International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the FBI, Europol, and authorities across 14 countries seized infrastructure used by LeakBase, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts.
Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the Tycoon2FA phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the Phobos ransomware operation, a newly documented China-linked espionage cluster (CL-UNK-1068) targeting critical sectors in Asia, an unverified ShinyHunters extortion claim against Woflow, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from Sicarii to BQTLock. Those items do not materially change the core LeakBase takedown story, but they indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
Timeline
Mar 6, 2026
Researchers observe spike in retaliatory hacktivist activity
Security researchers reported a surge in retaliatory hacktivist operations following U.S.-Israel strikes on Iran, with most activity involving DDoS attacks, data leaks, and service disruption. The reporting also noted concurrent threats including SMS phishing malware and alleged IRGC-linked targeting of regional energy and digital infrastructure.
Mar 6, 2026
Researchers disclose Coruna iOS exploit kit and PlasmaLoader activity
Researchers reported a previously unknown iOS exploit kit called Coruna, with multiple exploit chains affecting iOS 13 through iOS 17.2.1. They said it had been used in surveillance-vendor-linked activity, suspected Russian espionage watering holes, and financially motivated fake sites, followed by deployment of a loader named PlasmaLoader for data theft.
Mar 6, 2026
Phobos-linked operator Evgenii Ptitsyn pleads guilty
Russian national Evgenii Ptitsyn, identified as a key figure in the Phobos ransomware ecosystem, pleaded guilty to conspiracy to commit wire fraud. Authorities said the ransomware operation affected more than 1,000 victims and generated tens of millions of dollars in ransom payments.
Mar 6, 2026
Authorities disrupt Tycoon2FA phishing-as-a-service platform
A multinational law-enforcement effort led by Europol disrupted the Tycoon2FA phishing-as-a-service operation and seized hundreds of domains used for phishing and command-and-control. The action was reported alongside the LeakBase takedown as a separate operation.
Mar 5, 2026
Operation Leak dismantles LeakBase cybercrime forum
An international law-enforcement operation involving 14 countries took the LeakBase cybercrime marketplace/forum offline. Europol and partner agencies publicly described the action as part of Operation Leak.
Related Stories

Operation Leak Takedown of LeakBase Cybercriminal Forum
The **FBI**, working with European and other international law enforcement partners, seized and dismantled the **LeakBase** cybercriminal forum and marketplace in a coordinated action dubbed **“Operation Leak.”** LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including **compromised credentials**, **PII**, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially **critical infrastructure**. Authorities redirected LeakBase domains (including `leakbase[.]ws` and `leakbase[.]la`) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., `ns1.fbi.seized.gov`, `ns2.fbi.seized.gov`). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and **IP logs**. The operation reportedly included **100 law enforcement actions** against **45 targets** across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including **13 arrests**, **32 searches**, and interviews with **33 suspects**; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via `FBI-SU-Leakbase@fbi.gov`.
2 weeks ago
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
1 month ago
FBI Seizure of the RAMP Cybercrime Forum
U.S. law enforcement has **seized the RAMP cybercrime forum**, a long-running hub used to advertise and facilitate ransomware operations, malware distribution, and other illicit services. Both the forum’s Tor presence and clearnet domain (reported as `ramp4u[.]io`) were replaced with an FBI seizure banner indicating coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section; the forum’s administrator reportedly acknowledged the takedown publicly on the XSS forum. Reporting notes RAMP emerged as a dedicated venue for ransomware promotion after other major forums restricted such activity, and that criminal communities are already attempting to migrate to alternative platforms. Separate reporting also highlighted other cybercrime enforcement actions (including indictments tied to **Ploutus**-based ATM jackpotting and other marketplace disruptions), but those are distinct from the RAMP seizure. A different, unrelated incident involved a **supply-chain compromise of eScan antivirus** update infrastructure in which attackers briefly pushed a backdoor via a trojanized `Reload.exe` that altered update settings, established persistence via a scheduled task, and contacted a C2 to retrieve additional payloads; this event is not connected to the RAMP takedown and should be tracked independently as a vendor update-channel compromise affecting customer environments.
1 month ago