NOTE: I started this story before Operation Cronos, so you can see small details unfolding before the FBI/Europol compromise and afterwards. This article mainly focuses on the comeback of the LockBit group and their approach after Operation Cronos, and does NOT make any attribution regarding the identity of LockBitSupp. It is a collection of events in the LockBit series that had gone unnoticed, and it also discusses the periodic development of LockBit group activities.
INTRODUCTION
THE COMEBACK
VICTIMIZATION
LOCKBIT INFRASTRUCTURE HUNT
LOCKBIT MOVING TO TORRENT FILE SHARES
VICTIM CASE STUDY: CRINETICS
LOCKBIT LEAK HOSTING
UNRELATED LOCKBIT DOMAIN
LOCKBIT IMITATORS AROUND
LOCKBIT AFFILIATE?
REALITY CHECK?
LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH
OPERATION CRONOS: PART 2
LOCKBIT TOX STATUS UPDATES
CONCLUSION
UPDATE 1
UPDATE 2
💡INSIDE LOCKBIT4.0 CHAT
💡INTELLIGENCE: LOCKBIT4.0 SAMPLES
LOCKBIT 5.0 ANNOUNCEMENT
LOCKBIT 5.0 SAMPLE ANALYSIS
USES OF VHASH IN THREAT HUNTING
LOCKBIT 5.0 VICTIMS ANNOUNCED
💡LOCKBIT 5.0: EXPOSING REAL IP
💡LEAK CLAIM ANALYSIS
LOCKBIT 5.0 RESPONSE
LOCKBIT ANNOUNCED NEW TOR DOMAINS FOR TORRENT
PANEL INFILTRATION
IOC
INTRODUCTION
After the ban of LockBit on forums like XSS and Exploit, and the law-enforcement infiltration of LockBit via Operation Cronos, it is evident that the group lost a number of internal assets: the negotiation panel, affiliate member list, victim database, chats and decryption keys were exposed to the public, and their well-built reputation was tainted.
LockBit bounces back | Credit: Self-Gen AI
Initially, on their comeback, LockBit published past leaks (from before Operation Cronos). When the infosec community criticized the re-use of old leaks, the group withdrew them and came back with a fresh batch of victims.
This article is purely going to focus on the 2nd reign of LOCKBIT!
THE COMEBACK
After Operation Cronos Part 1, it took about a week for LockBit to resurface with all their mirror servers back online, listing new victims on their Data Leak Site (DLS).
LockBit DLS Page
All victims are given an average negotiation window of 29 days before the entire data set is leaked to the public on the LockBit leak servers.
Currently, the victim list stands at 200+ (post Operation Cronos), which signifies their strong presence in the corporate ransomware scene.
NOTE: Operation Cronos had a major impact in crippling LockBit, but the group has held on despite the setbacks.
VICTIMIZATION
LockBit started to victimize more often, even including reputed targets such as the US government agency DISB (the Government of the District of Columbia Department of Insurance, Securities and Banking, which regulates financial-service businesses), Polycab, OracleCMS, Nampak, Crinetics, etc.
However, the victims' data now appears on their site with a delay, whereas before Operation Cronos uploads were routine.
In some cases (such as Polycab, Krueth and CasaJove), the leaks are not listed even after the deadline, which is suspicious. This could be due to LockBit losing the data at the time of Operation Cronos, or the victims might have paid the ransom.
Looking at the victim geography, the US tops the list, followed by the UK, Germany, Canada, India and France.
NOTE: While analyzing the data, it was found that LockBit had listed 235 victims (ATTOW) after Operation Cronos Parts 1 and 2. For details, you may contact me.
LOCKBIT INFRASTRUCTURE HUNT
During the analysis, it was found that LockBit maintains a stable server to host large leaks on a new Onion Domain:-
This leak site is running on nginx/1.25.4, which is the latest version of NGINX (ATTOW), as promised by LockBit to avoid running any unpatched versions after Operation Cronos Part 1.
Their main DLS is the following, which is running on nginx/1.24.0:-
During my research, LockBit’s original IP got exposed:-
One of the Original IPs of LockBit Blog
By digging further, we can extrapolate the following details:-
IP: 5.182.5.126
ASN: 49505
Location: Russia
Server: NGINX
NOTE: The same IP has a historic connection with the domain waralbum.ru, which was associated with the BuhTrap banking trojan in 2016.
Old LockBit servers (now controlled by Europol under Operation Cronos) were running Apache/2.4.57 (Debian). The LockBit group has moved to NGINX servers with the newest stable Onion domains.
LOCKBIT MOVING TO TORRENT FILE SHARES
On March 9, 2024, LockBit operators brought 18 vanity Onion domains online, listing about 710+ clients along with torrent files to make downloading easier.
NOTE: All the Onion Domains are listed at the end of the article in the IOC Section
In mid-November 2023, LockBit decided to create torrent files for all of its victims for easier accessibility. Each victim's data (torrent version) is packaged and assigned a five-character name instead of the company name, such as I85F5, 7E6EE, V4DV5, LIHD9, PLPT7, etc.
LockBit Leaks in Torrent Platform
While digging further, it was also observed that a file tree for each victim was created on the same day, i.e. 9th March 2024.
All the torrent trackers of LockBit leaks are connected to:-
Torrenting leaks is not a new approach, as the Clop ransomware gang had already used it back in September 2023. It helps them blend their traffic with public traffic, and the leaked files stay available longer because they are shared in a decentralized fashion.
VICTIM CASE STUDY: CRINETICS
Crinetics is listed by LockBit as the work of a shadow group or an affiliate, whose data is not claimed directly by LockBit.
Initial Deadline for Crinetics
On 20th March, as an update, the group listed 8 screenshots of the negotiation taking place between LockBit and the victim.
The demand was $4M, but the client could pay up to $1.8M.
Negotiation between Victim and LockBit
On April 2, as the negotiation did not bear fruit, the group extended its leak date to 7th April 2024, along with an explanation stating that LockBit had terminated communication with the victim because the victim had provided information to Recorded Future, violating the instructions given by LockBit.
Crinetics Leak Statement about upcoming Full Disclosure
Finally, the LockBit affiliate closed this chapter on April 11, 2024 by increasing the ransom for information destruction and data download to $7M.
The BTC wallets demanded for Crinetics are listed below:-
NOTE: It is observed that the chat transcript of this client was deliberately put by LockBit on its shame page, which has not been observed for any other victim. This could be a warning message to the public to prove that negotiations take place in the millions, or the act might not have been carried out directly by LockBit but by an affiliate.
LOCKBIT LEAK HOSTING
The newly released victim data (post Europol episode) is initially hosted on Mega instead of dedicated LockBit data servers, as it takes more operational time to upload the databases to LockBit servers, and is later moved to their dedicated LockBit servers.
It can be assumed that this could be a non-LockBit affiliate, or there could be a storage issue, as LockBit (or affiliates) decided to store it on a separate Onion domain unrelated to LockBit.
For this client, they have given BTC and XMR addresses similar to Crinetics: the BTC addresses are different, but the XMR address remains the same.
A new pattern was found for well-known targets, where LockBit extends the leak period from 5 days by an additional 10 days, hence delaying the leak.
LOCKBIT IMITATORS AROUND
It is found that there are various scammers around the cyber corners on sources such as Telegram channels, Discord servers, etc. Sometimes we even see ransom notes imitating the LockBit style of attack.
Ransom Note of Fake LockBit
NOTE: Here, you can see that the imitator used genuine LockBit URLs and TOX ID to appear authentic. But when it comes to XMPP, the same ID is present in CryptBB ransomware, which dates back to November 2022.
Many noobs got hold of the leaked LockBit builder and weaponized it against random targets, hoping to hit a jackpot. The targets may misidentify them as legitimate LockBit and hence end up paying them.
Telegram Post about Fake LockBit Dealers
Here is another chat transcript with a fake LockBitSupp on the Telegram platform, where he charges $500 as a joining fee for a private group:-
Chat with Fake LockBitSupp
In another scenario, the victim companies leaked by LockBit are being re-surfaced by other groups such as “Dispossessor”, which lists the same LockBit victims. Here you can see a screenshot of this from their website:-
By observing their victim list, it is found that the group had listed 80% of its clients from LockBit and also listed a few victims from 3AM and 8Base.
NOTE: This indicates that there are groups who regularly download the leaks and list them after a while by launching a new website.
NOTE 2: If you want to read about LockBit imitators exclusively, I wrote a research article a couple of months back. You can check it out here.
LOCKBIT AFFILIATE?
While checking for LockBit affiliates on the dark web, it was found that a Russian member named “Hexonium” on a deep web forum claimed to be an affiliate of LockBit by providing the genuine Onion domain of LockBit.
Checking the forum activity and URL used, we can see that this member has been active since December 2023.
Hexonium User Profile
While navigating through the posts, we can see:-
Hexonium Thread Interaction
Hexonium does not initiate/start any thread in the community and all (S)he does is interact with the breaches by posting “nigger” as a common term in all posts.
Hence we cannot rely on Hexonium as a genuine affiliate, as we have seen many skids borrow the LockBit aura to spread fear among victims, especially since LockBit Black got leaked in September 2022.
NOTE: Hexonium is the name of an in-game cryptocurrency, a project on Cardano. The image used by the forum user also signals the user's strong liking for the Cardano platform.
REALITY CHECK?
Here is a direct interaction with LockBitSupp, where he denies any involvement in other channels.
Chat Transcript with LockBitSupp (LockBit Admin)
LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH
It is found that the group is delaying its leaks beyond the already-set timer. This does not apply to all listed victims, but it has been observed for a few.
Polycab is one such example: the initial leak date was April 5, which was then extended to April 22, 2024. Even after the timer ran out, the data has not been listed (ATTOW). It could have been lost during the first batch of the Operation Cronos campaign.
Another well-known corporation from India, “RJCorp”, was scheduled for release on April 15th but is missing from the current list.
There are 2 possibilities for this: either the party paid the ransom and their name was removed from the Data Leak Site, or it was an empty threat by LockBit to inflate their victim count.
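The timer behaviour described above (an initial deadline that is later pushed out, a deadline that passes with no data listed, and a victim that silently vanishes from the list) is the kind of pattern a threat-intel team tracks across repeated DLS snapshots. The following Python is an added example, not code from this article, and it runs on constructed snapshot records: the Polycab and RJCorp dates mirror the ones stated above, while “ExampleCo” and the snapshot observation dates are placeholders.

```python
from datetime import date

# Constructed DLS snapshots (not scraped data). Each observation day maps a
# victim name to (announced leak deadline, whether leaked data is listed).
# Polycab and RJCorp dates follow the article; ExampleCo is a placeholder.
SNAPSHOTS = {
    date(2024, 3, 20): {
        "Polycab": (date(2024, 4, 5), False),
        "RJCorp": (date(2024, 4, 15), False),
        "ExampleCo": (date(2024, 4, 1), False),
    },
    date(2024, 4, 6): {
        "Polycab": (date(2024, 4, 22), False),   # deadline pushed out
        "RJCorp": (date(2024, 4, 15), False),
        "ExampleCo": (date(2024, 4, 1), True),   # data listed after deadline
    },
    date(2024, 4, 23): {
        "Polycab": (date(2024, 4, 22), False),   # expired, still no data
        "ExampleCo": (date(2024, 4, 1), True),
        # RJCorp has disappeared from the listing
    },
}


def deadline_history(snapshots):
    """Map each victim to the ordered list of distinct deadlines observed."""
    history = {}
    for day in sorted(snapshots):
        for victim, (deadline, _listed) in snapshots[day].items():
            seen = history.setdefault(victim, [])
            if not seen or seen[-1] != deadline:
                seen.append(deadline)
    return history


def extended(snapshots):
    """Victims whose deadline changed at least once (the 'leak date extension' pattern)."""
    return {v: d for v, d in deadline_history(snapshots).items() if len(d) > 1}


def classify(snapshots):
    """Status of every victim as of the latest snapshot:
    pending  - final deadline not yet reached
    leaked   - deadline passed and data is listed
    overdue  - deadline passed, victim still listed, no data (possible data loss)
    removed  - deadline passed and victim vanished (possible payment or empty threat)
    """
    latest_day = max(snapshots)
    latest = snapshots[latest_day]
    status = {}
    for victim, deadlines in deadline_history(snapshots).items():
        final = deadlines[-1]
        if final >= latest_day:
            status[victim] = "pending"
        elif victim not in latest:
            status[victim] = "removed"
        elif latest[victim][1]:
            status[victim] = "leaked"
        else:
            status[victim] = "overdue"
    return status


if __name__ == "__main__":
    for victim, deadlines in extended(SNAPSHOTS).items():
        moved = " -> ".join(d.isoformat() for d in deadlines)
        print(f"{victim}: deadline moved {moved}")
    for victim, state in sorted(classify(SNAPSHOTS).items()):
        print(f"{victim}: {state}")
```

The "removed" and "overdue" buckets are exactly the two cases discussed for RJCorp and Polycab; keeping every snapshot rather than only the latest one is what makes the extension visible at all.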
OPERATION CRONOS: PART 2
In the first week of May 2024, Europol posted the following update on the previously compromised LockBit website:-
Europol Message on Old LockBit Onion Site (BEFORE REVEAL)
According to the post, the identity of LockBitSupp and other LockBit affiliates was revealed on May 7, 14:00 UTC.
As per the revelation, the identity of LockBitSupp was traced to a Russian national named “Dmitry Yuryevich Khoroshev”.
FBI Notice on Old LockBit DLS
Following are the events observed after the LockBit identity reveal:-
1) Soon after this disclosure, many security researchers began to scoop up details about the alleged member using the email addresses and phone numbers shared.
2) One hour after the identity reveal, LockBitSupp came up with the following status:-
The FBI is bluffing, I m not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))
3) After this status update, many in the industry started to correlate this as a defensive approach by Khoroshev to clear himself.
This may be true, but we cannot know at this moment.
4) The following day, on May 9th, LockBit added 77 new victims to their DLS domain. Some of the victims reappeared in the new batch. This could be to inflate the number of victims, delivering an overall impression of a high number of single-batch infections.
New Batch of Victims loaded to LockBit DLS after Operation Cronos Part 2
5) LockBit also added a new message on the DLS titled “contest.omg”, where he challenged the community to communicate with Dmitry and provide evidence through their new portal.
LockBit Challenge Post after Op. Cronos 2
Special Service setup by LockBit to submit proofs about Dmitry
6) The old sites (controlled by the Feds) have now been shut down (they were active for 4 days).
Old LockBit Site shuts by NCA/Europol
LOCKBIT TOX STATUS UPDATES
Here are the important status updates of LockBitSupp, captured at different intervals:-
все на шашлындос Everything is on the Barbeque
ФБР блефует, я не Демон, мне жаль настоящего Демона))) о, и он получит пизды за мои грехи))) The FBI is bluffing, I m not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))
Придумайте как доказать, что я не Демон? Как показать всему миру что ФБР ошиблись или специально подставили Демона? Can you figure out how to prove that I'm not a Demon? How can we show the whole world that the FBI made a mistake or deliberately framed a Demon?
участвуем в конкурсе, условия в блоге We participate in the competition, conditions in the blog
CONCLUSION
When it comes to takedowns, they are not as effective as claimed. As RaaS is a profitable business, this trend will continue. The arrest of a group paves the way for the comeback or birth of the next group with a more defensive approach.
In this case, it is not yet clear how Europol landed on Khoroshev. In short, no substantial evidence has been provided to establish an active link between Khoroshev and LockBit beyond an assumption based on similar timelines.
At the same time, due to the secrecy of the operation, we cannot be sure that Dmitry is NOT LockBitSupp.
We have to wait a bit longer for the truth to unfold, as LockBitSupp has announced that it is no longer about money for them, but about the victim count.
NOTE: This is a developing story and you will see updates once I get them.
UPDATE 1
LockBit became less active for a couple of weeks, but then announced a major data breach by listing the US FEDERAL RESERVE, the central banking system of the US. The group claimed to have obtained about 33TB of data (comprising banking information).
This turned out to be a false alarm, as the data in the leak belonged to Evolve Bank, which may or may not be (in)directly associated with the US Federal Reserve.
The group also introduced a new Onion domain (TOR URL) recently:-
On December 19, 2024, LockBit announced a new domain on their DLS named “lockbit4.com”.
NOTE: Many people chased this domain on the clear web; it was registered on 19th December 2024 from New Zealand with the registrant identity concealed. This domain was set up by the group to spread the word about their resurgence.
While checking the leaks, we can see the following image when opening the link:-
5 new Onion domains are introduced by the group with a new access key, ADTISZRLVUMXDJ34RCBZFNO6BNKLEYKYS5FZPNNXK4S2RSHOENUA, tagging it as “LockBit 4”. They are:-
Unlike previous LockBit ransom notes, this time they have made minor changes to the ransom note. Following is an image of the ransom note captured:-
INSIDE LOCKBIT4.0 CHAT
Victims are welcomed with the following panel:-
The group claims to use AES and ECC (Elliptic Curve Cryptography) algorithms. The group does not explicitly mention which curve is used, but it can be assumed that Curve25519 is used, which is notably used by other ransomware groups like RansomHub, RA Group, Babuk, etc.
In the chat, we can see that the group has introduced 3 new URLs dedicated to a file upload service (sample file decryption) for files larger than 10MB.
Following are the latest PowerShell files used by the LockBit group. These files may be part of a 2022 batch, as some of the samples found trace back to the 2022 timeline.
The group announced the 5th version of LockBit on the 6th anniversary of the LockBit ransomware group, on 3rd August 2025. The group had discussed this update on the RAMP forum a few months earlier.
However, it is important to note that these newly set up domains are not linked to the legacy TOR domains of LockBit ransomware, except for the inclusion of the same TOX ID.
Moreover, the DLS has not displayed any new victims from the LockBit group since April 2025, and the main DLS is sometimes offline.
This indicates that LockBit 5.0 could be another gang impersonating LockBit, or a honey-trap set up by the FBI to tail the affiliates.
LOCKBIT 5.0 SAMPLE ANALYSIS
While observing the LockBit 5.0 samples, an interesting fact was found: most of the samples share a similar VHash. This indicates that an identical builder and the same builder configuration (same embedded config, same compilation options, same stub, same packer settings, same encryption key placeholder, etc.) were used to generate the samples. Only the final encryption key or a tiny mutable field was inserted later (or not at all yet).
They will encrypt the same way, drop the same ransom note, contact the same C2 domains (or carry the same placeholder), use the same extension, etc.
Following is the list of LockBit 5.0 samples identified along with their VHash values:-
While analyzing the VHash, another interesting fact was found: all VHashes start with “0”.
2 Samples with Same VHash
The VHashes of LockBit 5.0 are identical except for the first 3 characters; the remainder, 056657d15151"z, is the same across all 8 samples identified.
USES OF VHASH IN THREAT HUNTING
📌 This would help to eliminate false positives while analyzing samples in bulk
📌 No need to analyze multiple samples with the same VHash
📌 It also helps to identify LockBit 5.0 samples even though the creation time has been altered
📌 It also helps to identify whether any project got forked/mirrored blindly
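To show how the VHash observation turns into a triage step, here is an added Python example (not code from this article). The sample records are constructed: the SHA-256 values are placeholders, only the VHash tail 056657d15151"z comes from the findings above, and the leading three characters of each constructed VHash are invented to mimic the small variation described.

```python
from collections import defaultdict

# Shared VHash tail reported for the LockBit 5.0 batch; the first three
# characters are the only part observed to vary between samples.
LOCKBIT5_TAIL = '056657d15151"z'

# Constructed sample records: (placeholder SHA-256, VHash, PE compile timestamp).
# The VHash prefixes and timestamps are invented for the demonstration.
SAMPLES = [
    ("sha256-placeholder-01", '0ad056657d15151"z', "2025-11-02"),
    ("sha256-placeholder-02", '0ad056657d15151"z', "2019-05-30"),  # timestamp altered
    ("sha256-placeholder-03", '0bc056657d15151"z', "2025-11-03"),
    ("sha256-placeholder-04", '0ad056657d15151"z', "2025-11-03"),
    ("sha256-placeholder-05", '11f0a3b7c9d21e4"z', "2025-11-03"),  # unrelated family
]


def common_suffix(strings):
    """Longest suffix shared by every string (empty if none)."""
    if not strings:
        return ""
    shortest = min(strings, key=len)
    for n in range(len(shortest), 0, -1):
        tail = shortest[-n:]
        if all(s.endswith(tail) for s in strings):
            return tail
    return ""


def cluster_by_vhash(samples):
    """Group sample hashes by exact VHash: one member per cluster is enough to analyze."""
    clusters = defaultdict(list)
    for sha256, vhash, _ts in samples:
        clusters[vhash].append(sha256)
    return dict(clusters)


def is_lockbit5_family(vhash, tail=LOCKBIT5_TAIL):
    """Match on the stable tail plus the leading '0', ignoring the variable prefix."""
    return vhash.startswith("0") and vhash.endswith(tail)


def family_vhashes(samples, tail=LOCKBIT5_TAIL):
    return [vhash for _sha, vhash, _ts in samples if is_lockbit5_family(vhash, tail)]


def triage_queue(samples, tail=LOCKBIT5_TAIL):
    """One representative SHA-256 per distinct family VHash, independent of the
    compile timestamp (which, as noted above, can be altered)."""
    representatives = {}
    for sha256, vhash, _ts in samples:
        if is_lockbit5_family(vhash, tail) and vhash not in representatives:
            representatives[vhash] = sha256
    return representatives


if __name__ == "__main__":
    print("stable tail:", common_suffix(family_vhashes(SAMPLES)))
    for vhash, members in cluster_by_vhash(SAMPLES).items():
        print(vhash, "->", len(members), "sample(s)")
    print("to analyze:", list(triage_queue(SAMPLES).values()))
```

Matching on the suffix rather than the full VHash is what lets the check survive the small prefix variation, while the exact-VHash clustering is what collapses near-duplicate builds into a single analysis task.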
On December 4, 2025, the group listed 23 victims on their newly announced DLS.
Out of the 23 victims listed, 10 are from the previous batch with a timeline of early 2025 (April).
Among these, 1 was earlier claimed by Weyhro ransomware and another by RansomHouse ransomware.
All victims have a 15-day countdown timer before the official leak.
LOCKBIT 5.0: EXPOSING REAL IP
Digging deeper, I came across the real IP used by the LockBit 5.0 group, which is hosted with AS53667 (PONYNET):-
205.185.116.233
On further scanning, a domain was also found displaying the same LockBit 5.0 logo with the same DDoS message as shown above:-
karma0.xyz
The above domain was registered on 2nd November 2025, so we can see the group resumed their activities after a short silence.
It is also found that the LockBit group used SmokeLoader in their attacks. Below is the hash of the SmokeLoader used by the LockBit group:-
MD5: e818a9afd55693d556a47002a7b7ef31
LEAK CLAIMS ANALYSIS
Checking the 39 victims listed (as of 7th December 2025), it is found that 11 are recycled from early 2025 LockBit leaks. They are:-
Crystal-D
Vision Products
KLL-Law
Hennessy Funds
Graphique de France
AQHCH
Fepasa
Grupotersa
Bioclima
Ende
AEAMG
Some of the X-claims (cross claims) include:-
Terra Caribbean: Weyhro
Intellion: RansomHub
Cadopt: BianLian
Marriott: Conti
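Recycled victims and cross-claims are easy to miss when names are spelled differently across listings (hyphens, corporate suffixes, case). The following Python is an added example, not code from this article: it normalizes names before comparing a new DLS batch against an earlier batch and against other groups' claims. The lists are constructed from the names given above plus obvious placeholders; they are not the article's complete data.

```python
import re

SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "sa", "group", "plc"}


def normalize(name):
    """Fold case, punctuation and common corporate suffixes so that
    'KLL-Law', 'KLL Law' and 'KLL Law Ltd' compare equal."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


# Constructed lists: victim names from the article where given, placeholders otherwise.
EARLY_2025 = ["Crystal-D", "Vision Products", "KLL Law", "Hennessy Funds", "PlaceholderCo"]
DECEMBER_2025 = ["Crystal-D", "KLL-Law", "Terra Caribbean", "Intellion", "Cadopt", "NewVictim Ltd"]
OTHER_GROUP_CLAIMS = {  # victim -> group that claimed it earlier
    "Terra Caribbean": "Weyhro",
    "Intellion": "RansomHub",
    "Cadopt": "BianLian",
    "Marriott": "Conti",
}


def recycled(new_batch, old_batch):
    """Names in the new batch already seen in an earlier batch (original spelling kept)."""
    old = {normalize(n) for n in old_batch}
    return [n for n in new_batch if normalize(n) in old]


def cross_claims(new_batch, other_claims):
    """Names in the new batch that another group claimed first."""
    by_norm = {normalize(v): g for v, g in other_claims.items()}
    return {n: by_norm[normalize(n)] for n in new_batch if normalize(n) in by_norm}


def fresh(new_batch, old_batch, other_claims):
    """Names that are neither recycled nor cross-claimed: the genuinely new entries."""
    flagged = set(recycled(new_batch, old_batch)) | set(cross_claims(new_batch, other_claims))
    return [n for n in new_batch if n not in flagged]


if __name__ == "__main__":
    print("recycled:", recycled(DECEMBER_2025, EARLY_2025))
    print("cross-claims:", cross_claims(DECEMBER_2025, OTHER_GROUP_CLAIMS))
    print("fresh:", fresh(DECEMBER_2025, EARLY_2025, OTHER_GROUP_CLAIMS))
```

The "fresh" list is the number that actually measures new activity; the raw victim count on the DLS, as the article observes, can be inflated by re-listing.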
LOCKBIT 5.0 RESPONSE
Soon after the exposure of the real IP, the group was frustrated and displayed the following message:
Of course, they are not happy about my finding! 🙂
They also displayed a comic horror GIF on their exposed clear web domain too!
LOCKBIT 5.0 DATA LEAK: VIA TORRENT
On 18th December 2025, LockBit 5.0 began leaking the listed victims via the torrent network. It is notable that the group made use of the same network peers via P2P sharing.
LockBit continues to serve the data leaks via the same servers which were active a couple of months back! All the IPs recorded are from Russia 🇷🇺
Interestingly, the Cl0p ransomware group also makes use of the same network for their data leaks (via torrent). Out of the 9 above-mentioned IPs, 5 overlap with the Clop ransomware 0-day EBS data leak batch. This strongly suggests that a shared torrent network is in use among ransomware groups.
Based on the repeated torrent (P2P) seeds, it can be confirmed that ASN 216158 (Teleport Rus LLC) is a major player in hosting the group's data leaks.
LOCKBIT ANNOUNCED NEW TOR DOMAINS FOR TORRENT
The LockBit ransomware group creates several TOR Onion domains for serving victim data leaks, as the leaks are large and often impossible to download in a single go.
This is a trend that has been active since LockBit 3.0, where the group creates 10 vanity TOR Onion domains with the keyword “lockbit” to serve the victim breaches via torrent downloads.
Following is the set of Onions created by the LockBit 5.0 group to channel data breaches:-
Torrent Onion Domains of LockBit 5.0
The same modus operandi was spotted in April 2024, when the LockBit group was running the LockBit 3.0 version.
2023 vs 2025: LockBit TOR Onion Domains
A batch of 10 TOR Onion domains is created to share the leaks. In 2025, we found 2 batches of torrent domains created by the group.
Here is the list of TOR Onion domains created exclusively for the torrent (P2P) share network:
Here, we noticed the group is aggressively using various methods to leak the data in a customizable manner; the user is free to choose the method for obtaining the data.
PANEL INFILTRATION
On 14th January 2026, security researcher Matthew Maynard was able to access the LockBit 5 panel.
While inspecting the panel, the following information was found:
LockBit 5 RaaS Panel
Here, it is evident that the group maintains 4 LockBit variants, namely ChuongDong, Black, Linux and ESXi.
Additionally, a chat ID is also present to generate a chat with victims as well as the admin.
Another researcher, Arda Büyükkaya, managed to obtain the panel and generate a few LockBit 5 samples on the fly.
Screenshot of Chat panel
Some of the samples generated from the ChuongDong variant:
Sample Batch #1
Here is another set of samples generated from the LB Linux variant: