INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Europol Seizes LeakBase Data Breach Site
2026-03-05 09:45 | MEDIUM
Executive Summary (AI-generated)
The coordinated action on March 3 led to arrests, house searches and "knock-and-talk" interviews by police in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK. A global operation also recently resulted in disruption of the notorious Tycoon2FA phishing-as-a-service site, responsible for tens of millions of phishing messages reaching over 500,000 organizations each month worldwide. The world's largest online forum for stolen data has been taken down following a law enforcement operation coordinated by Europol, and those who believed they could hide behind anonymity are being identified and held accountable.
Technical Mitigations (AI-generated)
* Implement robust encryption and secure communication protocols, such as HTTPS (Hypertext Transfer Protocol Secure) or TLS (Transport Layer Security), to protect data transmitted between users and the platform.
* Utilize secure authentication mechanisms, like multi-factor authentication (MFA), to verify user identities and prevent unauthorized access to sensitive information.
* Regularly update software and plugins to patch vulnerabilities and fix security flaws, ensuring that the platform remains secure against emerging threats.
* Conduct regular backups of critical data and systems to ensure business continuity in case of a cyber attack or system failure.
* Implement a robust incident response plan, including procedures for responding to data breaches, identifying and containing incidents, and notifying affected parties.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation Leak
Operation Seizes LeakBase
Target & Sectors
BENELUX
government
Incident Timeline
March 3 and 4, 2026
Threat actors used LeakBase to target the U.K. and conducted arrests in conjunction with Operation Leak, a disruption exercise codenamed Europol.
source_region
Australia, Belgium, Poland, Portugal, Romania, Spain
campaign
Operation Leak
attribution
Europol
As part of the disruption exercise codenamed Operation Leak that took place on March 3 and 4, 2026, authorities executed search warrants, made arrests, and conducted interviews in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K.
In a coordinated announcement, Europol said LeakBase specialized in the sale of stealer logs, which contain archives of credentials harvested through infostealer malware.
March 3 and 4
The FBI shut down LeakBase on March 3 and 4 by seizing two of its domains.
attribution
FBI, Leakbase
On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.
June 2021
The incident occurred in June 2021 when threat actors used a compromised version of the LeakBase platform to target and breach Europol's website.
April 2023
Russian Federation accessed LeakBase data breach site through Europol Operation.
target_region
Russian Federation
According to a report published by Flare in April 2023, LeakBase explicitly prohibited users from peddling or publishing Russian databases, likely in an attempt to avoid scrutiny.
2025-03-05
Threat actors used a compromised account to gain access to the LeakBase data breach site on 2025-03-05.
data_breach
1.8 billion credentials
general_metric
800%
A report from last year claimed that 1.8 billion credentials were stolen in the first half of 2025, an 800% increase compared to the previous six months.
the first half of 2025
Threat actors used a compromised account to gain access to the credentials.
December 2025
The threat actors used the Microsoft platform to target and disrupt Tycoon2FA, a notorious phishing-as-a-service site.
organisation
the U.S. Department of Justice (DoJ)
data_breach
142,000 members
general_metric
215,000 messages
The LeakBase forum, per the U.S. Department of Justice (DoJ), had over 142,000 members and more than 215,000 messages between members as of December 2025.
victims
142,000 registered users
By December 2025, it had more than 142,000 registered users, with around 32,000 posts and over 215,000 private messages sent by those users, Europol revealed.
victims
142 000 registered users
general_metric
215 000 private messages
“By December 2025, LeakBase counted more than 142 000 registered users, approximately 32 000 posts and over 215 000 private messages, underlining its scale and global reach.”
organisation
RaidForums, BreachForums
Predecessors of LeakBase taken out by law enforcement included RaidForums in 2022, and BreachForums a year later.
organisation
Microsoft
In related news, a global operation led by Microsoft and Europol recently resulted in disruption to the notorious Tycoon2FA phishing-as-a-service site.
victims
500,000 organizations
It was responsible for tens of millions of phishing messages reaching over 500,000 organizations each month worldwide.
organisation
Europol’s European Cybercrime Centre
“What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre.
organisation
MFA
Tycoon2FA enabled threat actors using it to bypass multi-factor authentication (MFA).
financial
37 Europol
Europol claimed 37 of the most active users of the platforms were targeted by police, as well as dozens more.
2026-02-03
SpyCloud revealed that Europol's Seizes LeakBase data breach site was compromised by SpyCloud.
organisation
SpyCloud
What's more, SpyCloud revealed early last month that the forum had been down for a few days and that Chucky was looking for a new hosting provider.
3 March
Law enforcement authorities carried out coordinated enforcement actions across multiple jurisdictions on 3 March.
March 3
Law enforcement agencies carried out coordinated actions worldwide on March 3, including arrests and house searches targeting the LeakBase forum.
source_region
Australia, Belgium, Poland, Portugal, Romania, Spain, United States, United Kingdom
attribution
Coordinated
Coordinated action on March 3 led to arrests, house searches and “knock-and-talk” interviews by police in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.
general_metric
100 enforcement actions
general_metric
37 interventions
On March 3, law enforcement agencies carried out coordinated actions worldwide, including arrests, house searches, and about 100 interventions targeting 37 of the most active users of the LeakBase forum.
2026-03-04
Europol announced the seizure of RaidForums, a cybercrime marketplace that had been breached in 2022 and 2023.
general_metric
100 enforcement actions
organisation
Europol
"Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platforms," Europol added today.
organisation
RaidForums, BreachForums
Today's announcement follows the disruption of RaidForums in 2022 and BreachForums in 2023, two cybercrime marketplaces that preceded it, as well as the BreachForums founder's conviction and sentencing in 2025.
source_region
United States
“And so, to us, it's remained a priority for years, and to see it come to a conclusion like it did today ... to us, that's very significant.”
4 March
Threat actors used a malware tool to compromise Europol's network and gain access to LeakBase, then moved the site to a law enforcement splash page.
Mar 05, 2026
Threat actors used a compromised version of the popular open-source web application Nginx to gain unauthorized access and subsequently breached LeakBase, a data storage service.
2026-03-05
The FBI and Europol seized the LeakBase cybercrime forum.
data_breach
142,000 members
organisation
LeakBase, ARES
FBI seizes LeakBase cybercrime forum, data of 142,000 members.
Active since 2021, LeakBase was launched as a project supported by the ARES threat group, and it gradually grew its user base to more than 142,000 members following the closure of the Breached hacker forum.
organisation
Leatherman
It had grown to over 142,000 registered members, with more than 33,000 forum threads and 215,000 messages discussing pilfered data, according to Leatherman.
victims
45 targets
The FBI and its partners conducted 100 law enforcement actions against 45 targets across more than a dozen countries, including shutting down hosting infrastructure from the Netherlands to Malaysia and seizing and redirecting the forum's domains to bureau-controlled servers.
organisation
LeakBase, The Federal Bureau of Investigation
The operation targeted Leakbase, a subscription-based crime forum and marketplace that has operated since 2021 where compromised credentials, personally identifiable information and other sensitive information were sold.
LeakBase was an English-language site operating on the surface web which facilitated an illegal trade in stolen data, including stealer logs - archives of stolen credentials harvested through infostealer malware.
The Federal Bureau of Investigation seized the LeakBase cybercrime forum (leakbase[.]la), a platform used to trade hacking tools and stolen data.
organisation
IP
"All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes," the banner reads.
The seizure banner also notes that the forum's database and all its contents, including IP logs and private messages, will be used for "evidentiary purposes" in future investigations.
organisation
BloodyMery, OrderCheck, TSR
Some of the other known administrators and moderators of LeakBase include BloodyMery, OrderCheck, and TSR.
organisation
Europol
One of the world’s largest online forums for stolen data has been taken down following a global law enforcement operation coordinated by Europol.
reads the press release published by Europol.
organisation
Recorded Future News
Leakbase “continued to be an active location where users were increasingly sharing information that permits access to U.S.-based networks, potentially critical infrastructure,” he told Recorded Future News.
organisation
the White House’s
Leatherman said the bureau’s latest operation is “squarely aligned” with the White House’s forthcoming national cyber strategy, which will prioritize shifting the burden of risk in cyberspace from Americans to adversaries by attempting to shape their behavior.
organisation
Europol’s European Cybercrime Centre
“This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.
05, 2026
Ravie Lakshmanan Mar 05, 2026 Malware / Dark Web.
tactic
T1588.001 - Malware
organisation
LeakBase
Ravie Lakshmanan | Mar 05, 2026 | Malware / Dark Web
A joint law enforcement operation has dismantled LeakBase, one of the world's largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools.
Tactical Metrics
Metrics
Category | Value | Label
data_breach | 142,000 | Members
victims | 45 | Targets
victims | 500,000 | Organizations
data_breach | 1,800,000,000 | Credentials
victims | 142,000 | Registered Users
financial | 37 | Europol
victims | 0 | Registered Users
Intelligence Sources
The Hacker News, 2026-03-05
BleepingComputer, 2026-03-04: FBI seizes LeakBase cybercrime forum, data of 142,000 members
TheRecord, 2026-03-04
Infosecurity-Magazine, 2026-03-05: Europol Operation Seizes LeakBase Data Breach Site
Security Affairs, 2026-03-05: Operation Leak: FBI and Europol dismantle LeakBase Cybercrime forum
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:43
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Kind
21x | organisation | Identified Entity | SpyCloud | entity
18x | timeline | Temporal Reference | April 2023 | date
16x | attribution | Attributing Entity | Europol | authority
14x | source region | Origin Country | Australia | country
4x | tactic | Cyber Operation Type | Social Engineering | tactic
3x | target region | Target Country | Russian Federation | country
2x | campaign | Campaign | Operation Leak | operation
2x | tactic | MITRE ATT&CK Technique | T1589.001 - Credentials | technique
2x | victims | Registered Users | 142,000 | registered users
Contextual Telemetry
Context Block
18 METRICS
Category | Label | Value
data breach | Members | 142,000
general metric | Messages | 215,000
general metric | Enforcement Actions | 100
general metric | Countries | 14
general metric | Red Report | 2,026
general metric | Malicious Samples | 1,100,000
general metric | Top Techniques | 10
victims | Targets | 45
industry | Targeted Sector | Government
general metric | Arrests | 13
general metric | Searches | 32
general metric | Suspects | 33
victims | Organizations | 500,000
data breach | Credentials | 1,800,000,000
general metric | % | 800
financial | Europol | 37
general metric | Private Messages | 0
general metric | Interventions | 37