LockBit represents one of the longest-running and most structured ransomware gangs of recent years, with a Ransomware-as-a-Service (RaaS) model that has profoundly impacted the criminal ecosystem.
Following the international Operation Cronos, conducted in February 2024, which led to the seizure of much of the group's infrastructure and the compromise of its affiliate management panels, the group seemed destined for irreversible decline. However, in recent weeks, new evidence on the onion network has been fueling speculation of a resurrection of the LockBit brand, under the name LockBit 5.0.
Brief history of the group
2019 – Appearance of the first LockBit variants, characterized by automated rapid propagation in Windows environments and advanced encryption techniques.
2020-2021 – Consolidation of the RaaS model and strong expansion in the cybercrime scene; introduction of data leak sites as a double extortion tool.
2022 – LockBit becomes one of the most active groups globally, releasing versions LockBit 2.0 and 3.0, with implementations in multiple languages and cross-platform payloads.
2023 – Further diversification with payloads in Go and for Linux, and campaigns targeting supply chains and critical sectors.
2024 (Operation Cronos) – Coordinated by Europol and the FBI, the operation leads to the seizure of over 30 servers, onion domains and internal tools. For the first time, a public decryptor is deployed on a large scale.
Recent evidence
Analysis of the group's underground site reveals a portal, accessible via the onion network and branded LockBit 5.0, which adopts the same queue panel scheme already observed in previous versions of the group. The interface features logos associated with Monero (XMR), Bitcoin (BTC), and Zcash (ZEC) as payment methods, indicating that the extortion model remains focused on highly anonymous cryptocurrencies.
The message “You have been placed in a queue, awaiting forwarding to the platform” recalls the classic mechanisms of LockBit affiliate panels, where the user (or affiliate) is routed to the operational backend.
Technical analysis and possible scenarios
The appearance of LockBit 5.0 can be interpreted according to three main scenarios:
Attempted Real Resurrection: A portion of the core team not affected by Operation Cronos may have rebuilt a reduced infrastructure, aiming to recruit new affiliates.
Honeypot Operation: The possibility that this is a decoy created by researchers or law enforcement to monitor traffic and identify surviving affiliates has not been ruled out.
Opportunistic Rebranding: Third-party actors, taking advantage of the LockBit “brand,” could reuse it to gain immediate visibility and authority in the underground scene.
Conclusions
Although there is currently no concrete evidence of new compromises linked to LockBit 5.0, the presence of an officially branded onion portal fuels speculation about a possible resurgence of the group. It will be crucial to monitor:
any new intrusion campaigns with TTPs linked to LockBit’s past,
active leak sites with victims published,
signs of recruitment on the dark web.
This incident once again demonstrates the resilience and adaptability of cyber gangs, which often manage to regenerate even after law enforcement operations with global reach.
Pietro Melillo is Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia. He was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, and carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D. He is an author of scientific papers and a developer of tools to support cybersecurity activities.
Leads the CTI Team "RHC DarkLab"