Sprawling FBI, European operation takes down Leakbase cybercriminal forum

The FBI and European law enforcement agencies carried out a global crackdown on a cybercrime forum where criminals bought and sold stolen credentials and exploits of software vulnerabilities.

The operation targeted Leakbase, a subscription-based crime forum and marketplace that has operated since 2021 where compromised credentials, personally identifiable information and other sensitive information were sold.

The FBI and its partners conducted 100 law enforcement actions against 45 targets across more than a dozen countries, including shutting down hosting infrastructure from the Netherlands to Malaysia and seizing and redirecting the forum’s domains to bureau-controlled servers.

The effort, dubbed “Operation Leak,” also resulted in 13 arrests, 32 searches and interviews with 33 suspects, along with capturing the forum’s entire database, according to Brett Leatherman, assistant director of the FBI’s cyber division.

In an interview, he described the operation as “progressive,” a continuation of the work the FBI has conducted in a series of international law enforcement stings that increasingly involve coordinated arrests and raids on multiple continents against other criminal forums and online gangs, such as the notorious ransomware organization Lockbit.

Leakbase “continued to be an active location where users were increasingly sharing information that permits access to U.S.-based networks, potentially critical infrastructure,” he told Recorded Future News. “And so, to us, it’s remained a priority for years, and to see it come to a conclusion like it did today … to us, that’s very significant.”

He highlighted that the investigation had been going on for multiple years and was led by the bureau’s Salt Lake City field office.

The forum itself ran on a subscription model, with some users paying a one-time fee of a few hundred dollars for “premium” access.

It had grown to over 142,000 registered members, with more than 33,000 forum threads and 215,000 messages discussing pilfered data, according to Leatherman. None of the arrests occurred in the U.S., he added.

The threat monitoring company Flare previously described Leakbase as one of the “more sophisticated forums on the dark web, both in terms of the amount of sensitive data available and the mature approach to discovery and commerce.”

Much of the data it offered was obtained through unauthorized access to government systems and U.S. businesses, frequently through SQL injection attacks against unpatched web applications.

Leatherman said law enforcement officials are still unraveling how much revenue Leakbase generated from its subscribers or how much was stolen from victims as a result of its various offerings.

“They’re victims of opportunity,” he said. “Many times it’s where actors were able to get in, get access to pure credentials, and that could represent small to medium businesses or large businesses. We’re going to learn a lot more about that victim space soon.”

Leatherman said the bureau’s latest operation is “squarely aligned” with the White House’s forthcoming national cyber strategy, which will prioritize shifting the burden of risk in cyberspace from Americans to adversaries by attempting to shape their behavior.

“We expect that these actors who’ve been arrested will potentially have information or evidence that would help us move upstream against other actors,” he said.

“But if these actors do go to another platform believing that they’re anonymous, they should recognize that we’re going to follow them and that we have tremendous capability, us and our partners, to de-anonymize them.”


Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.
