The LeakBase cyberforum, considered one of the world’s largest online marketplaces for cybercriminals to buy and sell stolen data and cybercrime tools, has been seized by the US, and arrests have also been made in other countries.
The US Department of Justice said Thursday that earlier this week, law enforcement agencies in 14 countries took synchronized action against the site and its 142,000 users, capturing its data and two of the domains used by the forum. Law enforcement also executed search warrants, made arrests, and conducted interviews in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
“Prevention messages” were also sent to LeakBase members.
According to the US and Europol, the European police co-operative, the captured database included credential pairs (usernames and associated passwords), credit and debit card numbers, and bank account and routing information, as well as other sensitive business and personally identifiable information.
The action started March 3, when around 100 enforcement actions, including arrests and house searches, were conducted worldwide. These included measures against 37 of the most active LeakBase users. The so-called technical phase, the seizure of the forum’s domain and database, took place the next day. That, Europol said, enabled the unmasking of multiple users who believed they were operating anonymously.
“By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no one is truly invisible online,” said Europol.
Law enforcement authorities are proactively continuing to trace digital trails to unmask additional offenders and establish their real-world identities, it added.
Sending a strong signal to cybercriminals
However, one expert says IT leaders should not hold out much hope that law enforcement authorities will use this data to warn organizations that they have been hacked, or to help victim firms plug vulnerabilities.
“In the current climate of the geopolitical turbulence, data sharing between law enforcement and private sector is quite unlikely,” said Ilia Kolochenko, CEO of Swiss-based Immuniweb. “Moreover, in many jurisdictions, such data sharing may be illegal as it almost inevitably contains data stolen from third parties.”
While this operation “marks another remarkable victory of law enforcement over global cybercrime,” he added, “practical benefits will probably remain modest.
“First, the most dangerous and active cyber mercenaries and state-backed hacking groups are well prepared for a possible seizure of such marketplaces, and leave virtually no digital traces or other incriminating evidence that could help identify them.
“Second, even if due to a mistake or omission some cybercriminals will be unmasked, most of them enjoy immunity in non-extradition jurisdictions. Finally, clandestine operators of such marketplaces almost always have a backup and Plan B, swiftly resurrecting like a hydra within several days or weeks.
“In sum, while this operation sends a strong signal that cyber offenders will be prosecuted, global cybercrime will continue as usual,” he said.
Garrett Carstens, senior vice-president of intel operations at Intel 471, said CSOs should view the LeakBase takedown as a positive development, but not as a decisive one or one that will translate into an easily measurable reduction in cyber risk on its own. “Takedowns can create short-term disruption, intelligence opportunities, and friction for criminals,” he said, “yet the ecosystem typically adapts quickly via migration to other forums or more resilient distribution channels, such as Telegram.”
It’s good news tactically, he said, but it will have limited strategic impact unless paired with follow-on actions such as arrests, financial interdiction, or other forms of sustained pressure.
Carstens said that, to evaluate whether this or other takedowns matter for their organization, infosec leaders could track metrics including, but not limited to: recent fraud activity such as credential-stuffing and account-takeover attempts; how quickly any known exposed data reappears on alternate forums or Telegram after a disruption; and the appearance of new phishing kits, new proxy services, and new bot patterns after a takedown.
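The first of those metrics, credential-stuffing and account-takeover attempts, is the one a defender can measure directly from their own authentication logs. The script below is an added example written for this article; it is not code from Intel 471 or from any of the agencies involved, and it assumes a simple space-separated log line format (timestamp, source IP, username, result) that is constructed for illustration. It flags source IPs that produce many failed logins across many distinct usernames inside a sliding time window, records any successes interleaved with that burst (the accounts most likely taken over), and rolls flagged sources up per day so the count before and after a takedown can be compared.

```python
"""Credential-stuffing signal over authentication logs (added example, not from the article).

Log format assumed here (constructed, one event per line):
    <ISO-8601 UTC timestamp> <source IP> <username> <SUCCESS|FAIL>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not real traffic. Three sources:
#  203.0.113.10  fast spray: 8 users fail in 8 seconds, one success in the middle
#  198.51.100.7  one user fails 3 times then succeeds (forgotten password, benign)
#  192.0.2.44    low-and-slow spray: two bursts of 3 users, 10 minutes apart
SAMPLE_AUTH_LOG = """\
2025-03-01T09:00:00Z 203.0.113.10 alice FAIL
2025-03-01T09:00:01Z 203.0.113.10 bob FAIL
2025-03-01T09:00:02Z 203.0.113.10 carol FAIL
2025-03-01T09:00:03Z 203.0.113.10 dave FAIL
2025-03-01T09:00:04Z 203.0.113.10 erin FAIL
2025-03-01T09:00:05Z 203.0.113.10 frank SUCCESS
2025-03-01T09:00:06Z 203.0.113.10 grace FAIL
2025-03-01T09:00:07Z 203.0.113.10 heidi FAIL
2025-03-01T09:00:08Z 203.0.113.10 ivan FAIL
2025-03-01T09:30:00Z 198.51.100.7 alice FAIL
2025-03-01T09:31:00Z 198.51.100.7 alice FAIL
2025-03-01T09:32:00Z 198.51.100.7 alice FAIL
2025-03-01T09:33:00Z 198.51.100.7 alice SUCCESS
2025-03-05T14:00:00Z 192.0.2.44 alice FAIL
2025-03-05T14:00:01Z 192.0.2.44 bob FAIL
2025-03-05T14:00:02Z 192.0.2.44 carol FAIL
2025-03-05T14:10:00Z 192.0.2.44 dave FAIL
2025-03-05T14:10:01Z 192.0.2.44 erin FAIL
2025-03-05T14:10:02Z 192.0.2.44 frank FAIL
"""


def parse_auth_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing_sources(events, window_seconds=300, min_failures=5, min_distinct_users=5):
    """Return {ip: stats} for every source whose failures look like credential stuffing.

    A source is flagged when some window of `window_seconds` contains at least
    `min_failures` failed logins spread over at least `min_distinct_users` usernames.
    Password-guessing against a single account never trips this (distinct users stays 1).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[3] == "FAIL"]
        in_window = Counter()  # username -> failures currently inside the sliding window
        start = 0
        for end, ev in enumerate(failures):
            in_window[ev[2]] += 1
            # Advance the window start until the oldest failure fits inside the window.
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                old_user = failures[start][2]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if end - start + 1 >= min_failures and len(in_window) >= min_distinct_users:
                first, last = failures[0][0], failures[-1][0]
                # Successes interleaved with the failure stream are the probable takeovers.
                hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and first <= e[0] <= last})
                flagged[ip] = {
                    "failures": len(failures),
                    "distinct_users": len({e[2] for e in failures}),
                    "first_burst": failures[start][0],
                    "hits": hits,
                }
                break
    return flagged


def daily_flagged_counts(events, **thresholds):
    """Number of flagged sources per day (by first burst), for before/after comparison."""
    counts = Counter()
    for info in find_stuffing_sources(events, **thresholds).values():
        counts[info["first_burst"].date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in find_stuffing_sources(evs).items():
        print(f"{ip}: {info['failures']} failures over {info['distinct_users']} users, hits={info['hits']}")
    print("per day (5 min window):", daily_flagged_counts(evs))
    print("per day (1 h window):  ", daily_flagged_counts(evs, window_seconds=3600))
```

With the default five-minute window only the fast spray from 203.0.113.10 is flagged; the low-and-slow source 192.0.2.44 is caught only when the window is widened to an hour, which is the trade-off to tune against the organization's own false-positive rate (shared NAT egress, for example). Tracking the daily count over the weeks around a takedown is the kind of measurement Carstens describes.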
Global effort
Thanks to international co-operation, a number of criminal marketplaces have been seized in recent years, including BreachForums and RaidForums.
Law enforcement agencies involved in various ways in this week’s takedown came from Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the US.
News of the seizure comes the day after the IT infrastructure hosting the Tycoon2FA phishing-as-a-service operation was dismantled.
The takedown of LeakBase “disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials,” said US assistant attorney general A. Tysen Duva. “This operation illustrates the strength of the United States and our international partners working across the globe to dismantle a critical cybercriminal forum.”
In a statement, Edvardas Šileris, head of Europol’s European Cybercrime Centre, said the operation “shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”