The LeakBase cyberforum, considered one of the world’s largest online marketplaces for cybercriminals to buy and sell stolen data and cybercrime tools, has been seized by the US, and arrests have also been made in other countries.
The US Department of Justice said Thursday that earlier this week, law enforcement agencies in 14 countries took synchronized action against the site and its 142,000 users, capturing its data and two of the domains used by the forum. Law enforcement also executed search warrants, made arrests, and conducted interviews in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
“Prevention messages” were also sent to LeakBase members.
According to the US and Europol, the European police co-operative, the captured database included credential pairs (usernames and associated passwords), credit and debit card numbers, and bank account and routing information, as well as other sensitive business and personally identifiable information.
The action started March 3, when around 100 enforcement actions, including arrests and house searches, were conducted worldwide. These included measures against 37 of the most active LeakBase users. The so-called technical phase, the seizure of the forum’s domain and database, took place the next day. That, Europol said, enabled the unmasking of multiple users who believed they were operating anonymously.
“By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no one is truly invisible online,” said Europol.
Law enforcement authorities are proactively continuing to trace digital trails to unmask additional offenders and establish their real-world identities, it added.
Sending a strong signal to cybercriminals
However, one expert says IT leaders shouldn’t hold out much hope that, with this data, law enforcement authorities may be able to warn organizations that they’ve been hacked, or use the data to help victim firms plug vulnerabilities.
“In the current climate of the geopolitical turbulence, data sharing between law enforcement and private sector is quite unlikely,” said Ilia Kolochenko, CEO of Swiss-based ImmuniWeb. “Moreover, in many jurisdictions, such data sharing may be illegal as it almost inevitably contains data stolen from third parties.”
While this operation “marks another remarkable victory of law enforcement over global cybercrime,” he added, “practical benefits will probably remain modest.
“First, the most dangerous and active cyber mercenaries and state-backed hacking groups are well prepared for a possible seizure of such marketplaces, and leave virtually no digital traces or other incriminating evidence that could help identify them.
“Second, even if due to a mistake or omission some cybercriminals will be unmasked, most of them enjoy immunity in non-extradition jurisdictions. Finally, clandestine operators of such marketplaces almost always have a backup and Plan B, swiftly resurrecting like a hydra within several days or weeks.
“In sum, while this operation sends a strong signal that cyber offenders will be prosecuted, global cybercrime will continue as usual,” he said.
Garrett Carstens, senior vice-president of intel operations at Intel 471, said CSOs should view the LeakBase takedown as a positive development, but not as a decisive one or one that will translate into easily measurable reduction in cyber risk on its own. “Takedowns can create short-term disruption, intelligence opportunities, and friction for criminals,” he said, “yet the ecosystem typically adapts quickly via migration to other forums or more resilient distribution channels, such as Telegram.”
It’s good news tactically, he said, but it will have limited strategic impact unless paired with follow-on actions such as arrests, financial interdiction, or other forms of sustained pressure.
Carstens said to evaluate whether this, or other, takedowns matter for their organization, infosec leaders could track various metrics including, but not limited to, recent fraud activity such as credential-stuffing and account takeover attempts, how quickly any known exposed data appears on alternate forums/Telegram after a disruption, and the appearance of new phishing kits, new proxy services, and new bot patterns after a takedown.
Global effort
Thanks to international co-operation, a number of criminal marketplaces have been seized in recent years, including BreachForums and RaidForums.
Law enforcement agencies involved in various ways in this week’s takedown came from Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the US.
News of the seizure comes the day after the IT infrastructure hosting the Tycoon2FA phishing-as-a-service operation was dismantled.
The takedown of LeakBase “disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials,” said US assistant attorney general A. Tysen Duva. “This operation illustrates the strength of the United States and our international partners working across the globe to dismantle a critical cybercriminal forum.”
In a statement, Edvardas Šileris, head of Europol’s European Cybercrime Centre, said the operation “shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”
