Mallory

Operation Leak Takedown of LeakBase Cybercriminal Forum

cybercrime forum, domain seizure, stolen databases, dns takeover, takedown, credential theft, compromised credentials, ip logs, law enforcement, arrests, seizure banner, fbi, critical infrastructure
Updated March 6, 2026 at 01:00 PM (14 sources)

The FBI, working with European and other international law enforcement partners, seized and dismantled the LeakBase cybercriminal forum and marketplace in a coordinated action dubbed “Operation Leak.” LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including compromised credentials, PII, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially critical infrastructure.

Authorities redirected LeakBase domains (including leakbase[.]ws and leakbase[.]la) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., ns1.fbi.seized.gov, ns2.fbi.seized.gov). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and IP logs. The operation reportedly included 100 law enforcement actions against 45 targets across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including 13 arrests, 32 searches, and interviews with 33 suspects; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via FBI-SU-Leakbase@fbi.gov.

Related Stories

International Law Enforcement Takedown of LeakBase Cybercrime Marketplace

An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.

1 week ago

Law Enforcement Seizure of BreachForums Used for Salesforce Extortion

U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data.

ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations.

The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.

5 months ago

FBI Seizure of the RAMP Cybercrime Forum

U.S. law enforcement has **seized the RAMP cybercrime forum**, a long-running hub used to advertise and facilitate ransomware operations, malware distribution, and other illicit services. Both the forum’s Tor presence and clearnet domain (reported as `ramp4u[.]io`) were replaced with an FBI seizure banner indicating coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section; the forum’s administrator reportedly acknowledged the takedown publicly on the XSS forum. Reporting notes RAMP emerged as a dedicated venue for ransomware promotion after other major forums restricted such activity, and that criminal communities are already attempting to migrate to alternative platforms. Separate reporting also highlighted other cybercrime enforcement actions (including indictments tied to **Ploutus**-based ATM jackpotting and other marketplace disruptions), but those are distinct from the RAMP seizure. A different, unrelated incident involved a **supply-chain compromise of eScan antivirus** update infrastructure in which attackers briefly pushed a backdoor via a trojanized `Reload.exe` that altered update settings, established persistence via a scheduled task, and contacted a C2 to retrieve additional payloads; this event is not connected to the RAMP takedown and should be tracked independently as a vendor update-channel compromise affecting customer environments.

1 month ago
