LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak

Key LockBit 5.0 infrastructure has been exposed, revealing the IP address 205.185.116.233 and the domain karma0.xyz, which is hosting the ransomware group’s latest leak site.

According to researcher Rakesh Krishnan, the server is hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, and displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations.

Scans reveal multiple open ports on 205.185.116.233, including vulnerable remote access services, exposing the server to potential disruption. RDP on port 3389 stands out as a high-risk vector, potentially allowing unauthorized access to the Windows host.

LockBit 5.0, which emerged around September 2025, supports Windows, Linux, and ESXi, features randomized file extensions, geolocation-based evasion (skipping Russian systems), and accelerated encryption via XChaCha20.

To read the complete article see: LockBit 5.0 Infrastructure Exposed

This post is licensed under CC BY 4.0 by the author.