FBI and Europol lead 14-country takedown of LeakBase forum

Law enforcement in 14 countries carried out a coordinated takedown of LeakBase on March 3 and 4, shutting the forum and seizing large troves of data and two domain names in an operation hosted by Europol in The Hague. Authorities posted seizure banners on the site, sent prevention messages to members and collected additional evidence, officials said.

LeakBase has been described as one of the world’s largest online forums for cybercriminals and, according to an original report, maintained an archive of hacked databases containing “hundreds of millions of passwords.” The Department of Justice and the FBI said the operation was aimed at removing a widely used point of access to stolen information affecting American businesses and individuals.

Officials said the takedown involved seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes. Law enforcement executed search warrants, made arrests and conducted interviews in several countries, with actions explicitly reported in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom. The full list of the 14 participating countries has not been released.

Speaking on the operation, Assistant Director Brett Leatherman of the FBI’s Cyber Division said, “The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages, and IP logs for evidentiary purposes. Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals. The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division added, “The takedown of this cyber forum disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials. This operation illustrates the strength of the United States and our international partners working across the globe to dismantle a critical cybercriminal forum. The Criminal Division will continue to leverage our international relationships to protect victim personal and account information from falling into the hands of transnational criminal organizations.”

Investigators posted seizure banners on the forum and delivered preventative notices to users to limit further harm while collecting evidence stored on the site, the DOJ said. Two domain names used by the forum were seized as part of the action; authorities have not disclosed the domain names.

Authorities have confirmed arrests and interviews took place but have not released the number of arrests, the identities of suspects or whether charges have been filed. Officials have also not detailed the full scope of datasets removed beyond the description in the original report that the site’s archive included “hundreds of millions of passwords,” nor have they published a complete list of the 14 countries involved.

The operation is the latest multilateral effort to dismantle online marketplaces for stolen credentials and hacking tools. Investigators and prosecutors now face the task of analyzing the seized accounts, messages and logs to identify perpetrators, notify victims and assess what additional criminal or civil actions may follow.