Database Tables

In early May 2025, LockBit’s dark-web admin and affiliate panel was hijacked by an anonymous actor who defaced the site with the taunt “Don’t do crime. CRIME IS BAD. xoxo from Prague” and posted a link to paneldb_dump.zip, a MySQL archive (created April 29, 2025) that exposed the inner workings of the ransomware-as-a-service operation.

The 20-table dump includes affiliate and admin accounts, thousands of negotiation transcripts, CI/CD-style build records, and a trove of bitcoin payout addresses. Independent analysts later validated the dataset’s authenticity and mined it for insights, including counts of tens of thousands of wallet addresses and evidence of standardized playbooks across affiliates. The leak, arriving about a year after law-enforcement’s Operation Cronos disruption, provided investigators, journalists, and defenders with a rare, first-party window into LockBit’s business model and money flows.

api_history

Rows: 0
Columns: 6
Size: 16.0 KB
API request logging and monitoring. Tracks system access patterns and usage.
View Data

btc_addresses

Rows: 59975
Columns: 5
Size: 6672.0 KB
Bitcoin wallet addresses and transaction tracking. Contains approximately 60,000 cryptocurrency addresses associated with users or builds.
View Data

builds

Rows: 1183
Columns: 18
Size: 1552.0 KB
Ransomware build configurations and metadata. Stores victim company domain names, revenue amounts, and build dates. Contains over 630 unique domains including test environments.
View Data

builds_configurations

Rows: 1183
Columns: 6
Size: 3600.0 KB
Ransomware build configuration details. Stores technical specifications and settings for different build types.
View Data

chats

Rows: 4423
Columns: 14
Size: 1552.0 KB
Communication logs between LockBit operators and victims. Repository of nearly 4,200 messages from victims attempting to recover their data.
View Data

clients

Rows: 246
Columns: 26
Size: 48.0 KB
Victim organization information and session management. Tracks client interactions, payment status, and decryption progress.
View Data

events

Rows: 0
Columns: 4
Size: 16.0 KB
System event logging and audit trail. Records administrative actions and system changes.
View Data

events_seen

Rows: 0
Columns: 4
Size: 16.0 KB
Event acknowledgment tracking. Monitors which events have been reviewed by administrators.
View Data

faq

Rows: 1
Columns: 4
Size: 16.0 KB
Frequently asked questions and help content. Provides guidance for affiliates and users.
View Data

files

Rows: 1015
Columns: 10
Size: 176.0 KB
File storage and download tracking metadata. Contains information about files uploaded, processed, or stored within the LockBit system.
View Data

invites

Rows: 3693
Columns: 8
Size: 1552.0 KB
User invitation system and registration tracking. Contains invitation tokens and links sent to victims with associated Bitcoin/Monero wallet addresses and ransom amounts.
View Data

jobs

Rows: 0
Columns: 7
Size: 16.0 KB
Background task management. Handles system maintenance and processing jobs.
View Data

migrations

Rows: 34
Columns: 3
Size: 16.0 KB
Database schema version control. Tracks structural changes and updates.
View Data

news

Rows: 5
Columns: 4
Size: 16.0 KB
System announcements and updates. Contains operational communications and group updates.
View Data

pkeys

Rows: 30000
Columns: 8
Size: 10768.0 KB
Encryption keys and security credentials. Stores public/private key pairs and decryption information for ransomware operations.
View Data

socket_messages

Rows: 5339
Columns: 5
Size: 1552.0 KB
Real-time communication data. Stores WebSocket messages and real-time system communications.
View Data

system_invalid_requests

Rows: 3245
Columns: 12
Size: 1552.0 KB
Security monitoring and threat detection. Tracks invalid or unauthorized requests to identify exploitation attempts.
View Data

testfiles

Rows: 0
Columns: 8
Size: 16.0 KB
Testing and development files. Contains sample files used for system testing and validation.
View Data

users

Rows: 75
Columns: 26
Size: 64.0 KB
User accounts and authentication information for LockBit affiliates and administrators. Contains usernames, passwords, and messenger IDs for system access.
View Data

visits

Rows: 2398
Columns: 4
Size: 112.0 KB
User activity tracking. Monitors system access patterns and user behavior.
View Data