DarkVault’s slip-up exposes link to LockBit

DarkVault has since erased any traces of LockBit from its blog, indicating a quick response by the gang.

Security researcher Dominic Alvieri uncovered striking similarities between parts of DarkVault’s site and LockBit’s branding, which suggest that the gangs are linked. DarkVault’s mirror sites closely resemble LockBit’s dark leak site, down to the font, colours, and even the ransom demand countdown clock.

However, after Alvieri shared his revelation on X, any traces of LockBit on DarkVault’s blog mysteriously vanished, suggesting a hasty correction by the gang.

Despite the completion of DarkVault’s ransomware blog layout, it remains devoid of any victims. DarkVault describes itself as an exclusive online community dedicated to exploring technology, privacy, and security. Its founders, ‘Neroces’ and ‘criminaldo.’, are listed on the contact page.

The blog hints at DarkVault’s potential expansion into new services, including ‘Doxes, BlackHat Services, and Pwned Sites.’ While most pages remain empty, the BlackHat Services category lists a range of illegal activities and financial frauds. This includes defacing websites, bank check templates, cookie logins, and spamming, alongside more sinister actions like bomb threats, drug recipes, account brute-forcing, and malware creation. Ironically, the blog’s artwork features a cat atop a vault amidst ongoing tensions between LockBit and rival ransomware gang ALPHV/BlackCat.

Both LockBit and ALPHV occupy top spots in the ransomware crime hierarchy, with strong ties to Russia’s cyber underworld. Together, they have carried out over 1,400 attacks globally. According to Cybernews’ Ransomlooker, LockBit accounted for 47% of all publicly announced ransomware victims in the past year.