A global law enforcement operation has disrupted the operations of a prolific cyber crime group.
8Base, one of the top 10 most active ransomware groups in recent years, has had its darknet leak site seized, while Thai authorities have arrested four alleged members of the hacking group.
8Base has several .onion addresses on the Tor network. The main one currently hosts a takedown notice naming a raft of law enforcement agencies involved in the operation, among them Europol, the FBI, the DOD’s Cyber Crime Centre, and the federal police of several nations, including Japan, the Czech Republic, Germany, and Switzerland.
“THIS HIDDEN SITE HAS BEEN SEIZED,” the takedown notice said.
“This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”
Since the leak site was seized, authorities have been reluctant to comment, with a Europol spokesperson telling The Record only that it “is supporting an international operation against a ransomware group”.
At the same time, an operation between Thai, Swiss, and US authorities has led to the arrest of four European nationals residing in Thailand for an alleged ransomware operation that had claimed more than 1,000 victims. The two men and two women were arrested in locations around Phuket and are awaiting extradition at the request of US and Swiss authorities.
The arrests were made as part of Operation PHOBOS AETOR; 8Base was known to deploy a modified version of the Phobos ransomware variant.
“Known for its aggressive double extortion tactics, 8Base has claimed attacks on high-profile entities, including the United Nations Development Programme and Nidec Corporation, in addition to Australian victims,” Matt Green, principal threat analyst at Rapid7, told Cyber Daily.
“The takedown of 8Base and arrests in Thailand underscore ongoing global law enforcement efforts against ransomware groups in 2025. Building on the strong momentum of 2024, these takedowns demonstrate effective disruption of ransomware threats.”
8Base had been responsible for targeting high-profile victims such as the UNDP and Volkswagen and had claimed several Australian victims throughout 2024.
In March 2024, 8Base listed the Castle Hill RSL Group (CHRG) on its leak site, with CHRG first detecting the attack in February. In May of the same year, CHRG began contacting customers impacted by the attack, warning them that their full names, dates of birth, and contact information such as email, postal address, and phone numbers had been compromised.
8Base had been active since March 2023, though its X (then Twitter) account dated back almost a decade earlier. In that time, the gang had claimed at least 462 victims, with the latest being UK-based educational platform High Learn, which was listed earlier this month on 8Base’s leak site.
UPDATED 11/02/25 to add Rapid7 commentary.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.