The 8base ransomware gang’s data leak site was seized as part of an international law enforcement operation.A law enforcement seizure notice appeared on the 8base page Monday morning, as noted by a security research known as cR0w. The notice states: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”The German Federal Office for Information Security (BSI) confirmed, in a reply to security researcher Kevin Beaumont, that the site was seized by Bavarian state police on behalf of the Office of the Public Prosecutor in Bamberg, Germany. A UK National Crime Agency (NCA) spokesperson also confirmed the takedown’s legitimacy to TechCrunch.The seized 8base site now displays the logos of 15 different agencies including law enforcement from Germany, the United States, the Czech Republic, Japan, France, Switzerland, Belgium, Thailand, the United Kingdom, Spain and Romania, as well as the European Union Agency for Law Enforcement Cooperation (Europol).SC Media reached out to the Federal Bureau of Investigation (FBI) for information about its role in the operation, and did not receive a response.Coinciding with the appearance of the 8base seizure notice were the arrests of four Europeans in Thailand who are suspected of involvement in attacks leveraging Phobos ransomware, as reported by Thai newspaper Khaosod.The suspects, two men and two women whose names and nationalities were not reported, were arrested at the request of Swiss and US authorities and are accused of using Phobos ransomware in attacks on 17 Swiss companies between 2023 and 2024, impacting more than 1,000 victims and costing companies approximately $16 million.While the exact link between the arrests and the website seizure is unknown, the 8base group has been known to use a variant of Phobos ransomware since at least 2023. An analysis of 8base ransomware by Cisco Talos in November 2023 found that the 8base ransomware shared nearly 90% of its code with a Phobos sample from 2019.Additionally, researchers noted a significant decrease in activity by the 8base ransomware group in late 2024 following the arrest of Phobos administrator Evgenii Ptitsyn, further suggesting a close connection between the two groups.8base was considered one of the most prolific out of the new ransomware groups that emerged in 2023, rivaled only by the Conti-linked Akira group. The group has claimed attacks against the United Nations Development Programme, the Atlantic States Marine Fisheries Commission, Nidec Corporation and the Port of Rijeka in Croatia, among others.
