By Staff Writer at LMG Security   /   Sep 3rd, 2025

When Hackers Get Hacked: Lessons From Underground Betrayals

Hackers like to cultivate an aura of invincibility. Movies depict them as masterminds who slip through digital defenses at will. But in reality, cybercriminals stumble in all the same ways enterprises do — bad passwords, insider betrayal, unpatched software, even simple arrogance. And when hackers get hacked, the fallout can be spectacular.

From North Korea’s state-backed espionage teams to ransomware giants like Conti and LockBit, recent years have seen high-profile breaches that turned the tables on attackers. For defenders, these betrayals and leaks aren’t just hacker soap operas — they’re intelligence goldmines that reveal how adversaries really operate.

Hackers Aren’t Invincible

One of the most striking revelations from hacker-on-hacker incidents is how ordinary the mistakes are.

Take the Conti ransomware leaks. The group’s downfall didn’t hinge on one betrayal, but on two separate waves of exposure. In 2022, after Conti declared support for Russia’s invasion of Ukraine, insiders leaked over 60,000 internal chat messages, along with source code and playbooks. The documents showed Conti operating like a corporate enterprise — complete with HR, management hierarchies, and explicit instructions for affiliates to search victim networks for cyber insurance policies, evidence that ransom demands were calculated against what a victim could pay rather than guessed.

Then in 2025, a whistleblower calling themselves “GangExposed” raised the stakes, publicly outing Conti’s leadership by name and role. What began as operational leaks escalated into real-world identification—stripping away the veil of anonymity that cybercriminal groups rely on.

“Hackers are not invincible… they do have vulnerabilities themselves,” stated Sherri Davidoff, founder of LMG Security.

For defenders, the lesson is clear: don’t mythologize adversaries. They’re fallible operators who face insider threats, reuse infrastructure, and overlook patches just like everyone else.

From Conti to LockBit: Recycled Tools, Familiar Mistakes

Conti’s collapse didn’t just weaken one gang, it reshaped the ransomware ecosystem. When the group’s ransomware builder source code leaked in 2022, rivals wasted no time repurposing it. LockBit, eager to recruit disaffected Conti affiliates, rolled out “LockBit Green,” a strain built directly on Conti’s leaked software.

But LockBit soon discovered that borrowed tools come with baggage. In 2025, its affiliate management panel was hacked through a PHP vulnerability, exposing internal negotiations, payment records, and campaign-building tools. For a group that marketed itself as the “world’s fastest ransomware,” the breach was a humiliating reminder that even cybercriminal platforms are riddled with vulnerabilities.

For defenders, this demonstrates that attackers’ infrastructure is as fragile as yours. Studying their leaks reveals the same security gaps enterprises face: unpatched software, misconfigured servers, and insider risks.

The Royal vs. LockBit Feud: Hacker Drama With Real Consequences

The underground isn’t just a marketplace — it’s a battleground of egos. Case in point: the feud between LockBit and Royal, a group believed to be a Conti offshoot. When rival operators clashed on underground forums, the fight escalated into full-blown doxxing—with personal details, photos, and even passport numbers of senior members exposed.

These disputes aren’t just gossip. They create intelligence opportunities for defenders and law enforcement, providing unprecedented visibility into leadership structures and operational tactics. As one industry analyst put it, ransomware rivalries have become a “cybersecurity soap opera” — but one with real-world impact.

North Korea’s 9-to-5 Hackers

Sometimes, hacker leaks reach the level of geopolitics. At DEF CON 2025, hackers “Saber” and “Cyborg” revealed a breach of Kimsuky, a North Korean espionage group. The 8.9GB dump exposed phishing tools, Linux infrastructure, and even the regimented 9-to-5 work schedules of its operatives.

The leak was a rare glimpse into nation-state operations — and a gift to defenders. Security vendors quickly integrated the leaked indicators of compromise (IOCs) into threat feeds, helping organizations worldwide harden defenses. “It’s very rare for us to get this window into the operations of a nation-state actor,” Davidoff noted.

The message is clear: even state-sponsored adversaries can be exposed — and defenders should capitalize on every leak to strengthen detection and response.
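To show what “capitalize on every leak” looks like in practice, here is an added example written for this article (it is not code from the Kimsuky dump, from LMG, or from any vendor feed). It takes a short indicator list in the defanged form feeds usually publish (hxxp, [.]), refangs it, and runs it over a few constructed proxy log lines. The indicators, hostnames and addresses are placeholders (.example names and RFC 5737 ranges), not real Kimsuky infrastructure, and the feed and log formats are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator list in the shape vendors publish after a leak: one
# "type,value" per line, defanged (hxxp, [.]) so nobody clicks them by accident.
# The values are .example names and RFC 5737 ranges, not real infrastructure.
LEAKED_IOCS = """\
# type,value
domain,mail-auth[.]example
domain,update.secure-login[.]example
ip,203.0.113.45
cidr,198.51.100.0/24
url,hxxp://docs-share[.]example/login.php
"""

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>".
PROXY_LOG = [
    "2025-09-01T08:02:11Z 10.0.5.21 GET http://intranet.corp.example/news",
    "2025-09-01T08:03:45Z 10.0.5.21 GET http://cdn.mail-auth.example/js/app.js",
    "2025-09-01T08:04:02Z 10.0.7.9 POST http://docs-share.example/login.php",
    "2025-09-01T08:05:30Z 10.0.7.9 GET http://198.51.100.77/update.bin",
    "2025-09-01T08:06:12Z 10.0.9.3 GET http://notmail-auth.example/",
    "2025-09-01T08:07:00Z 10.0.9.3 GET http://203.0.113.45:8080/c2",
]


def refang(value):
    """Undo the defanging conventions used in published IOC lists."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def load_iocs(text):
    """Parse the feed into typed indicators, normalising each for matching."""
    iocs = {"domain": set(), "ip": set(), "cidr": [], "url": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        kind, value = (p.strip() for p in line.split(",", 1))
        value = refang(value).lower()
        if kind == "domain":
            iocs["domain"].add(value)
        elif kind == "ip":
            iocs["ip"].add(str(ipaddress.ip_address(value)))
        elif kind == "cidr":
            iocs["cidr"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "url":
            u = urlsplit(value)
            iocs["url"].add((u.hostname, u.path or "/"))
    return iocs


def match_host(host, iocs):
    """Return (type, indicator) for a host, or None.

    Domains match the exact name or any subdomain (cdn.mail-auth.example hits,
    notmail-auth.example does not); IPs match exactly or inside a listed CIDR.
    """
    host = host.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        for d in iocs["domain"]:
            if host == d or host.endswith("." + d):
                return ("domain", d)
        return None
    if str(addr) in iocs["ip"]:
        return ("ip", str(addr))
    for net in iocs["cidr"]:
        if addr in net:
            return ("cidr", str(net))
    return None


def scan_proxy_log(lines, iocs):
    """Return (client_ip, ioc_type, indicator) for every log line that hits."""
    hits = []
    for line in lines:
        _ts, client, _method, url = line.split(maxsplit=3)
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if (host, u.path or "/") in iocs["url"]:
            hits.append((client, "url", host + (u.path or "/")))
            continue
        m = match_host(host, iocs)
        if m:
            hits.append((client, m[0], m[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, load_iocs(LEAKED_IOCS)):
        print("%-12s %-6s %s" % hit)
```

Two details matter more than the matching itself: refang before you compare, because a defanged indicator never matches live traffic, and match domains on a dot boundary, so that a lookalike such as notmail-auth.example does not light up as a subdomain of mail-auth.example. In production this logic lives in the SIEM or proxy, fed from the threat feed, rather than in a script over a list.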

What Defenders Can Learn

So what can CISOs, risk managers, and IT leaders take away from hacker betrayals?

  1. Don’t mythologize adversaries. State actors and ransomware gangs are fallible. Design defenses to exploit their mistakes.
  2. Invest in visibility. Many hacker exposures happened because attackers reused credentials, tools, or infrastructure—the same patterns defenders can detect if monitoring is strong. Monitor your attack surface and logs.
  3. Watch for insider threats. Just as insiders crippled Conti, disgruntled employees or contractors can compromise enterprises. Proactively monitor for early warning signs. Read our blog on insider threat detection for more actionable advice.
  4. Use leaks for training. Incorporate intelligence from hackers’ leaked playbooks, tools, and chat logs into tabletop exercises to sharpen staff skills.
  5. Adapt your IR playbooks. Update your incident response plans based on real-world adversary tactics. For example, if attackers are searching for insurance files, secure yours.
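As an added illustration of points 2 and 5, written for this article rather than taken from LMG tooling or from the Conti leaks, the example below runs a simple detection over constructed file-access audit events. It flags an account that opens several insurance-related documents within a short window, which is the behaviour the leaked Conti playbooks told affiliates to carry out. The event field names, keyword list, window and threshold are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filename terms for the documents the leaked Conti playbooks told affiliates
# to hunt for (cyber insurance policies), plus obvious variants. Tune per org.
INSURANCE_TERMS = re.compile(r"insurance|cyber.?policy|coverage|underwrit|premium",
                             re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # burst window (assumed)
THRESHOLD = 3                    # matching files per user inside the window (assumed)

# Constructed file-access audit events shaped like Windows Security event 4663
# (object access) after export to JSON; not real telemetry.
AUDIT_EVENTS = [
    {"ts": "2025-09-01T02:10:05", "user": "CORP\\svc-backup",
     "path": r"\\FS01\Finance\2025\cyber_insurance_policy.pdf"},
    {"ts": "2025-09-01T02:10:09", "user": "CORP\\svc-backup",
     "path": r"\\FS01\Finance\2025\Insurance_Coverage_Summary.xlsx"},
    {"ts": "2025-09-01T02:11:30", "user": "CORP\\svc-backup",
     "path": r"\\FS01\Legal\contracts\renewal_premium_2025.docx"},
    {"ts": "2025-09-01T02:12:00", "user": "CORP\\svc-backup",
     "path": r"\\FS01\HR\handbook.pdf"},
    {"ts": "2025-09-01T09:15:00", "user": "CORP\\jdoe",
     "path": r"\\FS01\Finance\2025\cyber_insurance_policy.pdf"},
    {"ts": "2025-09-01T14:20:00", "user": "CORP\\jdoe",
     "path": r"\\FS01\Finance\2025\Insurance_Coverage_Summary.xlsx"},
    {"ts": "2025-09-01T14:21:00", "user": "CORP\\jdoe",
     "path": r"\\FS01\Finance\2025\insurance_claims_log.xlsx"},
]


def detect_insurance_hunting(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one account opens >= threshold insurance-related files inside
    one window. A user reading the policy once, or twice hours apart, stays
    below the line; a 2 a.m. sweep across shares by a service account does not."""
    by_user = defaultdict(list)
    for e in events:
        filename = e["path"].rsplit("\\", 1)[-1]      # match on the file name only
        if INSURANCE_TERMS.search(filename):
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["path"]))

    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for i, (ts, _path) in enumerate(hits):
            while ts - hits[start][0] > window:       # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                burst = hits[start:i + 1]
                alerts.append({
                    "user": user,
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                    "files": [p for _, p in burst],
                })
                start = i + 1                         # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_insurance_hunting(AUDIT_EVENTS):
        print(a["user"], a["first"], "->", a["last"])
        for f in a["files"]:
            print("   ", f)
```

This only works if object-access auditing is actually enabled on the shares holding the documents, which is the “invest in visibility” half of the advice; the detection half is the burst rule, which separates an analyst reading the policy from an intruder enumerating it. Pair it with the obvious preventive step from point 5: keep the policy off broadly readable shares in the first place.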

The Cyber Privateer Question

Meanwhile, policymakers are asking whether defenders should go on the offensive. Congress is debating whether to revive “letters of marque”—licenses that would authorize private hackers to strike back at foreign adversaries.

But hack-back carries enormous risks. As Davidoff cautioned during a recent Cyberside Chats on this topic, escalation could easily spill into civilian infrastructure: “The more we start hacking each other and it becomes lawless, the more legitimate organizations are just hit with the shrapnel.”

For now, organizations are best served by focusing on defense, not retaliation.

Conclusion: Learn From the Leaks

Hackers thrive on secrecy, but betrayal and exposure are constants in the underground. Each leak—from Conti’s playbooks to Kimsuky’s phishing servers—is an opportunity for defenders to adapt. By studying adversary mistakes and incorporating their tactics into training and incident response, organizations can turn hacker missteps into defensive strength.

At LMG Security, we help organizations translate intelligence into action, from tabletop exercises that simulate real-world adversary tactics to penetration testing that mirrors today’s most advanced attacks. Contact us for a risk assessment, technical testing, training, and other cybersecurity services, and we’ll ensure your team is ready for whatever comes next.


About the Author

LMG Security Staff Writer