A recent coordinated law enforcement operation has successfully dismantled the dark web data leak and negotiation sites associated with the notorious 8Base ransomware gang.

Upon visiting the data leak site, users are now presented with a seizure banner that reads: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”

The takedown operation involved a collaborative effort from the U.K. National Crime Agency (NCA), the U.S. Federal Bureau of Investigation (FBI), Europol, as well as agencies from multiple countries including Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand.

According to reports from Thai media, four European nationals – consisting of two men and two women – were apprehended across four different locations on Monday as part of an operation codenamed Operation Phobos Aetor. The identities of the suspects have not been disclosed.

Authorities seized over 40 pieces of evidence, including mobile phones, laptops, and digital wallets, during the operation.

It is alleged that the suspects are linked to the deployment of Phobos ransomware against 17 companies located in Switzerland between April 2023 and October 2024. Furthermore, the group is accused of earning $16 million through attacks that claimed over 1,000 victims worldwide.

8Base, which emerged as a major double extortion player in 2023, has been previously found incorporating Phobos ransomware artifacts into their financially motivated cyber attacks. Research from VMware uncovered a Phobos sample using a “.8base” file extension on encrypted files.

Overlaps have been identified between 8Base and RansomHouse, particularly in regards to their ransom notes and dark web infrastructure.

This development comes in the aftermath of a series of high-profile disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.

Update

Europol, in a press statement, revealed that the four arrested individuals are all Russian nationals who are alleged to have deployed a Phobos ransomware variant to extort victims across Europe and beyond. The operation also led to the disruption of more than 100 servers linked to the cybercrime network.

“Its Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base,” the agency said. “The adaptability of this framework has allowed attackers to customize their ransomware campaigns with minimal technical expertise, further fuelling its widespread use.”

According to Europol, 8Base leveraged the foundations of Phobos to deploy its own variant against targets. The group is described as “particularly aggressive in its double extortion tactics,” encrypting victims’ data and threatening to publish stolen information unless a payment was made.

In a coordinated action, the U.S. Department of Justice (DoJ) unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, for allegedly operating a cybercrime group that used Phobos to victimize more than 1,000 public and private entities in the country and across the world. Phobos first appeared on the scene in October 2018.

“Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names ‘8Base’ and ‘Affiliate 2803,’ among others, that victimized public and private entities through the deployment of Phobos ransomware,” the DoJ said.

Berezhnoy and Glebov have been charged with one count of wire fraud conspiracy, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of causing intentional damage to protected computers, three counts of extortion in relation to damage to a protected computer, one count of transmitting a threat to impair the confidentiality of stolen data, and one count of unauthorized access and obtaining information from a protected computer.

If convicted on all counts, Berezhnoy and Glebov face a maximum penalty of 20 years in prison on each wire fraud-related count; 10 years in prison on each computer damage count; and five years in prison on each of the other counts.

The takedown coincides with Australia, the U.K., and the U.S. jointly announcing sanctions against Zservers, a Russia-based bulletproof hosting provider, for its role in facilitating ransomware attacks, primarily those conducted by the LockBit RaaS group. This marks the first time Australia has issued cyber sanctions against an entity.

Sanctions have also been imposed on its U.K. front company XHOST Internet Solutions LP, and six of the service’s administrators and employees – Aleksandr Sergeyevich Bolshakov, Alexander Igorevich Mishin, Ilya Sidorov, Dimitriy Bolshakov, Igor Odintsov, and Vladimir Ananev – in connection with the criminal operation.

“Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks,” the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said in a statement, adding it was advertised as a way to evade law enforcement scrutiny and takedowns.

In a follow-up announcement, the Dutch Police stated that they dismantled 127 servers used by ZServers, one of which hosted hack tools from Conti and LockBit ransomware groups.

“A bulletproof hoster is not just a shady company that ignores rules – it is the backbone of global cybercrime,” the Politie said. “Without these ‘safe havens’ many criminals would not be able to host their hack tools, stolen data and fake websites anywhere.”

(This story was updated after publication to include additional information from Europol, the U.S. Department of Justice, and the Dutch Police.)