On the morning of March 3, 2026, law enforcement agents in more than a dozen countries moved simultaneously. Front doors were knocked. Search warrants were executed. Arrests were made. By the following day, anyone navigating to leakbase[.]la was met not with a forum, but with an FBI seizure banner bearing a blunt message: all user accounts, posts, credit details, private messages, and IP logs had been secured and preserved for evidentiary purposes.
Operation Leak — the international effort that brought down LeakBase, one of the largest cybercrime forums ever to operate on the open web — was four years in the making and over in 48 hours.
What LeakBase Was
LeakBase was not a dark web obscurity. It operated entirely in the open, on the clearnet (the ordinary, publicly accessible internet reachable by any browser, as opposed to the dark web, which requires specialized software such as Tor), in English, accessible to anyone with a browser. That deliberate accessibility was central to its strategy, and it distinguished the forum from predecessors that required Tor or technical skill to reach. Threat intelligence firm Flare characterized LeakBase as one of the most sophisticated clearnet criminal platforms observed, noting both the scale of sensitive data available and the maturity of its marketplace structure — a striking assessment for a site reachable with an ordinary browser search, and one that conveyed the platform's organizational depth. The forum was not simply a place to dump stolen data; it was a structured criminal economy, complete with reputation tiers, an escrow system, exploit sales, and dedicated sections on social engineering, cryptography, penetration testing, and operational security.
Registration was free, though the forum operated a tiered model. Premium access was available for a one-time fee of several hundred dollars, and a credit-and-reputation system structured exchanges between members: contributors who brought in high-value datasets or completed successful transactions earned status, which in turn attracted more business. The economy was self-reinforcing.
That specialization in freshly harvested credentials (the stealer logs discussed later in this piece) meant LeakBase was not merely a place to buy old data. It was where freshly stolen credentials moved from infection to monetization.
Beyond the marketplace, LeakBase hosted discussion sections covering programming, hacking tips, social engineering tutorials, penetration testing, cryptography, anonymity techniques, and operational security guides. It operated an escrow payment system to build trust between buyers and sellers. It was, in short, a full-service criminal infrastructure platform.
The Origins: ARES, Breached, and a Calculated Expansion
The ARES cybercrime cartel first emerged on Telegram in late 2021, quickly establishing connections with the RansomHouse ransomware operation, the KelvinSecurity data leak platform, and the network access group Adrastea. Cybersecurity firm CYFIRMA described ARES as exhibiting characteristics consistent with cartel-like behavior, actively seeking affiliations with established criminal groups. The LeakBase forum, launched in early 2023 as a deliberate ARES project, was timed almost perfectly: the original BreachForums shut down in March 2023 following the arrest of its administrator, Conor Brian Fitzpatrick (known online as "pompompurin"), and the vacuum it left was enormous.
According to CYFIRMA's contemporaneous analysis, ARES launched its surface web website in January 2023, with the forum completing its build on March 31, 2023. Some sources cite an April 9, 2023 launch date for the forum; the precise opening date varies slightly by reporting source, but the timing relative to BreachForums' collapse was unmistakable. ARES was not reacting to the void — it was already building when the void opened.
ARES had also operated its own standalone data-leak site, ARES Leaks, offering breached data from approximately 65 countries, before pivoting to the forum model with LeakBase. The strategy worked. Displaced BreachForums users flooded in. LeakBase grew fast.
That pattern — a major forum falls, refugees consolidate on the next available platform — had already played out before. RaidForums was seized in April 2022. BreachForums (the original, run by pompompurin) was shut down in March 2023. A rebuilt version re-emerged under ShinyHunters, was seized by the FBI again in May 2024, and briefly returned before being taken down once more in August 2025. Each collapse sent thousands of users looking for a new home. LeakBase, already positioned and promoted by the organized ARES infrastructure, became the logical destination. By the end of 2025, it had more than 142,000 registered members, over 32,000 forum posts, and 215,000 private messages.
One rule stood out from LeakBase's internal policies, noted by multiple security researchers: the forum explicitly prohibited the sale or publication of any data related to Russia. That prohibition — a consistent feature of cybercrime operations with Russian connections — led researchers to suspect the administrators were based in or operating under some tolerance from Russian authorities. Russian-language exclusions function as a kind of operational firewall, signaling to domestic authorities that criminal activity is directed outward.
The Administrators: Chucky and a Known Network
Other documented administrators and moderators operated under the handles BloodyMery, OrderCheck, and TSR.
KELA's Cyber Intelligence Center conducted its own attribution research into Chucky's real-world identity. Beginning with WebMoney IDs that Chucky shared in early forum activity — IDs linked to an account registered in Taganrog, Russia, supported by official documents submitted to the platform — and cross-referencing with activity on a forum where Chucky was active in 2013, KELA traced a comment referencing a girl from Taganrog and identified a previously used moniker, "beakdaz." The beakdaz username was tied to a Rambler email address that appeared in multiple data breaches. Activity under the beakdaz alias on RaidForums between 2019 and 2022 included sharing databases that were later posted by Chucky on LeakBase. The Telegram account @beakdaz was also linked to the same Telegram ID used by the LeakBase administrator, further closing the gap between personas. Chucky's Skype account, @shum_dozhdya, was identified through the same cross-referencing. TriTrace Investigations co-founder Ilya Shumanov subsequently named Artem Kuchumov, 33, from Taganrog, as the individual behind both handles, supported by evidence from leaked Russian databases connecting the same email address to multiple phone numbers and social media accounts, including a VK profile. Whether this attribution package has been formally shared with law enforcement has not been publicly confirmed, but the research illustrates the long investigative timelines that precede coordinated operations of this kind — and the degree to which open-source intelligence can independently arrive at conclusions that parallel active investigations.
FBI Assistant Director Brett Leatherman, speaking to The Record from Recorded Future News, described LeakBase as a longstanding priority, noting that the forum had increasingly become a venue for sharing credentials enabling access to U.S. networks and potentially critical infrastructure. He called the outcome significant, and noted that none of the arrests occurred inside the United States.
Operation Leak: A Two-Phase Takedown
The operation was structured in two deliberate phases, coordinated by Europol from its headquarters at The Hague, under the framework of the Joint Cybercrime Action Taskforce (J-CAT), a standing multi-agency body hosted at Europol's European Cybercrime Centre (EC3) that comprises cyber investigators from EU member states, the US, Canada, Australia, and other partner nations and coordinates simultaneous cross-border cyber investigations. A critical point of precision: DOJ and Europol confirm 13 arrests and 33 interviews. The "37" figure refers to the 37 most active users specifically targeted by enforcement actions — a cohort that included those arrested but also those subjected to "knock-and-talk" doorstep interviews and other deterrent measures. Some reporting conflated these figures.
- ~100 simultaneous enforcement actions across partner nations
- 13 arrests executed
- 32 house searches conducted
- 33 suspects interviewed
- 37 most active users specifically targeted
- "Knock-and-talk" interventions deployed as deterrent signal
- Two LeakBase domains seized
- Nameservers redirected to ns1.fbi.seized.gov
- Full forum database captured into evidence
- Private messages, IP logs, credit details preserved
- FBI seizure splash pages deployed
- Newest .ws domain (registered Feb 7) also seized
- Prevention messages sent directly to members via the forum's own channels
- Active tracing of digital evidence to identify additional offenders
- Europol continuing to deanonymize users from seized database
- Suspects contacted through the same platforms used to conduct criminal activity
- FBI tip line opened: [email protected]
The domain nameservers were redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov — the FBI's standard seizure infrastructure. The most recently registered domain, a .ws address registered February 7, 2026 — fewer than four weeks before the seizure — indicated the forum was still actively expanding its infrastructure at the moment investigators struck.
Malaysia's participation was not symbolic. The Malaysian Anti-Corruption Commission's Special Operations Division executed a search warrant at a web hosting company in Kuala Lumpur, where cyber forensic examination confirmed LeakBase was operating through servers physically located at the facility. That seizure shut down the forum's domain directly at the infrastructure level and yielded digital evidence now in international law enforcement hands. The Netherlands was similarly involved at the hosting layer. Investigators hit the forum's physical backbone, not just its DNS entries.
The Statements
Law enforcement officials issued pointed public statements framing the operation as both a tactical and a symbolic victory.
FBI Cyber Division Assistant Director Brett Leatherman framed the operation as a direct message to the criminal community, stating: "The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users' accounts, posts, credit details, private messages, and IP logs for evidentiary purposes. Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals." Speaking separately to The Record from Recorded Future News, Leatherman described LeakBase as a forum that had become a place where users were increasingly sharing information to access U.S. networks and potentially critical infrastructure — the dimension that kept LeakBase at the top of the FBI's priority list for years before the operation concluded. He also characterized the victims as victims of opportunity, noting the hackers were often able to break in and gain access to authentic credentials affecting small and medium-sized businesses as well as large corporations.
FBI Special Agent in Charge Robert Bohls of the Salt Lake City Field Office stated: "Hiding behind a screen does not shield cybercriminals from accountability. This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people."
Assistant Attorney General A. Tysen Duva of the DOJ Criminal Division stated: "The takedown of this cyber forum disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials."
Edvardas Sileris, Head of Europol's European Cybercrime Centre, issued the most pointed statement: "This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people's stolen information, law enforcement will find you and bring you to justice."
The Underground Reaction
Threat intelligence firm KELA monitored responses to the seizure across underground platforms including XSS, Exploit, BreachForums, and Telegram channels. What they documented was a three-part mixture: mockery, paranoia, and opportunism.
Some actors on BreachForumsReborn dismissed the FBI's characterization of LeakBase as "one of the world's largest hacker forums," calling it a "dead forum" and a "skid forum" — slang implying its membership was largely unsophisticated. Some speculated that the administrators had poor operational security (commonly abbreviated "OpSec": the practices used to conceal identity, infrastructure, and activities from adversaries, including law enforcement; poor OpSec is the leading investigative opening in cybercrime cases), with comments suggesting they "probably left their Kali boxes exposed on their home IPs." This public posturing is a well-documented response in cybercrime communities following law enforcement actions — bravado that serves partly as social performance and partly as an attempt to process the threat.
Behind the bravado, however, KELA noted genuine anxiety. Actors expressed concern about who exactly the "37 most active users" were. The knowledge that private messages and IP logs were now in law enforcement hands — that years of supposedly anonymous communications had been read and preserved — landed harder than the seizure itself. Sympathy for the arrested administrators surfaced alongside opportunism. While some users posted well-wishes, others immediately sought to acquire the LeakBase source code, presumably to rebuild or clone the forum elsewhere.
What Comes Next: The Displacement Problem
The central challenge with forum takedowns is not the takedown itself. It is what follows. LeakBase was the third major data-leak forum to be dismantled in four years, and each collapse has historically created a temporary vacuum that a successor platform moves to fill. LeakBase itself was that successor.
KELA assessed that displaced users will migrate in several directions.
Decentralized, invite-only Telegram channels represent the immediate destination — harder to seize, harder to monitor, and faster to spin up than a conventional forum. New English-language forum launches should be expected within weeks, though the underground community will greet them with suspicion, fearing they could be law enforcement honeypots. Established high-barrier-to-entry forums such as XSS and Exploit may see an influx of displaced mid-tier actors attempting to gain entry.
For individuals: The usual guidance — monitor your credit, change reused passwords, enable multi-factor authentication — applies and should not be dismissed. But LeakBase was a stealer log marketplace. That means the threat is not simply that your old password from a 2021 breach is circulating. It means fresh session cookies, autofill data, saved form fields, and browser-stored credentials may be in active circulation. Standard password resets do not invalidate stolen session tokens. If you have reason to believe an endpoint was infected by infostealer malware, the correct response is to revoke all active sessions across every service (not just reset passwords), check for unauthorized OAuth token grants in your Google, Microsoft, and Apple accounts, and treat the device as untrusted until wiped and rebuilt. Use a hardware security key for accounts that support it — stolen passwords cannot bypass FIDO2 authentication. Freeze your credit at all three major bureaus, not just one.
For organizations: The standard response to credential exposure — forced password resets for affected accounts — is insufficient when stealer logs are involved. Stealer logs capture more than passwords; they capture authentication cookies, active session tokens, and any credential stored in the browser at the time of infection. A forced password reset does not invalidate a stolen session cookie that has not yet expired. Organizations should implement continuous session monitoring and anomalous login detection, enforce context-aware authentication that flags logins from new devices or geolocations even after valid credentials are supplied, and prioritize transitioning high-privilege accounts to phishing-resistant MFA (FIDO2/passkeys) rather than TOTP or SMS. Threat intelligence teams should be actively checking whether organizational domains appear in stealer log marketplaces, not waiting for breach notification services. Enroll in CISA's Known Exploited Vulnerabilities catalog alerts and cross-reference with your external attack surface. If your organization operates third-party vendor relationships, expand the credential exposure review to those partners — supply chain access is frequently the vector, not direct compromise.
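As an added example (not code from the article or any of the sources it cites), the session-centric detection the paragraph calls for, run over a constructed audit log: it flags a session cookie replayed from a different device and country, a session that kept working after the user's password reset, and a valid-credential login from a context the user has never used. The JSON field names (user, event, session, ip, country, ua) and the sample records are assumptions standing in for a generic identity-provider audit log.

```python
"""Stealer-log style session hijack detection over a constructed IdP audit log.

The detection keys on the session id and its context, not on the password,
because a stolen session cookie stays valid after a password reset.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON record per line, in chronological order.
# Contexts and timestamps are invented for the example.
SAMPLE_LOG = """
{"ts":"2026-03-02T08:00:00Z","user":"alice","event":"login_ok","session":"s1","ip":"203.0.113.10","country":"NL","ua":"Firefox/125"}
{"ts":"2026-03-02T08:05:00Z","user":"alice","event":"request","session":"s1","ip":"203.0.113.10","country":"NL","ua":"Firefox/125"}
{"ts":"2026-03-03T01:10:00Z","user":"alice","event":"request","session":"s1","ip":"198.51.100.7","country":"BR","ua":"Chrome/122"}
{"ts":"2026-03-03T09:00:00Z","user":"alice","event":"password_reset","session":"s2","ip":"203.0.113.10","country":"NL","ua":"Firefox/125"}
{"ts":"2026-03-03T09:30:00Z","user":"alice","event":"request","session":"s1","ip":"198.51.100.7","country":"BR","ua":"Chrome/122"}
{"ts":"2026-03-03T10:00:00Z","user":"bob","event":"login_ok","session":"s3","ip":"192.0.2.44","country":"DE","ua":"Edge/120"}
{"ts":"2026-03-03T10:02:00Z","user":"bob","event":"login_ok","session":"s4","ip":"198.51.100.9","country":"BR","ua":"Chrome/122"}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records (assumed format)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return findings as (kind, user, session, detail) tuples.

    new_context_login      valid credentials, but a (country, user agent) pair
                           this user has never logged in from before
    session_context_drift  an existing session id reappears from a different
                           country/user agent than at issuance: the signature
                           of a replayed stolen cookie
    session_survived_reset a session issued before the user's password reset
                           is still being used after it
    ISO-8601 UTC timestamps in one format compare correctly as strings.
    """
    findings, flagged = [], set()
    sessions = {}                # session id -> context and timestamp at first sight
    baseline = defaultdict(set)  # user -> {(country, ua)} seen at successful logins
    reset_ts = {}                # user -> timestamp of the last password reset
    for e in events:
        user, sid, ctx = e["user"], e["session"], (e["country"], e["ua"])
        if e["event"] == "login_ok":
            # A user with no baseline yet is allowed to establish one.
            if baseline[user] and ctx not in baseline[user]:
                findings.append(("new_context_login", user, sid, "%s/%s" % ctx))
            baseline[user].add(ctx)
            sessions[sid] = {"ctx": ctx, "ts": e["ts"]}
            continue
        if e["event"] == "password_reset":
            reset_ts[user] = e["ts"]
        first = sessions.setdefault(sid, {"ctx": ctx, "ts": e["ts"]})
        if first["ctx"] != ctx and ("drift", sid) not in flagged:
            flagged.add(("drift", sid))
            findings.append(("session_context_drift", user, sid,
                             "%s/%s -> %s/%s" % (first["ctx"] + ctx)))
        if (user in reset_ts and first["ts"] < reset_ts[user] < e["ts"]
                and ("reset", sid) not in flagged):
            flagged.add(("reset", sid))
            findings.append(("session_survived_reset", user, sid, reset_ts[user]))
    return findings


def sessions_to_revoke(findings):
    """Session ids a responder must invalidate server-side; a password reset
    alone leaves them usable."""
    return sorted({sid for kind, _, sid, _ in findings
                   if kind in ("session_context_drift", "session_survived_reset")})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print("%-22s user=%-6s session=%s  %s" % f)
    print("revoke:", sessions_to_revoke(found))
```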
For security researchers: The FBI has opened a tip line at [email protected] for information related to Operation Leak. If your monitoring has identified LeakBase infrastructure, administrator accounts, or associated criminal actors, this is an appropriate channel. Treat any reconstituted domain — including the currently active leakbase[.]bz — as potentially compromised infrastructure or an active law enforcement honeypot. Do not authenticate using credentials you use anywhere else. Log and preserve indicators of compromise rather than interacting directly with successor infrastructure. Report suspicious successor activity through established channels rather than attempting independent attribution.
The Broader Law Enforcement Shift
Operation Leak occurred alongside another major coordinated action: the simultaneous dismantlement of Tycoon 2FA, a phishing-as-a-service platform active since August 2023 that had grown into the dominant MFA-bypass-for-hire operation globally. By mid-2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts blocked by Microsoft, with more than 30 million phishing emails intercepted in a single month at peak. According to Europol, the platform facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions. Its takedown on March 4, 2026 was coordinated by Europol's Cyber Intelligence Extension Programme. Microsoft, which led the technical disruption under a court order from the U.S. District Court for the Southern District of New York, seized 330 domains powering the platform's control panels and fraudulent login pages. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom conducted parallel infrastructure seizures. Industry partners including Cloudflare, Proofpoint, Intel 471, SpyCloud, Coinbase, Resecurity, eSentire, Health-ISAC, and the Shadowserver Foundation contributed telemetry and infrastructure takedown support. The platform's primary developer has been identified as Saad Fridi, alleged to be based in Pakistan.
The two operations together reflect what Europol and the Justice Department describe as a strategic shift in law enforcement posture: from arresting individuals to dismantling the service infrastructure that enables cybercrime at scale. Forums, phishing kits, malware marketplaces, and escrow systems are the connective tissue of the criminal ecosystem. Targeting them degrades the ecosystem's efficiency regardless of whether individual actors are arrested.
Not everyone finds that framing persuasive. Security researchers have pointed to three structural realities that limit the deterrent effect of takedowns like this. First, the operators posing the greatest danger to critical infrastructure — state-backed groups and sophisticated criminal syndicates — generally leave minimal digital traces on open forums and are unlikely to appear in the LeakBase database in any actionable form. Second, even in cases where cybercriminals are successfully identified, many operate from jurisdictions with no extradition agreements with the United States. Third, experienced forum administrators maintain backup infrastructure and contingency plans by default. The "hydra problem" — cut one head, another grows — is not a metaphor; it is the observed operational pattern over four years of consecutive takedowns.
Security analysts broadly framed the practical upshot for security leaders: the LeakBase seizure is a positive development, but not a decisive one, and should not be expected to translate into a measurable reduction in cyber risk on its own. The operation is significant as a demonstration of law enforcement capability and international coordination. It is not the end of the credential-trading ecosystem. Whether that approach can outpace the adaptive capacity of cybercriminal communities — their ability to fragment, migrate, rebuild, and re-emerge — remains the defining question of modern cybercrime law enforcement. What Operation Leak demonstrated, at minimum, is that operating openly on the clearnet while believing in personal anonymity carries a substantial and now well-documented risk.
The forum's seizure banner put it plainly: all of it has been preserved.
It Came Back
Within days of the seizure, LeakBase resurfaced on a new domain — leakbase[.]bz. The reappearance follows a pattern that has played out in nearly every major forum takedown: someone, whether a surviving administrator, a moderator, or an opportunist with access to the source code, spins up a replacement before the original banner has had time to index in Google. Whether the .bz domain represents the same operator network, a splinter faction, or an entirely separate actor claiming the brand has not been confirmed at time of publication.
New successor domains after law enforcement seizures are frequently honeypots — either actual law enforcement traps or criminal actors looking to harvest the login credentials of returning users. The cybercrime underground is aware of this dynamic; chatter following the LeakBase seizure included explicit warnings about honeypot risk. If you're a security researcher monitoring the reconstituted forum, treat everything on it as potentially compromised infrastructure, and do not authenticate with any credentials you use elsewhere.
The reconstitution of LeakBase on a new domain so quickly illustrates the central tension that defines this law enforcement era: the tools for taking a forum down have improved dramatically, but so has the institutional knowledge required to rebuild. The criminal ecosystem has been doing this long enough that contingency planning is now standard operating procedure. Phase three of Operation Leak — the ongoing prevention and deanonymization work — may ultimately matter more than the domain seizure itself.
Sources
- U.S. Department of Justice, Office of Public Affairs. "United States Leads Dismantlement of One of the World's Largest Hacker Forums." March 3, 2026. justice.gov
- Europol. "Major Data Leak Forum Dismantled in Global Action Against Cybercrime Forum." March 4, 2026. europol.europa.eu
- The Record from Recorded Future News. "Sprawling FBI, European Operation Takes Down Leakbase Cybercriminal Forum." March 4, 2026. therecord.media
- BleepingComputer. "FBI Seizes LeakBase Cybercrime Forum, Data of 142,000 Members." March 4, 2026. bleepingcomputer.com
- The Hacker News. "FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials." March 5, 2026. thehackernews.com
- KELA Cyber Intelligence Center. "Law Enforcement Seizes Leakbase." March 5, 2026. kelacyber.com (Note: KELA's report header referenced "37 arrests" but the accurate figures per DOJ/Europol are 13 arrests, 33 interviews, with 37 of the most active users targeted.)
- TechRadar. "Major Data Leak Forum LeakBase Seized by FBI, Europol, and Shut Down." March 4, 2026. techradar.com
- TechCrunch. "US and EU Police Shut Down LeakBase, a Site Accused of Sharing Stolen Passwords and Hacking Tools." March 4, 2026. techcrunch.com
- Help Net Security. "LeakBase Cybercrime Forum with 142,000 Users Taken Down in Global Operation." March 5, 2026. helpnetsecurity.com
- SOSRansomware. "Operation Leak: How the FBI and Europol Dismantled LeakBase." March 5, 2026. sosransomware.com
- Infosecurity Magazine. "Europol Operation Seizes LeakBase Data Breach Site." March 2026. infosecurity-magazine.com
- BleepingComputer. "Breached Shutdown Sparks Migration to ARES Data Leak Forums." April 8, 2023. bleepingcomputer.com
- CYFIRMA Research. "Ares Leaks Emerges as New Alternative to BreachForums." April 2023.
- SC Media. "FBI Seizes Major Cybercrime Forum LeakBase in International Operation." March 5, 2026. scworld.com
- CTOL Digital Solutions. "The Vault Is Open: FBI's Operation Leak Dismantles LeakBase — But the Real Story Is What Comes Next." March 2026. ctol.digital
- Malay Mail / MACC. "US DOJ Announces LeakBase Takedown; MACC Confirms Seizure of Malaysia-Hosted Servers." March 6, 2026. malaymail.com
- CSO Online. "LeakBase Marketplace Unplugged by Cops in 14 Countries." March 2026. csoonline.com
- The Hacker News. "LeakBase Forum Resurfaced on New Domain After Seizure." March 2026. thehackernews.com
- SpyCloud. Threat intelligence observations on LeakBase hosting disruption. February 2026.
- Microsoft On the Issues. "Defending the Gates: How a Global Coalition Disrupted Tycoon 2FA." March 4, 2026. blogs.microsoft.com
- Europol. "Global Phishing-as-a-Service Platform Taken Down in Coordinated Public-Private Action." March 4, 2026. europol.europa.eu
- Cloudflare Threat Intelligence. "Tycoon 2FA Takedown." March 2026. cloudflare.com
- TriTrace Investigations. Attribution research linking Chucky to Artem Kuchumov, Taganrog, Russia. March 2026 (via The Hacker News reporting).
- Webz.io. "BreachForums Shutdown: What Happens Now?" April 2023. webz.io (for ARES/LeakBase launch date documentation)