nationalcrimeagency.gov.uk 16 August 2025 - The National Crime Agency leads the UK's fight to cut serious and organised crime.
A cyber criminal who hacked into the websites of organisations in North America, Yemen and Israel and stole the log in details of millions of people has been jailed.
Al Tahery AL MASHRIKYAl-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was arrested by specialist National Crime Agency cybercrime officers in August 2022, who were acting on intelligence supplied by US law enforcement around the activities of extremist hacker groups ‘Spider Team’ and ‘Yemen Cyber Army.
NCA investigators were able to link Al-Mashriky to the Yemen Cyber Army through social media and email accounts.
Forensic analysis of his laptop and several mobile phones showed that Al-Mashriky had infiltrated a number of websites including the Yemen Ministry of Foreign Affairs, the Yemen Ministry of Security Media and an Israeli news outlet.
His offending centred around gaining unauthorised access to the websites, then creating hidden webpages containing his online monikers and messaging that furthered his religious and political ideology.
He would often target websites with low security, gaining kudos in the hacking community for the sheer number of infiltrations.
Using one of his many online aliases, Al-Mashriky claimed on one cybercrime forum that he had hacked in to over 3,000 websites during a three month period in 2022.
However, a review of his seized laptop by NCA Digital Forensic Officers revealed the extent of his cyber offending. He was in possession of personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal, which could be used for further acts of cybercrime.
Investigators found that in February 2022, after hacking into the website for Israeli Live News he accessed admin pages and downloaded the entire website. He had also hacked into two Yemeni government websites, deploying tools to scan for usernames and vulnerabilities.
Al-Mashriky was also found to have targeted faith websites in Canada and the USA as well as the website for the California State Water Board.
The NCA, working with international law enforcement partners, was able to obtain accounts from the victims of these intrusions, who gave detailed insights into the significant cost and inconvenience he had caused.Al-Mashriky was due to stand trial at Sheffield Crown Court in March this year for 10 offences under the Computer Misuse Act.
However, on 17 March he pleaded guilty to nine offences and was sentenced to 20 months imprisonment at the same court yesterday (15 August).
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Al-Mashriky’s attacks crippled the websites targeted, causing significant disruption to their users and the organisations, just so that he could push the political and ideological views of the ‘Yemen Cyber Army’.
“He had also stolen personal data that could have enabled him to target and defraud millions of people.
“Cybercrime can often appear faceless, with the belief that perpetrators hide in the shadows and can avoid detection. However, as this investigation shows, the NCA has the technical capability to pursue and identify offenders like Al-Mashriky and bring them to justice.”
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."
LockBit dark web site defaced with link to database
As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.
From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:
A 'btc_addresses' table that contains 59,975 unique bitcoin addresses.
A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.
A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.
A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.
Affiliate panel 'chats' table
Affiliate panel 'chats' table
A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'.
In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.
Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025.
It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
