Operation Leak Takedown of LeakBase Cybercriminal Forum
The FBI, working with European and other international law enforcement partners, seized and dismantled the LeakBase cybercriminal forum and marketplace in a coordinated action dubbed “Operation Leak.” LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including compromised credentials, PII, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially critical infrastructure.
Authorities redirected LeakBase domains (including leakbase[.]ws and leakbase[.]la) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., ns1.fbi.seized.gov, ns2.fbi.seized.gov). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and IP logs. The operation reportedly included 100 law enforcement actions against 45 targets across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including 13 arrests, 32 searches, and interviews with 33 suspects; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via FBI-SU-Leakbase@fbi.gov.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Russian police reportedly arrest alleged LeakBase owner
According to TASS, Russian police arrested the alleged administrator and creator of LeakBase after the forum's international takedown. Europol said it did not cooperate with Russian authorities and was not involved in the reported arrest.
Investigators solicit tips and begin prevention phase
After the seizure, authorities urged former users and people with information about LeakBase administrators to contact the FBI, while Europol said the case was moving into a prevention phase. Officials also warned that users migrating to other platforms could still be identified through seized data.
Operation Leak is publicly announced by DOJ, FBI, and Europol
On March 4, 2026, U.S. and European authorities publicly announced the dismantling of LeakBase under the name Operation Leak. They said the action was carried out under German and U.S. court orders and coordinated from Europol's headquarters in The Hague.
Authorities seize LeakBase domains and preserve forum data
On March 4, 2026, law enforcement technically disrupted LeakBase by seizing its domains, redirecting them to FBI-controlled infrastructure, and replacing the site with a seizure notice. Investigators said they secured the forum's database, user accounts, posts, private messages, payment details, and IP logs for evidentiary use.
Global enforcement actions target LeakBase users
On March 3, 2026, authorities in 14 countries launched coordinated enforcement actions against LeakBase and its most active users, including arrests, house searches, interviews, and knock-and-talk interventions. Reports describe about 100 actions worldwide, including measures against 37 high-activity users and more than 13 arrests.
Authorities record LeakBase's scale by December 2025
By December 2025, investigators said LeakBase had more than 142,000 registered members, roughly 32,000 posts, and over 215,000 private messages. These figures helped establish the forum's scale before the takedown.
Dutch investigation into LeakBase starts and expands internationally
According to Amsterdam police, the investigation into LeakBase began in the Netherlands in 2023 and was quickly broadened into an international effort. German investigators joined, the FBI worked closely with Dutch authorities, and Europol coordinated the wider operation.
LeakBase cybercrime forum begins operating
LeakBase, an English-language open-web forum and marketplace for stolen databases, stealer logs, credentials, and hacking tools, became active in 2021. It later grew into one of the larger cybercrime forums, with more than 142,000 registered users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
22 references tracked. Mallory keeps watching after this page renders.
March 2026 Dark Web Issue Trends Report - ASEC
asec.ahnlab.com
Open sourceLeakBase's "Chucky" detained in Russia - DataBreaches.Net
databreaches.net
Open sourceLeakBase Hacker Forum Admin Arrested in Russia by Law Enforcement Authorities
cybersecuritynews.com
Open sourceRussia arrests alleged admin of LeakBase cybercrime forum | brief | SC Media
scworld.com
Open sourceSprawling FBI, European operation takes down Leakbase cybercriminal forum | The Record from Recorded Future News
therecord.media
Open sourceUS and EU police shut down LeakBase, a site accused of sharing stolen passwords and hacking tools | TechCrunch
techcrunch.com
Open sourceMajor data leak forum dismantled in global action against cybercrime forum - LeakBase had over 142 000 registered users, now under investigation by law enforcement | Europol
europol.europa.eu
Open sourceLeakBase seized, arrests made as part of global action - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
Mar 21, 2026
Law Enforcement Disrupts BreachForums and Targets Its Administrators
BreachForums, a cybercrime forum widely used to trade and leak stolen data, faced repeated disruption after administrators said they would shut it down over fears of law-enforcement infiltration. The closure concerns emerged after pressure on the forum's operators, underscoring growing operational risk for one of the most prominent marketplaces tied to breached databases and criminal data sales. Authorities later escalated that pressure by seizing BreachForums infrastructure in an FBI-led action, and subsequent reporting said French police arrested five alleged administrators linked to the site. The combined actions marked a sustained international crackdown on the forum's operators and supporting infrastructure, disrupting a major venue used by threat actors to advertise, sell, and publish compromised information.
May 25, 2026
Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data. ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations. The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
Mar 21, 2026