Cyber Incident Victim: PayBito
Date: Feb 2022
Location: United States of America
Summary
The LockBit ransomware gang breached PayBito, a cryptocurrency exchange operated by HashCash, stealing databases containing personal information from over 100,000 global customers, including email addresses and password hashes allegedly protected by weak algorithms. The attackers also compromised administrative personnel data and threatened to release the stolen information unless a ransom was paid, leveraging their established extortion tactics as a ransomware-as-a-service operation known for avoiding systems using Eastern European languages. This incident followed broader law enforcement alerts about LockBit's evolving techniques.
Description
On February 5, 2022, the LockBit ransomware gang publicly claimed responsibility for a cyberattack against PayBito, a cryptocurrency exchange platform operated by HashCash Consultants. The group listed PayBito on its Tor-based leak site, announcing the theft of sensitive data from the exchange’s systems. According to LockBit’s post, the compromised data included personal information from over 100,000 PayBito customers worldwide, with a significant portion of users based in the United States. The attackers also exfiltrated email addresses and password hashes, which they asserted could be cracked because PayBito used a weak hashing algorithm. Additionally, administrative credentials and personal details of PayBito’s administrators were stolen. LockBit issued a ransom ultimatum, threatening to publish the entire dataset on February 21, 2022, unless PayBito paid an unspecified ransom. The gang offered the stolen data for sale via the Tox messaging platform, targeting potential buyers interested in exploiting the compromised credentials and personal information.

LockBit, active since September 2019, had rebranded its operations as LockBit 2.0 in June 2021 and operated under a ransomware-as-a-service (RaaS) model. The group employed tactics consistent with other ransomware operators, including language-based targeting that excluded systems using Eastern European languages. Following the banning of ransomware advertisements on prominent hacking forums, LockBit established its own dedicated leak site to promote its affiliate program and host stolen data. The incident occurred amid heightened law enforcement scrutiny of LockBit’s activities, with the FBI releasing a flash alert containing technical indicators of compromise related to the gang’s operations shortly before the PayBito disclosure. No public statements from PayBito or HashCash regarding incident response, containment measures, or ransom negotiations were referenced in the available source material.
