“Don’t do crime—CRIME IS BAD xoxo from Prague.” Recently, LockBit’s Dark Web leak site featured a simple message and a zipped archive link. The file included the Ransome group’s internal data, including its confidential conversation with the victims. This news made LockBit the talk of the cyber town, some mocking it for testing its own medicine, and others amused at the vulnerability of the cyber landscape, where even cybercriminals are not safe from cyberattacks. 

Is Cryptocurrency a Safe Haven for Cybercriminals? 

After data analysis, Coalition researchers found 60,000 Bitcoin addresses and more than 4,000 chats with victims between Dec. 19, 2024, and April 29, 2025. Interestingly, the ransom group was offering a 20% discount to those using Monero for ransom payments. This revelation has highlighted the dark side of decentralized digital currencies, becoming a haven for illicit finance, including ransom payments, where cybercriminals prefer those cryptocurrencies that offer more privacy-centric architecture. 

Who is LockBit? 

LockBit is a notorious ransomware gang operating since 2019. The group has developed its malicious software, releasing several iterations, including LockBit 2.0 in June 2021 and LockBit 3.0 (also known as LockBit Black) in June 2022. Each new version brought enhanced capabilities, targeting a wider range of operating systems like Windows, Linux, VMware ESXi, and macOS. LockBit operates on an affiliate model, where the core group develops and maintains the ransomware, and affiliates carry out the attacks, sharing a percentage of the ransom payments.

Who Hacked LockBit? 

Hacking LockBit is not a piece of cake. It is currently unclear who breached LockBit’s network. However, the note ‘Don’t do crime’ was also on the Everest ransomware gang leak site last month when it was hacked. It seems like a cyber Robinhood has debuted in the cyber landscape, but Robinhood is just punishing cyber criminals. 

Modus Opperundi of LockBit

LockBit is a centralized cyber gang that operates systematically, following a set pattern of crime. At first, it accesses the victim’s data through phishing or weak RDP. Then it exfiltrates the data through double extortion. The next step is file encryption, and lastly, the ransom note is delivered. Those victims who do not comply with the demand face data publication or data leak. 

Operation Cronos

Last year, an international law enforcement group started Operation Cronos against LockBit, which led to the arrest of several LockBit members, including Dmitry Yuryevich Khoroshev, a Russian national and the alleged ringleader of LockBitSupp.