Information that can be highly valuable to law enforcement and the cybersecurity community was leaked after someone hacked into an administration panel used by the LockBit ransomware operation.

The hack came to light on May 7, when a domain associated with a LockBit administration panel was defaced to display a message that read “Don’t do crime, crime is bad xoxo from Prague”. The defaced page also included a link to an archive file containing information taken from the compromised server.

The leaked data includes private messages between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, details about attacks, and information on malware and infrastructure.

Several cybersecurity experts have analyzed the leaked data. Christiaan Beek, senior director of threat analytics at Rapid7, noted that the Bitcoin addresses could be useful to law enforcement.

In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, explained how the leaked data could be valuable for the cybersecurity community. 

The expert said the user data included in the leak likely pertains to affiliates or administrators of the ransomware operation. Searchlight Cyber has identified 76 records, including usernames and passwords, in the published data. 

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan said.

He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.”