmed, with high confidence, that the leaked database originates from the LockBit affiliates' admin panel. This panel is instrumental in generating ransomware builds for various operating systems, including Linux, Windows, and ESXi, and it also facilitates access to victim negotiation chats.
The leaked SQL database dump contains a wealth of information, covering the period from December 18, 2024, to April 29, 2025. It includes details on LockBit advertisements (ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets, and ransomware build configurations.
As the cybersecurity community continues to analyze this breach, the implications for ransomware operations and the potential for law enforcement to leverage this information against cybercriminals are significant. The actions of 'xoxo from Prague' may mark a turning point in the ongoing battle against ransomware threats.