Mallory

International Law Enforcement Takedown of LeakBase Cybercrime Marketplace

Tags: cybercrime marketplace, domain seizure, takedown, law enforcement, Europol, exploits trading, stolen data, search warrants, hacking services, phishing-as-a-service, FBI, ransomware, arrests, forum seizure, extortion
Updated March 6, 2026 at 05:06 PM · 2 sources


An international law-enforcement operation involving the FBI, Europol, and authorities across 14 countries seized infrastructure used by LeakBase, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts.

Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the Tycoon2FA phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the Phobos ransomware operation, a newly documented China-linked espionage cluster (CL-UNK-1068) targeting critical sectors in Asia, an unverified ShinyHunters extortion claim against Woflow, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from Sicarii to BQTLock. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.

Related Stories

Operation Leak Takedown of LeakBase Cybercriminal Forum

The **FBI**, working with European and other international law enforcement partners, seized and dismantled the **LeakBase** cybercriminal forum and marketplace in a coordinated action dubbed **“Operation Leak.”** LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including **compromised credentials**, **PII**, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially **critical infrastructure**. Authorities redirected LeakBase domains (including `leakbase[.]ws` and `leakbase[.]la`) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., `ns1.fbi.seized.gov`, `ns2.fbi.seized.gov`). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and **IP logs**. The operation reportedly included **100 law enforcement actions** against **45 targets** across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including **13 arrests**, **32 searches**, and interviews with **33 suspects**; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via `FBI-SU-Leakbase@fbi.gov`.

1 week ago
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects

International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.

3 weeks ago
FBI Seizure of the RAMP Cybercrime Forum

U.S. law enforcement has **seized the RAMP cybercrime forum**, a long-running hub used to advertise and facilitate ransomware operations, malware distribution, and other illicit services. Both the forum’s Tor presence and clearnet domain (reported as `ramp4u[.]io`) were replaced with an FBI seizure banner indicating coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section; the forum’s administrator reportedly acknowledged the takedown publicly on the XSS forum. Reporting notes RAMP emerged as a dedicated venue for ransomware promotion after other major forums restricted such activity, and that criminal communities are already attempting to migrate to alternative platforms. Separate reporting also highlighted other cybercrime enforcement actions (including indictments tied to **Ploutus**-based ATM jackpotting and other marketplace disruptions), but those are distinct from the RAMP seizure. A different, unrelated incident involved a **supply-chain compromise of eScan antivirus** update infrastructure in which attackers briefly pushed a backdoor via a trojanized `Reload.exe` that altered update settings, established persistence via a scheduled task, and contacted a C2 to retrieve additional payloads; this event is not connected to the RAMP takedown and should be tracked independently as a vendor update-channel compromise affecting customer environments.

1 month ago