
In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.
International law enforcement agencies have taken down the dark web leak site of the 8Base ransomware gang as part of a coordinated operation, leading to the arrest of four Russian nationals.
A message displayed on the seized site, first spotted on Monday, February 10, states: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.” According to the notice, authorities from Europe, Japan, the U.S., and the U.K. participated in the operation:
- Belgium: Federal Police.
- Czechia: Police of the Czech Republic.
- France: Paris Cybercrime Unit.
- Germany: Bavarian State Criminal Police Office.
- Japan: National Police Agency.
- Poland: Central Cybercrime Bureau.
- Romania: Romanian Police.
- Singapore: Singapore Police Force CyberCrime Command.
- Spain: Guardia Civil.
- Sweden: Swedish Police Authority.
- Switzerland: Office of the Attorney General of Switzerland, Federal Police.
- Thailand: Cyber Crime Investigation Bureau.
- United Kingdom: National Crime Agency.
- United States: US Department of Justice, Federal Bureau of Investigation, US Department of Defense Cyber Crime Center.
As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks.
Law enforcement agency Europol played a crucial role in coordinating enforcement actions. Since February 2019, Europol’s European Cybercrime Centre has:
- Brought together intelligence from parallel investigations, ensuring that law enforcement authorities targeting Phobos and 8Base could pool their findings and coordinate arrests efficiently.
- Organized 37 operational meetings and technical sprints to develop key investigative leads.
- Provided analytical, crypto-tracing and forensic expertise to support the case.
- Facilitated intelligence exchange within the Joint Cybercrime Action Taskforce (J-CAT), hosted at its headquarters.
- Exchanged nearly 600 operational messages via Europol’s secure SIENA network, making this one of EC3’s high-priority cases.
The 8Base ransomware gang, a financially motivated hacking group first identified in 2022, has been linked to the RansomHouse extortion operation. Known for employing double-extortion tactics, the group encrypts victims’ data and threatens to expose it unless a ransom is paid. In 2023, the U.S. government warned that 8Base was indiscriminately targeting multiple sectors, particularly in the U.S., including healthcare.
The gang also claimed responsibility for a cyberattack on the United Nations Development Programme in 2024.
Before the takedown, 8Base described itself on its dark web leak site as “honest and simple pentesters.” Similar to the Cl0p ransomware gang, it claimed to target only organizations that “neglected the privacy and importance of the data of their employees and customers.”
8Base has been known to use various ransomware strains in its attacks, including Phobos. Last year, the U.S. government secured the extradition of an alleged hacker accused of being a key administrator in the Phobos ransomware operation.