Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto

By Jambul Tologonov · June 12, 2025

Introduction

On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’:

A month prior to that, a similar message was observed on the defaced Everest Ransomware as a Service (RaaS) TOR site:

There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims.

Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats. 

The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations. 

Here is an overview of the database schema:

The absence of table constraints in the SQL dump initially raised concerns regarding the authenticity and integrity of the provided data, however, further analysis of the leak data demonstrated substantial intelligence and insights on LockBit’s adverts, victim organizations, negotiation tactics and earnings. The details of these findings are addressed in this blog.

Return of LockBit RaaS

Since the third phase of Operation Cronos on October 1, 2024, the Trellix Advanced Research Center has noted a decline in the operational tempo of the LockBit RaaS gang. This period of reduced activity persisted until December 19, 2024, at which time the group announced the release of their latest ransomware variant, namely LockBit 4.0:

From the leaked admin panel logs, we discovered that around the same time LockBit set up their new affiliate panel they refer to as a ‘Lite’ panel. This panel features auto-registration functionality where LockBit decided to open up their admin panel to public and invite anyone who wants to work on their ‘targets’ (aka potential ransomware victim organizations) to join them for a small registration fee of $777 USD:

In early April 2025, Trellix observed heightened activity from the LockBit threat actor on underground forums, wherein they promoted a forthcoming update of their ransomware, LockBit 5.0:

Translation of Figure 6:

Translation of Figure 7:

After the LockBit’s admin panel leak, LockBit informed that they were busy with ongoing efforts to develop LockBit 5.0. However, the influx of RansomHUB RaaS affiliates seeking alternative operations due to disruptions caused by FBI intervention necessitated an expedited operational reactivation before the finalization of update LockBit 5.0. The LockBit perpetrator advised that this decision to activate their operations without finishing the LockBit 5.0 was beneficial in identifying LockBit’s infrastructural weaknesses and reinforcing their operational strengths:

Translation of Figure 8:

On underground forums, LockBit attempted to minimize the significance of their admin panel leak, stating that an investigation into the incident's cause is underway. They affirmed that decryption keys and stolen data remained secure, and both their full admin panel and blog remain operational. Furthermore, LockBit advised that all ransomware operations generating revenues exceeding $10 million USD are inherently vulnerable to hacking attempts:

Translation of Figure 9:

LockBit asserted their invincibility and the continuation of their RaaS operations. They have subsequently announced a monetary reward for verifiable information related to the hacker known as ‘xoxo from Prague’:

Translation of Figure 10:

Trellix maintains continuous monitoring of the development surrounding LockBit's prospective version 5.0. To this point, no active PR activities pertaining to the forthcoming LockBit release 5.0 have yet been observed.

Analysis of the LockBit leaked data

The following sections will present significant findings derived from LockBit's leaked admin panel data. This analysis includes insights into attacks targeting Russian organizations, victimology patterns, affiliate details, negotiation strategies with targeted entities and the overall earnings of the LockBit ransomware operation.

Attacks on Russian entities

It appears that two LockBit adverts king457533579 and amleto encrypted two Russian government entities, namely the Department of Bridge Constructions of Moscow (gormost.mos.ru) and Municipality of Chebarcul (chebarcul.ru). In both of the cases, LockBit apologized and provided the decryptors for free saying ‘these are tricks and doings of our competitors’ or that the related advert’s account was hacked and their password changed, potentially indicating FBI’s operation to undermine LockBit’s reputation and set them up.

It seems that in the case of gormost.mos.ru ransomware attack performed by king457533579, the victim organization was not able to decrypt the files and the  LockBit operator himself, who took over the negotiation, advised ‘people who set me up changed the key in the locker using hex editor so that the file can't be decrypted and I could not help you out’:

In the case of chebarcul.ru, the victim was informed they would get the decryption for free, however the provided decryptor did not work and the municipality administration became  nervous, saying to amleto ‘help us to recover, otherwise we will contact (Russian) Federal Authorities’:

This is not the first time LockBit ransomware has been used to attack Russian entities. In January 2024 when LockBit imposters attacked a Russian security company, AN-Security, LockBit stated that their competitors use a leaked builder to impersonate LockBit and inflict reputational damage to their ransomware program.

Victimology

Out of 156 unique clients mentioned in the leaked database, we identified 103 victim organizations who engaged in the negotiation with LockBit affiliates. Entities identified as potential victims where negotiation records were absent and only build generations were evident were excluded from the analysis. Similarly, test cases involving affiliate/developer panel assessments as well as instances of third-party organization experimentation, such as vx-underground assessing LockBit admin panel and generating LockBit 4.0 ransomware builds, were also excluded. 

Futhermore, out of 103 victim organizations, 12 were victims whose company names appeared on LockBit’s leak blog and one appeared on RansomHUB’s data leak site between the period of January 14, 2025 and May 9, 2025 (even two days after the LockBit’s admin panel leak), authenticating of the dataset analyzed.

Based on the given ‘company_website’ and ‘comment’ fields in the ‘builds_configurations’ table, we attempted to identify the affected victim organizations and where possible to enrich the dataset with the victim organization’s sector/industry as well as their geographic location. The subsequent analysis will focus on the five foremost victim sectors and countries targeted by LockBit ransomware.

Our analysis of LockBit's geographic targeting from December 2024 to April 2025 reveals China as the most heavily targeted country, with multiple affiliates including Iofikdis, PiotrBond and JamesCraig conducting numerous attacks on Chinese organizations. The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector. Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach.

From the leak data, the United States emerges as the second most targeted nation, with diverse affiliates such as BaleyBeach, umarbishop47 and btcdrugdealer leading these operations. Notably, the attacks in the US appear more distributed across different affiliates, suggesting a more opportunistic approach rather than specialized targeting.

Taiwan stands out as the third most targeted country, with Christopher showing a particularly focused campaign with multiple consecutive attacks. This concentration by a single affiliate might indicate specialized knowledge of the region's networks or specific vulnerabilities being exploited.

Brazil and Turkey round out the top five target countries, with affiliates like Swan, Christopher and JamesCraig conducting operations in these regions. Interestingly, Swan demonstrates a broad geographic reach, targeting multiple European countries including Austria, Czech Republic and Switzerland, suggesting sophisticated capabilities in navigating different regulatory environments.

As can be seen in Figure 14, the manufacturing sector is the most frequently targeted sector, with affiliates like PiotrBond, Iofikdis and Swan showing particular interest in this industry. Manufacturing victims appear consistently throughout the leaked dataset, suggesting the sector's vulnerability or potentially higher likelihood of ransom payment.

Consumer Services emerges as the second most targeted sector, with multiple affiliates including Swan, Christopher and albertsrun conducting repeated ransomware attacks. The sector's prominence might be attributed to its broad attack surface and potentially valuable customer data to use in their data extortion campaigns. Software/IT represents another significant target, with affiliates like Iofikdis, ZachariasAcosta and amleto specifically focusing on tech companies.

Finance sector attacks, primarily conducted by BaleyBeach, Christopher and jhon0722, demonstrate LockBit's continued interest in high-value targets with critical time sensitivities. Government institutions conclude the top five most affected sectors, with umarbishop47, Beast and KoreyAllen leading these particularly bold attacks, showing LockBit's willingness to target government agencies despite increased scrutiny.

Prominent affiliates and connections to other RaaS gangs

An examination of the leaked database revealed that the ‘users’ table contained details for 75 affiliates, including cleartext passwords and their classifications as ‘newbies’, ‘pentesters’, ‘scammers’ or ‘verified’ adverts. 25 affiliates possessed TOX IDs, and five of them specifically Brown, btcdrugdealer, Christopher, JamesCraig and Swan were tagged as ‘verified.’ Through the analysis of ‘system invalid requests’ and ‘socket messages’ tables in the leaked SQL DB, an additional 46 potential login details and five TOX IDs of adverts were extracted (refer to Appendix A). Trellix attempted to enrich the total of 121 affiliates' details by correlating them with underground intelligence data and our findings and possible connections can be found under the ‘Extra info’ column of the table in Appendix A.

Most successful adverts

The analysis of LockBit affiliates reveals interesting patterns in ransomware operations. The most active affiliates (Christopher, Swan and JamesCraig) account for 37 victim organizations combined, representing a significant portion of the victim dataset. Success rates vary dramatically, from 9% to 100%, but notably, higher victim counts don't necessarily translate to better success rates. The most successful operators maintain a success rate between 17-50% when dealing with multiple victims. Initial ransom demands range from a few thousand to millions of dollars, with most affiliates offering substantial discounts (10-80%) during negotiations.

In the below table, we’ve summarized the most successful affiliates focusing on how much initial ransom they demand from the victim organization (typically 10% of their annual revenue), the discount the adverts offer during the negotiation as well as their success rate of getting the final ransom payment. 

NOTE: Some of the ransom amounts were given in BTC and not in USD. We analysed the historical BTC to USD conversion rates for the period of December 18, 2024 to April 29, 2025 and took the average rate of 1 BTC equal to $92,000 USD. Victims with no negotiation chats and/or ransom demands were discarded from the below analysis.

Here are profiles of the two LockBit’s most active and successful affiliates:

Christopher (Most Successful High-Volume Operator):

• Geographic Focus: Strong presence in Asia (primarily Taiwan), with strategic operations in Greece, UAE and Philippines
• Sector Diversity: Manufacturing, Finance, Consumer Services and Hospitality
• Target Profile: Consistently targets $10 million USD revenue companies
• Ransom Strategy: Initial demands between $25,000-120,000 USD (relatively modest compared to company size)
• Negotiation Pattern: Aggressive discounting (16-67%), suggesting flexible negotiation tactics
• Success Rate: 57% - highest among major operators
• Key Insight: Success likely due to balanced ransom demands and willingness to negotiate, particularly effective in Asian markets

Swan (High-Volume, Lower Success):

• Geographic Focus: Diverse European presence (Switzerland, Austria, Germany) with some Middle Eastern operations
• Sector Diversity: Wide range - Software/IT, Government, Manufacturing, Consumer Services
• Target Profile: Broad range ($5-45 million USD revenue), including some government entities
• Ransom Strategy: Ambitious initial demands ($20,000-2 million USD), highest among all operators
• Negotiation Pattern: Wide discount range (10-80%), suggesting case-by-case approach
• Success Rate: 17% - moderate success despite high demands. It is noteworthy that Swan has the highest amount of ransom paid by a single company, $2 million USD (21.1 BTC) 
• Key Insight: Lower success rate might be due to ambitious initial demands, but achieves high-value payments when successful

Above observations demonstrate successful LockBit ransomware affiliates typically align ransom amounts with the target company's size and focus on specific geographic regions or industry sectors, rather than broadly targeting diverse entities. This implies a calculated method for victim targeting to optimize the likelihood of ransom payment.

RansomHUB LockBit affiliates

Following the discontinuation of the RansomHUB RaaSprogram in late March 2025, leaked data suggest that certain affiliates transitioned to the LockBit RaaS platform. In fact LockBit stated they reactivated operations primarily due to persistent inquiries from the affiliates. One of those affiliates is BaleyBeach who appears to have taken the RansomHUB RaaS victim to LockBit’s platform. As per the leaked negotiation chats, BaleyBeach, who had negotiation with a victim at the beginning of April 2025, advised them that ‘RansomHUB closed and they moved to LockBit ransomware’. Furthermore, BaleyBeach informed the victim organization that ‘All you need to know is that we are the only owners of your data. Technically you don't pay LockBit, you pay independent researchers’:

Another affiliate of RansomHUB is GuillaumeAtkinson who attempted to negotiate with a Swedish Sport company SportAdmin at sportadmin.se in mid-January 2025 when RansomHUB RaaS was still active. Although there are no chats available in the leaked LockBit data with the affected company, at the beginning of February 2025 the victim company was posted on the leak site of RansomHUB RaaS proving that GuillaumeAtkinson potentially collaborated with both LockBit and RansomHUB at the same time:

HellCat LockBit affiliates

It appears that the affiliate KoreyAllen works with both HellCat and LockBit ransomware gangs. On March 20, 2025 while chatting with a victim company, KoreyAllen wrote to them ‘LockBit & HellCat Encrypted your network, You 39 Day to negotiate’. HellCat ransomware first appeared in November 2024 and since then listed 20 victim organizations on their TOR leak site, including a large French energy company and a major US telecom provider.

It is probable that KoreyAllen is connected to the moniker Rey who two days after the LockBit admin panel leak posted that the HellCat RaaS was closed and transferred to another party and they have no connection with HellCat ransomware anymore:

Evil Corp LockBit connection

On February 26, 2025, login attempts by two adverts, specifically Evilcorpfuckfishers and Evilcorpwatchyou were logged in the 'system invalid requests' table of the leaked database. These identifications, while potentially tangential, are noteworthy given the previously established connections between LockBit affiliates and Evil Corp as per the NCA Operation Cronos publication:

It is plausible that individuals associated with the Evil Corp cybercrime group still maintain an operational relationship with the LockBit RaaS group.

LockBit earnings

Earnings from victims

An analysis of LockBit negotiation chats revealed 18 confirmed payments to cryptocurrency wallets believed to be under the control of LockBit affiliates (see Appendix B). Based on a conversion rate of $92,000 USD per 1 BTC, our findings show that the estimated earnings of the LockBit ransomware operations between December 2024 and April 2025 are approximately 2,337,000 USD.

An analysis of the 'btc addresses' table, containing approximately 60,000 Bitcoin addresses, showed that only 19 addresses had transaction records. These 19 addresses appear to be cryptocurrency wallets under the control of the LockBit owner, designated for receiving 20% of ransom payments as per the LockBit RaaS affiliate rules. Notably, 18 of these addresses correlated with 18 confirmed ransom payments from victim organizations, each representing 20% of the final agreed ransom amount. The remaining transaction, involving $2 USD, was initiated by the affiliate Dezed941 potentially as a test transaction to a LockBit-controlled BTC wallet. Therefore, it can be inferred that the nearly 60,000 Bitcoin addresses were not the intended recipient BTC addresses for victim ransom payments. Instead, these BTC addresses were generated and assigned by the LockBit operator to affiliates for the purpose of remitting their 20% share of the negotiated ransom payment:

In total, the LockBit RaaS owner received approximately USD 456,000 in earnings derived from ransom payments. Notably, a substantial proportion of these earnings, nearly $390,000 USD (4.22 BTC), originated from a single victim of the advert Swan who made a ransom payment of $2,000,000 USD (21.1 BTC).

Earning from affiliate invites

The leaked LockBit admin panel database's 'invites' table contained 2,338 BTC and 1,335 Monero (XMR) wallet addresses. Everyone attempting auto-registration for LockBit’s admin panel access were assigned one of these wallets and required to pay a $777 USD fee. On the RAMP underground forum LockBit claimed to have earned approximately $100,000 USD in the last six months from these auto-registration invite fees alone:

Translation of Figure 19:

An investigation into associated BTC wallet addresses showed that only 12 of the 2,338 wallets exhibited one or two transactions wherein invitees remitted $777 USD to cryptocurrency addresses controlled by the LockBit operator. The remaining BTC wallets demonstrated no transactional activity. Consequently, it is deduced that LockBit accrued $9,324 USD from auto-registration based on Bitcoin wallet transactions, and a mere 0.5% of newly registered affiliates paid the required registration fee. 

Due to the inherent privacy features of the Monero blockchain, transaction tracing across 1,335 XMR wallet addresses was not feasible. However, assuming an equivalent 0.5% adverts payment rate for Monero addresses, that would yield LockBit approximately seven XMR, equivalent to roughly $1,500 USD.

To sum it up, we believe LockBit's revenue derived from auto-registration invitations amounts to approximately $10,000-$11,000 USD over the preceding 5-6 months. The assertion made by LockBit on the RAMP underground forum, which claimed monthly earnings of $100,000 USD from auto-registration, is thus considered to be significantly exaggerated.

Furthermore, LockBit suggests that the ‘Lite’ admin panel featuring auto-registration is designated for lower-level affiliates, while verified adverts work with the full admin panel. Our analysis reveals that the Lite panel had verified affiliates who worked on high-value targets with similarly substantial payouts. Therefore we believe that the sole distinction between the Lite and full LockBit admin panels lies in the auto-registration feature of the LockBit Lite panel, which the LockBit operator implemented in an attempt to generate additional revenue by extending access to all parties. Our findings from the leaked database indicated that this strategy for augmented income was not particularly effective.

Conclusion

The LockBit admin panel leak offers a fascinating and unsettling glimpse into the inner workings of a major ransomware operation. Several aspects stand out. The victimology data reveals some unexpected targeting patterns. It's particularly surprising to see such a concentrated effort on Chinese and Taiwanese organizations. Unlike other ransomware groups that might shy away from such politically sensitive targets, LockBit appears to have operated with a different calculus.

Then there's the negotiation process employed by the affiliates. The data paints a picture of varying strategies, with initial ransom demands ranging from modest to exorbitant. What’s clear is that substantial discounts were the norm, often between 10% and 80%, highlighting the haggling that goes on behind the scenes of these cyber extortion attempts. Affiliate success within LockBit varied significantly, indicating differences in skill and potentially specialization in specific familiar industries and/or countries.

Finally, the question of earnings. According to our analysis of the leaked data, LockBit RaaS earned around $2,3 million USD within 5 months. However, LockBit’s claims of pulling in $100,000 USD a month only from auto-registration fees are clearly inflated. The reality, based on traceable transactions, is significantly lower, closer to $10,000-$11,000 USD over several months. This underscores a critical point: you can't trust cyber criminals, especially those engaged in ransomware. They will exaggerate their successes and downplay their failures. What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is.

Appendices

Appendix A

Possible LockBit affiliates including their contact details and extra information:

Appendix B

Victim payment details extracted from leaked negotiation chats where ransom amounts were explicitly specified:

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/