A group claiming to be from Prague has seemingly hijacked LockBit’s dark web panel and leaked sensitive data, including its internal systems and Bitcoin wallets.

LockBit, one of the most notorious ransomware gangs, appears to have been hacked by someone claiming to be from Prague, who leaked internal data and left a message mocking the group.

Analysts at blockchain security firm SlowMist revealed in a Thursday blog post that the leaked data package included over 60,000 Bitcoin (BTC) addresses, about 75 user credentials, and ransom negotiation logs. One of the records even pointed to a ransom possibly being paid from a Coinbase account.

The attackers also appear to have gained access to a lightweight PHP-based management platform used by LockBit.

“[…] we speculate that the hacker from ‘Prague’ likely exploited a PHP 0-day or 1-day vulnerability to compromise the web backend and management console.”

SlowMist

LockBit later responded in Russian on its official channel. When asked whether the group was “pwned,” LockBit claimed that “only the lightweight panel with an authorization code was breached,” reassuring that “no decryptors were stolen, and no company data was affected.”

When asked if the hack would damage its reputation, LockBit admitted that it “affects” its reputation, but reiterated that the source code “was not stolen” and that the group is “already working on recovery.” Ironically, LockBit is now offering a bounty for information on the hacker, despite the U.S. government having previously offered up to $15 million in rewards for information on LockBit members.