The FLINT Report: May 28 | Inside the LockBit Leak, Uncovering the DPRK's Remote IT Worker Scheme, and What to Expect from the EUVD
Inside the LockBit Leak: Rare Insights Into Their Operations
The notorious LockBit ransomware operation suffered a major setback on May 7, 2025, when unknown attackers breached and defaced their affiliate login panels. The defacement included a pointed message, “Don’t do Crime CRIME IS BAD xoxo from Prague.” However, the bigger setback came when the attackers leaked an SQL database containing multiple tables and datasets from LockBit’s administrative panel, an interface used by affiliates and administrators to manage ransomware activities.
Now, with the tables turned, the data breach offers an unprecedented look into one of the most prolific ransomware operations of the last decade. The leaked data exposes key elements of LockBit’s internal infrastructure, including details about its affiliates, victim organizations, ransom demands, and private communications, offering new visibility into the group’s operations.
Flashpoint Investigation: Uncovering the DPRK’s Remote IT Worker Fraud Scheme
On December 12, 2024, the U.S. Department of Justice indicted fourteen North Korean nationals for infiltrating U.S.-based companies and nonprofits by using stolen identities to obtain remote IT jobs. Over the past six years, this operation has funneled at least $88 million to the North Korean government (DPRK). Since the scheme was exposed, organizations across the Fortune 500, tech, and cryptocurrency sectors have uncovered additional covert DPRK operatives siphoning off funds, intellectual property, and sensitive information.
Drawing on Flashpoint’s extensive intelligence collection, our analysts launched an investigation into the scheme—one that revealed the specific tactics, techniques, and procedures (TTPs) these threat actors use to operate under the radar. The breakthrough? Leveraging malware infections that had targeted the actors themselves, our team accessed internal communications that offered rare insight into their methods and motivations.
What to Expect from the EUVD: Addressing Key Questions and Its Place in the Vulnerability Intelligence Ecosystem
The European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD)—a publicly accessible repository marking Europe’s strategic push toward greater independence in vulnerability intelligence (VI).
This move follows growing instability around the Common Vulnerabilities and Exposures (CVE) program, which recently received only a short-term contract extension through March 2026, sparking widespread concern over its long-term sustainability.
In today’s fast-moving threat landscape, organizations can no longer rely solely on centralized, delayed, and constrained systems like CVE and the National Vulnerability Database (NVD). The EUVD raises a critical question: Can it offer the real-time, independent, and resilient VI the cybersecurity industry needs?
In our latest post, we break down the key takeaways, challenges, and potential impacts of the EUVD, answering the most pressing questions about how this development fits into the future of global vulnerability intelligence.
Get to Know Flashpoint
We hope you’re enjoying The FLINT Report! This newsletter is created by Flashpoint, a risk intelligence company headquartered in Washington, D.C. Our mission is to deliver timely, actionable intelligence to organizations in the public and private sectors, and help them protect their most critical assets, infrastructure, and stakeholders from a wide range of cyber and physical security risks. Visit flashpoint.io to learn more.
Flashpoint, thanks for sharing this in-depth investigation about North Korean fake workers. Organizations must realize that this is a huge threat, and almost any industry can be a target. This is not just one out of a thousand applicants. They are applying in mass to increase their chances of success. IMO, organizations fail to stop this risk because they think it is a technology or security risk, but it is a business risk. The HR groups must realize they have a bigger role to play here to enhance the recruiting and background-checking processes to implement effective controls that can trigger alert or detection signals at every step.