Brian Sims
Editor

Major data leak forum dismantled in wake of Europol co-ordinated action

LEAKBASE – ONE of the major online forums for stolen data – has been dismantled following an international operation co-ordinated by Europol. LeakBase had established itself as a central hub in the cyber crime ecosystem, specialising in the trade of leaked databases and so-called ‘stealer logs’ (ie archives of stolen credentials harvested through infostealer malware).

Accessible on the open web and operating in English, the platform combined elements of a forum and discussion board, enabling cyber criminals to buy, sell and exchange compromised data. Between 3 and 4 March, co-ordinated actions across multiple jurisdictions severely disrupted the forum’s operations and targeted its most active users.

Active since 2021, LeakBase maintained a vast and continuously updated archive of breached databases, ranging from historical leaks to newly compromised data. The forum featured large volumes of credential pairs (including e-mail and password combinations) and other access credentials used to facilitate account takeover, fraud and further cyber intrusions.

Europol notes that a credit-based economy and reputation-driven user system helped build trust among offenders and sustain a thriving underground forum. One of the forum’s notable internal rules prohibited the sale or publication of any data related to Russia.

By December last year, LeakBase played host to more than 142,000 registered users, approximately 32,000 posts and over 215,000 private messages, underlining its sheer scale and global reach.

Global operational phase 

On 3 March, law enforcement authorities carried out co-ordinated enforcement actions across multiple jurisdictions, including arrests, house searches and ‘knock-and-talk’ interventions. Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platform.

The following day, authorities moved to the technical disruption phase, seizing the forum’s domain and replacing it with a law enforcement splash page. The operation now enters a prevention phase aimed at deterring further criminal activity and raising awareness of the consequences of engaging in cyber crime.

Europol’s analysts mapped the forum’s infrastructure and user activity, cross-matching data with ongoing investigations across Europe and beyond. Sensitive information was exchanged securely via Europol, enabling investigators to connect suspects, victims and digital evidence across borders.

An operational ‘data sprint’ at Europol’s headquarters in The Hague brought together specialists to rapidly analyse seized data and identify high-value targets. A dedicated data scientist supported the case, extracting and structuring millions of data points to generate actionable leads.

The partners have been working closely together within the framework of the Joint Cybercrime Action Task Force hosted at Europol to prepare for the final phase of the investigation. On the action day, Europol established and co-ordinated a Joint Command Post, thereby allowing participating countries to share live updates and intelligence in real time as enforcement measures unfolded worldwide.

Not beyond reach 

Edvardas Šileris, head of Europol’s European Cyber Crime Centre, commented: “This operation shows that no corner of the Internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled. Those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cyber criminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.” 

As part of the investigation, authorities seized the forum’s database. This enabled the deanonymisation of multiple users who believed they were operating anonymously. Law enforcement officers have engaged directly with several suspects through the same online channels used to facilitate criminal activity.

By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no-one is truly invisible online. Law enforcement authorities are proactively continuing to trace digital trails to unmask additional offenders and establish their real-world identities.

This operation also serves as a warning to the public. When a company or an individual suffers a data breach, stolen information doesn’t simply disappear. It often resurfaces on criminal platforms such as LeakBase where it’s reused for scams, identity theft, account takeovers or targeted phishing.

Strong passwords

Protecting personal data remains essential. Using strong and unique passwords and enabling multi-factor authentication can significantly reduce the risks if information should be exposed at any point.

Authorities from the following countries took part in the investigation: Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the United States.

Company Info

Western Business Media Limited

Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM
