8Base ransomware group leaders arrested, leak site seized

Thai police have arrested four individuals suspected of being the leaders of the 8Base ransomware group and of stealing approximately $16 million from 1,000+ victims they targeted with the Phobos ransomware.

“Officers from Cyber Crime Investigation Bureau, led by Police Lieutenant General Trairong Phiwphan, conducted ‘Operation PHOBOS AETOR’ in Phuket on February 10, arresting four foreign hackers involved in ransomware attacks. The operation, coordinated with Immigration Police and Region 8 Police, raided four locations across Phuket,” a local publication reported.

The police arrested two men and two women, and seized mobile phones, laptops, and digital wallets.

The suspects were arrested after Interpol warrants were issued at the request of Swiss and United States authorities.

On the same day, the 8Base leak site was seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor in Bamberg, Germany.

The takedown notice on the 8Base leak site

According to Europol, the four individuals arrested are Russian nationals who were leaders of the 8Base ransomware group.

“This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both,” Europol said.

“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks.”

The Phobos – 8Base connection

First detected in December 2018, Phobos ransomware has been frequently used in large-scale attacks against small to medium-sized businesses and organisations around the world.

“Its Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base. The adaptability of this framework has allowed attackers to customise their ransomware campaigns with minimal technical expertise, further fuelling its widespread use,” Europol says.

“Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact. This group has been particularly aggressive in its double extortion tactics, not only encrypting victims’ data but also threatening to publish stolen information unless a ransom was paid.”

The 8Base ransomware group was very active in 2023 and, like Phobos, its activity declined in 2024.

“There are speculations that 8Base’s periods of inactivity might be connected to the Phobos ransomware operations decline, suggesting possible shared affiliates or operators between the two groups. The simultaneous quiet periods could potentially be attributed to law enforcement actions affecting both ransomware gangs’ operations,” Trellix researchers noted a few months ago. (Russian national Evgenii Ptitsyn, a suspected Phobos administrator, was indicted in a US court in November 2024.)

Still, the 8Base group claimed several victims in December 2024, including the Croatian port operating company Luka Rijeka, Canadian company Mint Pharmaceuticals, and Japanese manufacturing company Iseki Agricultural Machinery.
