FBI, Europol, and NCA Take Down 8Base Ransomware Data Leak and Negotiation Sites

Source: The Nation

A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang.

Visitors to the data leak site are now greeted with a seizure banner that says: "This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg."

The takedown involved the U.K. National Crime Agency (NCA), the U.S. Federal Bureau of Investigation (FBI), Europol, as well as agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand.

Thai media reports have revealed that four European nationals – two men and two women – were arrested across four different locations on Monday as part of an effort codenamed Operation Phobos Aetor. The identities of the suspects were not disclosed.

Authorities are said to have seized more than 40 pieces of evidence, including mobile phones, laptops, and digital wallets.

They are alleged to be linked to the deployment of Phobos ransomware against 17 companies located in Switzerland between April 2023 and October 2024. Furthermore, the group has been accused of earning $16 million through attacks that claimed over 1,000 victims across the world.

8Base, which emerged as a major double extortion player in 2023, has been previously found incorporating Phobos ransomware artifacts into their financially motivated cyber attacks, with research from VMware uncovering a Phobos sample using a ".8base" file extension on encrypted files.

Overlaps have also been identified between 8Base and RansomHouse, particularly when it comes to their ransom notes and dark web infrastructure.

The latest development comes in the aftermath of a series of high-profile disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.

Update

Europol, in a press statement, said the four arrested individuals are all Russian nationals who are alleged to have deployed a Phobos ransomware variant to extort victims across Europe and beyond. In addition, the operation led to the disruption of more than 100 servers linked to the cybercrime network.

"Its Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base," the agency said. "The adaptability of this framework has allowed attackers to customize their ransomware campaigns with minimal technical expertise, further fuelling its widespread use."

Per Europol, 8Base leveraged the foundations of Phobos to deploy its own variant against targets. It described the group as "particularly aggressive in its double extortion tactics," encrypting victims' data and threatening to publish stolen information unless a payment was made.

In a coordinated action, the U.S. Department of Justice (DoJ) unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, for allegedly operating a cybercrime group that used Phobos to victimize more than 1,000 public and private entities in the country and across the world. Phobos appeared on the scene in October 2018.

"Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names '8Base' and 'Affiliate 2803,' among others, that victimized public and private entities through the deployment of Phobos ransomware," the DoJ said.

Berezhnoy and Glebov have been charged with one count of wire fraud conspiracy, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of causing intentional damage to protected computers, three counts of extortion in relation to damage to a protected computer, one count of transmitting a threat to impair the confidentiality of stolen data, and one count of unauthorized access and obtaining information from a protected computer.

If convicted on all counts, Berezhnoy and Glebov face a maximum penalty of 20 years in prison on each wire fraud-related count; 10 years in prison on each computer damage count; and five years in prison on each of the other counts.

The takedown also coincides with Australia, the U.K., and the U.S. jointly announcing sanctions against Zservers, a Russia-based bulletproof hosting (BPH) provider, for its role in facilitating ransomware attacks, primarily those conducted by the LockBit RaaS group. The action marks the first time Australia has issued cyber sanctions against an entity.

Sanctions have also been imposed on its U.K. front company XHOST Internet Solutions LP, and six of the service's administrators and employees – Aleksandr Sergeyevich Bolshakov, Alexander Igorevich Mishin, Ilya Sidorov, Dimitriy Bolshakov, Igor Odintsov, and Vladimir Ananev in connection with the criminal operation.

"Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks," the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) said in a statement, adding it was advertised as a way to evade law enforcement scrutiny and takedowns.

In a follow-up announcement, the Dutch Police said it dismantled 127 servers used by ZServers, one of which hosted hack tools from Conti and LockBit ransomware groups.

"A bulletproof hoster is not just a shady company that ignores rules – it is the backbone of global cybercrime," the Politie said. "Without these 'safe havens' many criminals would not be able to host their hack tools, stolen data and fake websites anywhere."

(The story was updated after publication to include additional information from Europol, the U.S. Department of Justice, and the Dutch Police.)