Russian authorities arrest alleged LeakBase admin behind stolen data marketplace
Russian authorities arrested the alleged LeakBase admin for running a marketplace selling stolen data since 2021.
Russian law enforcement has arrested the suspected administrator of LeakBase, a cybercrime forum used to trade stolen personal data. The suspect, from Taganrog, is accused of running the platform since 2021. During a search of his home, authorities seized technical equipment and other evidence linked to the operation.
“Police have detained a Taganrog resident suspected of administering LeakBase, one of the largest hacker platforms. Law enforcement officials told TASS.” reported the Russian agency TASS. “The detained Taganrog resident is suspected of administering ‘one of the largest international hacker platforms, LeakBase,’ the agency’s source said.”
Active for four years, the platform had over 147,000 users who bought, sold, and used the data for fraud. A criminal case has been opened, and the suspect is in custody.
In early March, the Federal Bureau of Investigation seized the LeakBase cybercrime forum (leakbase[.]la), a platform used to trade hacking tools and stolen data. The action formed part of “Operation Leak,” an international effort coordinated by Europol involving authorities from 14 countries, who took control of the forum’s domains and posted seizure notices.
Active since 2021, LeakBase became a key hub in the cybercrime ecosystem, specializing in trading leaked databases and “stealer logs” containing credentials stolen by infostealer malware. Operating openly in English, the forum combined marketplace and discussion features, allowing cybercriminals to buy, sell, and exchange compromised data.
On March 3, law enforcement agencies carried out coordinated actions worldwide, including arrests, house searches, and about 100 interventions targeting 37 of the most active users of the LeakBase forum. The next day, law enforcement seized the platform’s domain and replaced it with a law-enforcement notice, marking the start of the disruption phase. Investigators now move into a prevention stage focused on deterring cybercrime and raising awareness.

Europol supported the operation by mapping the forum’s infrastructure and analyzing user activity, linking suspects, victims, and evidence across borders. Specialists at Europol’s headquarters in The Hague examined seized data and generated investigative leads. The effort took place within the Joint Cybercrime Action Taskforce, while a Joint Command Post coordinated real-time intelligence sharing during the global action.
Authorities seized the LeakBase database, allowing investigators to deanonymize multiple users who believed they operated anonymously. Officers also contacted suspects through the same online channels used for criminal activity, sending a clear warning that anonymity online is limited.
Investigators continue tracing digital evidence to identify additional offenders. The operation also highlights how stolen data from breaches often resurfaces on cybercrime forums and fuels scams, identity theft, account takeovers, and phishing, underscoring the importance of strong passwords and multi-factor authentication.
(SecurityAffairs – hacking, LeakBase cybercrime forum)
Operation Leak: FBI and Europol dismantle LeakBase Cybercrime forum
The Federal Bureau of Investigation seized the LeakBase cybercrime forum in an international crackdown led by Europol.
The Federal Bureau of Investigation seized the LeakBase cybercrime forum (leakbase[.]la), a platform used to trade hacking tools and stolen data. The action formed part of “Operation Leak,” an international effort coordinated by Europol involving authorities from 14 countries, who took control of the forum’s domains and posted seizure notices.
Active since 2021, LeakBase became a key hub in the cybercrime ecosystem, specializing in trading leaked databases and “stealer logs” containing credentials stolen by infostealer malware. Operating openly in English, the forum combined marketplace and discussion features, allowing cybercriminals to buy, sell, and exchange compromised data.
“Active since 2021, LeakBase maintained a vast and continuously updated archive of breached databases, ranging from historical leaks to newly compromised data.” reads the press release published by Europol. “By December 2025, LeakBase counted more than 142 000 registered users, approximately 32 000 posts and over 215 000 private messages, underlining its scale and global reach.”
On March 3, law enforcement agencies carried out coordinated actions worldwide, including arrests, house searches, and about 100 interventions targeting 37 of the most active users of the LeakBase forum. The next day, law enforcement seized the platform’s domain and replaced it with a law-enforcement notice, marking the start of the disruption phase. Investigators now move into a prevention stage focused on deterring cybercrime and raising awareness.

Europol supported the operation by mapping the forum’s infrastructure and analyzing user activity, linking suspects, victims, and evidence across borders. Specialists at Europol’s headquarters in The Hague examined seized data and generated investigative leads. The effort took place within the Joint Cybercrime Action Taskforce, while a Joint Command Post coordinated real-time intelligence sharing during the global action.
Authorities seized the LeakBase database, allowing investigators to deanonymize multiple users who believed they operated anonymously. Officers also contacted suspects through the same online channels used for criminal activity, sending a clear warning that anonymity online is limited.
Investigators continue tracing digital evidence to identify additional offenders. The operation also highlights how stolen data from breaches often resurfaces on cybercrime forums and fuels scams, identity theft, account takeovers, and phishing, underscoring the importance of strong passwords and multi-factor authentication.
Authorities from 14 countries participated in the investigation: Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom, and the United States.
“This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.
FBI and Europol Dismantle LeakBase Cybercrime Forum With 142,000 Users

LeakBase: A Growing Marketplace for Stolen Credentials
Active since 2021, LeakBase operated openly on the web and primarily used English, allowing it to attract a global community of cybercriminals. The forum specialised in trading leaked databases and so-called “stealer logs,” which are collections of credentials captured by infostealer malware. These logs typically contain email addresses, passwords and other authentication data that criminals use to access online accounts. Once obtained, the information can be used for account takeovers, fraud schemes and further cyber intrusions.
Over time, LeakBase developed a structured system that helped it grow rapidly. The forum used a credit-based economy and reputation system, allowing users to build credibility within the community and gain access to more valuable data. This system helped maintain trust among offenders and kept the marketplace active.
Despite being an international platform, LeakBase reportedly had an internal rule that prohibited the sale or publication of data related to Russia, highlighting the unusual dynamics that sometimes exist within cybercrime networks.
By December 2025, the forum had accumulated more than 142,000 registered users, around 32,000 posts, and over 215,000 private messages, underscoring its role as a major player in the underground data-trading ecosystem.
