A major online forum for stolen data has been dismantled following an international operation coordinated by Europol.
The forum, known as LeakBase, had established itself as a central hub in the cybercrime ecosystem, specialising in the trade of leaked databases and so-called “stealer logs” – archives of stolen credentials harvested through infostealer malware. Accessible on the open web and operating in English, the platform combined elements of a forum and discussion board, enabling cybercriminals to buy, sell and exchange compromised data.
Between 3 and 4 March, coordinated actions across multiple jurisdictions severely disrupted the forum’s operations and targeted its most active users.
A hub for stolen credentials
Active since 2021, LeakBase maintained a vast and continuously updated archive of breached databases, ranging from historical leaks to newly compromised data. The forum featured large volumes of credential pairs – including email and password combinations – and other access credentials used to facilitate account takeover, fraud and further cyber intrusions.
A credit-based economy and reputation-driven user system helped build trust among offenders and sustain a thriving underground forum. One of the forum’s notable internal rules prohibited the sale or publication of any data related to Russia.
By December 2025, LeakBase counted more than 142 000 registered users, approximately 32 000 posts and over 215 000 private messages, underlining its scale and global reach.
Global operational phase
On 3 March, law enforcement authorities carried out coordinated enforcement actions across multiple jurisdictions, including arrests, house searches and “knock-and-talk” interventions. Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platforms.
On 4 March, authorities moved to the technical disruption phase, seizing the forum’s domain and replacing it with a law enforcement splash page.
The operation now enters a prevention phase aimed at deterring further criminal activity and raising awareness of the consequences of engaging in cybercrime.
Europol’s support
Europol’s analysts mapped the forum’s infrastructure and user activity, cross-matching data with ongoing investigations across Europe and beyond. Sensitive information was exchanged securely via Europol, enabling investigators to connect suspects, victims and digital evidence across borders.
An operational data sprint at Europol’s headquarters in The Hague brought together specialists to rapidly analyse seized data and identify high-value targets. A dedicated data scientist supported the case, extracting and structuring millions of data points to generate actionable leads.
The partners have been working closely together within the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol to prepare for the final phase of the investigation.
On the action day, Europol set up and coordinated a Joint Command Post, allowing participating countries to share live updates and intelligence in real time as enforcement measures unfolded worldwide.
No one is invisible online
As part of the investigation, authorities seized the forum’s database. This enabled the deanonymisation of multiple users who believed they were operating anonymously. Law enforcement officers have engaged directly with several suspects through the same online channels used to facilitate criminal activity.
By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no one is truly invisible online.
Law enforcement authorities proactively are continuing to trace digital trails to unmask additional offenders and establish their real-world identities.
This operation also serves as a warning to the public. When a company or an individual suffers a data breach, stolen information does not simply disappear – it often resurfaces on criminal platforms like this one, where it is reused for scams, identity theft, account takeovers or targeted phishing.
Protecting personal data remains essential. Using strong, unique passwords and enabling multi-factor authentication can significantly reduce the risks if information is exposed.
Authorities from the following countries took part in the investigation:
- Australia
- Belgium
- Canada
- Germany
- Greece
- Kosovo*
- Malaysia
- Netherlands
- Poland
- Portugal
- Romania
- Spain
- United Kingdom
- United States
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
