International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the FBI, Europol, and authorities across 14 countries seized infrastructure used by LeakBase, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts.
Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the Tycoon2FA phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the Phobos ransomware operation, a newly documented China-linked espionage cluster (CL-UNK-1068) targeting critical sectors in Asia, an unverified ShinyHunters extortion claim against Woflow, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from Sicarii to BQTLock. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers observe spike in retaliatory hacktivist activity
Security researchers reported a surge in retaliatory hacktivist operations following U.S.-Israel strikes on Iran, with most activity involving DDoS attacks, data leaks, and service disruption. The reporting also noted concurrent threats including SMS phishing malware and alleged IRGC-linked targeting of regional energy and digital infrastructure.
Researchers disclose Coruna iOS exploit kit and PlasmaLoader activity
Researchers reported a previously unknown iOS exploit kit called Coruna, with multiple exploit chains affecting iOS 13 through iOS 17.2.1. They said it had been used in surveillance-vendor-linked activity, suspected Russian espionage watering holes, and financially motivated fake sites, followed by deployment of a loader named PlasmaLoader for data theft.
Phobos-linked operator Evgenii Ptitsyn pleads guilty
Russian national Evgenii Ptitsyn, identified as a key figure in the Phobos ransomware ecosystem, pleaded guilty to conspiracy to commit wire fraud. Authorities said the ransomware operation affected more than 1,000 victims and generated tens of millions of dollars in ransom payments.
Authorities disrupt Tycoon2FA phishing-as-a-service platform
A multinational law-enforcement effort led by Europol disrupted the Tycoon2FA phishing-as-a-service operation and seized hundreds of domains used for phishing and command-and-control. The action was reported alongside the LeakBase takedown as a separate operation.
Operation Leak dismantles LeakBase cybercrime forum
An international law-enforcement operation involving 14 countries took the LeakBase cybercrime marketplace/forum offline. Europol and partner agencies publicly described the action as part of Operation Leak.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Leak Takedown of LeakBase Cybercriminal Forum
The **FBI**, working with European and other international law enforcement partners, seized and dismantled the **LeakBase** cybercriminal forum and marketplace in a coordinated action dubbed **“Operation Leak.”** LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including **compromised credentials**, **PII**, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially **critical infrastructure**. Authorities redirected LeakBase domains (including `leakbase[.]ws` and `leakbase[.]la`) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., `ns1.fbi.seized.gov`, `ns2.fbi.seized.gov`). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and **IP logs**. The operation reportedly included **100 law enforcement actions** against **45 targets** across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including **13 arrests**, **32 searches**, and interviews with **33 suspects**; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via `FBI-SU-Leakbase@fbi.gov`.
Apr 13, 2026
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Mar 21, 2026
International Takedown Disrupts Phobos and 8Base Ransomware Networks
Authorities in a coordinated international operation arrested alleged key affiliates tied to the **Phobos** ransomware-as-a-service operation and the **8Base** extortion group, with enforcement actions reported across multiple jurisdictions including Thailand. The U.S. Department of Justice said Phobos affiliates were arrested as part of a broader disruption effort, while Europol described the suspects as central figures behind two of the most active ransomware threats targeting organizations worldwide. The crackdown also included the seizure of **8Base** infrastructure, including its leak site, dealing a visible blow to the group’s public extortion operations. Reporting from Europol and security outlets linked **8Base** closely to **Phobos**, indicating that investigators targeted both the malware supply chain and the actors using it to conduct intrusions, encrypt systems, and pressure victims into paying ransoms.
May 25, 2026