FBI Seizes LeakBase Cybercrime Forum, Data of 142,000 Members
[Update] March 13, 2026: “Russia Seizes New LeakBase Domain Following Earlier Takedown”
So, LeakBase. Here’s what most miss in the threat landscape: this wasn’t just another Dark Web forum takedown. Federal authorities executed a precision strike against one of the most sophisticated cybercrime marketplaces operating in 2025, effectively dismantling a digital bazaar that facilitated millions in fraudulent transactions.
The LeakBase seizure represents a watershed moment in international cybercrime enforcement, demonstrating how coordinated intelligence operations can penetrate seemingly impenetrable criminal networks. But the real story isn’t the takedown itself; it’s what the seized intelligence reveals about modern threat actor ecosystems.
What the LeakBase Seizure Reveals About Threat Actor Networks
Forums like LeakBase operate as critical infrastructure for Advanced Persistent Threat groups and ransomware collectives. The seized data encompasses 142,000 member profiles, transaction logs spanning three years, and detailed communication records between threat actors across 47 countries.
This intelligence trove provides unprecedented visibility into how cybercriminals coordinate attacks, share zero-day exploits, and monetize stolen credentials. And that’s why this seizure matters – organizations now have actionable intelligence to understand their adversaries’ methodologies.
The forum’s architecture revealed sophisticated reputation systems where established criminals vouched for newcomers, creating trust networks that enabled large-scale fraud operations targeting financial institutions and healthcare systems.

LeakBase has been seized as part of an international law enforcement operation
How LeakBase Enabled Cybercrime Training and Collaboration
LeakBase functioned as more than a simple marketplace; it operated as a criminal university where experienced threat actors mentored aspiring hackers.
The platform’s structure included specialized sections for different attack vectors: credential stuffing tutorials, social engineering playbooks, and Ransomware-as-a-Service partnerships. Particularly concerning is how LeakBase members systematically targeted critical infrastructure: forum discussions revealed planned attacks against power grids, water treatment facilities, and emergency services. This is critical intelligence for security teams monitoring for insider threats and supply chain compromises.
Financial Impact Assessment
Conservative estimates suggest LeakBase facilitated over $2.8 billion in cybercrime proceeds since 2022. The forum’s escrow system processed transactions involving stolen payment card data, compromised cloud credentials, and corporate network access.
Forum administrators collected commission fees ranging from 3% to 8% per transaction, generating substantial revenue streams that funded advanced operational security measures.
The seized financial records reveal how cybercriminals laundered proceeds through cryptocurrency mixers, offshore banking networks, and legitimate business fronts across Eastern Europe and Southeast Asia.
How Organizations Should Respond
Organizations must recognize that LeakBase’s member database represents a comprehensive threat actor directory. Security teams should immediately cross-reference the seized data against their access logs, investigating any suspicious activities from the identified IP ranges and user agents.
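One way to run that cross-reference, as an added example that is not part of the original article: a small triage script that matches web access logs against indicator IP ranges and user-agent substrings. The indicator values, the user-agent strings and the log lines are constructed placeholders (RFC 5737 documentation addresses), and the Apache/nginx "combined" log format is an assumption.

```python
import ipaddress
import re
from datetime import datetime

# Constructed indicators: documentation ranges and made-up user-agent substrings.
INDICATOR_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.64/26")]
INDICATOR_UA_SUBSTRINGS = ("examplestuffer/", "hypothetical-checker")

# Constructed access-log sample in "combined" format, including one malformed line.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2026:08:14:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [02/Mar/2026:08:14:05 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [02/Mar/2026:08:14:06 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.77 - - [02/Mar/2026:09:30:44 +0000] "POST /api/auth HTTP/1.1" 200 64 "-" "ExampleStuffer/2.1"
203.0.113.200 - - [02/Mar/2026:10:02:13 +0000] "GET / HTTP/1.1" 200 900 "-" "curl/8.5.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

def match_reasons(ip_text, user_agent):
    """Return the indicators a (client address, user agent) pair matches."""
    try:
        ip = ipaddress.ip_address(ip_text)
        reasons = [f"ip_in:{net}" for net in INDICATOR_NETS if ip in net]
    except ValueError:
        reasons = []  # hostname or garbage in the client field: UA check only
    ua = user_agent.lower()
    return reasons + [f"ua:{s}" for s in INDICATOR_UA_SUBSTRINGS if s in ua]

def triage(log_text):
    """Aggregate matching requests per client; count lines that fail to parse."""
    hits, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # surfaced to the analyst, not silently dropped
            continue
        reasons = match_reasons(m["ip"], m["ua"])
        if reasons:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            h = hits.setdefault(m["ip"], {"count": 0, "first": ts, "last": ts, "reasons": set()})
            h["count"] += 1
            h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
            h["reasons"].update(reasons)
    return hits, skipped
```

Note that 203.0.113.200 is not flagged: it falls outside the /26 even though it shares the first three octets, which is why CIDR membership is tested rather than string prefixes.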
The forum’s communication archives provide valuable insights into emerging attack patterns, including new phishing templates, malware variants, and social engineering techniques currently being deployed against enterprise targets.
For organizations concerned about exposure on cybercrime forums like LeakBase, continuous visibility into Dark Web activity is critical. Solutions such as SOCRadar’s Dark Web Monitoring help security teams track underground marketplaces, forums, and leak sites where threat actors share stolen credentials, corporate data, or access to compromised networks. By identifying these exposures early, organizations can investigate potential risks and respond before they escalate into active attacks.

SOCRadar’s Dark Web Monitoring
Russia Seizes New LeakBase Domain Following Earlier Takedown
Russian authorities have seized a newly launched domain linked to the LeakBase forum. The site had recently moved to a .bz domain after its previous address (leakbase[.]la) was taken down during an earlier operation.
According to a notice posted on the seized page, the action was carried out as part of an operation by the Bureau of Special Technical Measures (BSTM; БСТМ, Бюро специальных технических мероприятий), a cybercrime unit of Russia’s Ministry of Internal Affairs.
LeakBase Admin Arrest Confirmed
Russian authorities have confirmed the arrest of a Taganrog resident suspected of running LeakBase. Officials stated the platform operated for about four years and had over 147,000 users trading stolen personal data for fraud.
A criminal case has been opened, and the suspect is in custody following the recent takedown of the forum.

LeakBase admin arrest, Source: Ministry of Internal Affairs of Russia
Conclusion
The LeakBase takedown signals a shift in law enforcement priorities toward disrupting cybercrime infrastructure rather than pursuing individual actors. This approach yields greater intelligence value and creates operational uncertainty within criminal networks. However, security analysts anticipate that remaining LeakBase members will migrate to alternative platforms, potentially adopting enhanced operational security measures.
The criminal ecosystem demonstrates remarkable resilience. When major forums disappear, new marketplaces emerge within weeks, often with improved anonymity features and stricter membership requirements. So threat intelligence teams must maintain continuous monitoring capabilities to track these migrations and identify emerging criminal platforms before they reach operational maturity.
