Global law enforcement disables LeakBase, shutters malware networks in sweep

International law enforcement agencies and private cyber-defense teams carried out a concentrated wave of takedowns that seized assets tied to LeakBase and rendered large swaths of criminal infrastructure nonoperational, officials and industry analysts said. The actions, concentrated over a few days and within a broader six-week campaign, disrupted marketplaces, malware loaders, infostealers, crypting and counter-antivirus services, ransomware infrastructure and DDoS-for-hire operations.

The campaign targeted tens of thousands of malicious IP addresses and domains, along with command-and-control systems and criminal accounts used to advertise illicit services and initiate attacks. Some, but not all, of the takedowns were part of Operation Endgame, a broad, ongoing international law enforcement effort to dismantle and prosecute cybercriminal organizations; other actions were taken in coordination with Operation PowerOFF and Operation Secure. Agencies involved included the FBI, Interpol, Europol and cybersecurity vendors operating alongside law enforcement partners in dozens of countries.

The original reporting identified seizures tied to LeakBase, described in law enforcement material as a vast stolen-data marketplace, and noted actions against an entity named Tyco, although the available description of Tyco was truncated and requires clarification. Beyond those named targets, investigators removed or disrupted infrastructure supporting prolific infostealers, malware loaders, counter-antivirus and crypting services, and more, law enforcement and industry participants said.

“It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz said, praising the pace of enforcement. “I can’t think of such a flurry and rapid succession, and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

Industry analysts described the operations as a coordinated assault on the cybercrime ecosystem that underpins the most damaging attacks. “Collectively, these actions target the ecosystem that supports the most impactful cyberattacks,” Selena Larson, senior threat intelligence analyst at Proofpoint, said. “Any disruption is a win. I always get so happy to see any disruption. So I have been just so stoked the last couple of weeks.”

The combined law enforcement and private actions produced takedowns, seizures, indictments and arrests, officials said, though public details tying individual legal actions to specific targets such as LeakBase or Tyco have not been released. Security experts said they are heartened by how private industry, the FBI, Interpol, Europol and dozens of countries are pooling resources, sharing intelligence and collaborating to thwart cybercrime.

Gaps in public reporting remain significant. Authorities have not published lists of seized domains or IPs, nor have they clarified which agencies led the LeakBase and Tyco actions, whether data were preserved for victims, or whether charges have been filed against named operators. Investigators and vendors involved in the operations are expected to release more detailed briefings as cases move through legal channels.

For now, defenders say the campaign is a tactical win: multiple criminal services were disrupted simultaneously, infrastructure used to distribute and manage malware was degraded, and international coordination has been validated. The operation marks a notable escalation in transnational efforts to dismantle the commercial underpinnings of cybercrime, with officials signaling that further coordinated actions are likely.