Luca Stivali : 13 September 2025 09:46
A déjà vu with new implications. In May 2025, the LockBit ransomware collective suffered a severe blow: the defacement of the affiliate panel of version 4.0 by an unknown actor signing themselves “XOXO from Prague”, accompanied by the leak of an SQL database containing chats, wallets, and affiliate data.
At that time, LockBitSupp had even offered a reward to anyone who provided information about the author. Over the past 24 hours, the scene has repeated itself, but with a significant twist: this time, not just a public defacement, but an internal compromise of the 5.0 build panel.
The leaked screenshots show the Linux builder with several fields altered by XOXO from Prague.
A clear sign of sabotage: it not only damages the group's public image, but also demonstrates how vulnerable the operational infrastructure of the new RaaS platform remains.
This technical compromise further undermines the credibility of LockBit, which after the defacement in May had promised greater security with version 5.0. For affiliates, the episode represents a direct risk: the builder itself, the heart of operations, is no longer reliable.
The actor remains unknown, but has now consolidated their profile as a serial saboteur of LockBit. After exposing the group with a public defacement, they have now demonstrated their ability to manipulate the platform’s internal logic. A reaction from LockBitSupp is expected soon, perhaps with new threats or an additional bounty.
LockBit is dealing with a second open wound in just a few months: from the May defacement to the September compromise, the “XOXO from Prague” brand is becoming synonymous with instability and ridicule for the ransomware group.
A blow that not only damages its reputation but could undermine affiliates’ trust in the entire RaaS ecosystem.