Nearly 60,000 Bitcoin addresses linked to the notorious LockBit ransomware gang have been exposed following a successful hack of the group’s dark web affiliate panel. The leak, which included a publicly shared MySQL database, has opened a rare window into the internal workings of one of the most dangerous cybercrime groups in the world.

The breach did not reveal any private keys, meaning the wallets cannot be drained, but it has equipped law enforcement and blockchain analysts with critical metadata. The dump includes 20 tables, one of which documents customized ransomware builds created by affiliates. It also includes a “chats” table containing over 4,400 private negotiation messages between LockBit and its victims.

LockBit has long been a dominant force in ransomware, known for targeting critical infrastructure globally. In early 2024, a coalition of 10 countries coordinated efforts to disrupt its operations after the group inflicted billions in damage. This latest breach could further destabilize their criminal network.

Analysts also found clues linking this breach to a previous incident involving the Everest ransomware group. The message left by the hackers was nearly identical to that used in Everest’s site defacement, suggesting a possible connection or even a coordinated takedown.

While LockBit claims no data loss occurred beyond the wallet addresses, the leak could lead to deeper investigations. Each ransomware victim was assigned a unique Bitcoin address for payments, and this data may now help trace ransom flows and potentially identify connected wallets and actors.

This breach underscores how deeply crypto remains embedded in the global ransomware economy—and how even cybercriminals aren't immune to being hacked themselves.