Full Report
The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. [...]
Analysis Summary
# Incident Report: Seizure of LeakBase Cybercrime Forum (Operation Leak)
## Executive Summary
The FBI, in coordination with Europol and law enforcement across 14 countries, successfully dismantled LeakBase, a prominent cybercrime forum used for trading stolen data and hacking tools. The operation resulted in the seizure of the forum’s infrastructure, the collection of database records for 142,000 members, and over 100 enforcement actions worldwide. This disruption effectively removes a primary marketplace that filled the vacuum left by previous takedowns of RaidForums and BreachForums.
## Incident Details
- **Discovery Date:** Ongoing investigation culminating on March 3, 2026
- **Incident Date:** March 3–4, 2026 (Seizure/Disruption phase)
- **Affected Organization:** LeakBase (Cybercrime Forum)
- **Sector:** Underground Cybercrime Economy
- **Geography:** Global (Domains seized by US; enforcement in 14 countries including UK, Poland, and Australia)
## Timeline of Events
### Initial Access
- **Date/Time:** March 3, 2026
- **Vector:** Law Enforcement Intervention / Infrastructure Seizure
- **Details:** Global law enforcement agencies initiated "Operation Leak," executing search warrants and "knock-and-talk" interventions against high-value targets.
### Lateral Movement
- **Details:** N/A (Law enforcement moved from physical arrests/interviews to technical disruption of the web infrastructure).
### Data Exfiltration/Impact
- **Details:** Law enforcement secured and preserved the entire LeakBase database, including user accounts, posts, credit details, private messages, and IP logs for 142,000 members.
### Detection & Response
- **March 3, 2026:** Coordinated enforcement actions (arrests and searches) across multiple jurisdictions.
- **March 4, 2026:** Technical disruption phase; domains seized and replaced with a law enforcement splash page.
- **Post-March 4, 2026:** "Prevention phase" initiated to deter future criminal activity using preserved evidence.
## Attack Methodology
*Note: This section reflects the Law Enforcement "attack" on the criminal infrastructure.*
- **Initial Access:** Legal seizure of domain registrars and hosting infrastructure.
- **Persistence:** Switch of domain nameservers to official FBI-controlled infrastructure.
- **Defense Evasion:** Use of coordinated, multi-jurisdictional strikes to prevent "canary" warnings or data wiping by forum admins.
- **Collection:** Mirroring of the forum's backend database and IP logs.
- **Impact:** Complete decommissioning of the forum and public branding of the site with seizure banners.
## Impact Assessment
- **Financial:** Disruption of an escrow payment system used for illicit transactions.
- **Data Breach:** Compromise of 142,000 cybercriminal identities and their private communications.
- **Operational:** Total shutdown of the forum; loss of a major repository for leaks and exploits.
- **Reputational:** Significant blow to the perceived "anonymity" of users migrating from BreachForums to LeakBase.
## Indicators of Compromise
- **Network Indicators:**
  - leakbase[.]la (Seized)
  - ns1[.]fbi[.]seized[.]gov (New Nameserver)
  - ns2[.]fbi[.]seized[.]gov (New Nameserver)
- **Behavioral Indicators:** Unexpected redirection of known cybercrime domains to government-hosted splash pages.
## Response Actions
- **Containment:** Domain seizure to prevent further trading of stolen data.
- **Eradication:** Shutdown of the hosting environment used by the ARES threat group for forum operations.
- **Recovery:** Preservation of evidence for "evidentiary purposes" in future criminal prosecutions.
## Lessons Learned
- **Success of International Cooperation:** The involvement of 14 countries demonstrates that jurisdictional boundaries are shrinking for law enforcement.
- **Database Vulnerability:** Even "secure" forums focused on OpSec (Operational Security) are vulnerable to total data preservation by authorities if the infrastructure is seized.
- **The "Hydra" Effect:** While LeakBase rose to fill the void of BreachForums, consistent law enforcement pressure is shortening the lifespan of these successor sites.
## Recommendations
- **For Law Enforcement:** Continue the "Prevention Phase" by utilizing seized IP logs to identify and prosecute the 37 most active users identified during the raid.
- **For Private Sector:** Monitor the preserved data (if/when shared via intelligence channels) to identify if corporate credentials or stolen assets were being traded on this specific platform.