Operation Leak: LeakBase Hacking Forum Seized and Its Users Exposed

CyberSecureFox 🦊

An international law enforcement operation codenamed Operation Leak has dismantled the cybercrime forum LeakBase, a prominent marketplace for stolen data and hacking services active since 2021. With more than 142,000 registered accounts, LeakBase had become a major hub for buying, selling, and trading compromised data — until authorities not only seized its infrastructure but also obtained its full user database.

International Operation Leak: Seizure of LeakBase Infrastructure and Data

On 3–4 March, the FBI, supported by agencies from 14 countries, executed a coordinated takedown of the LeakBase platform. As part of the operation, investigators seized two primary forum domains and acquired a complete database dump containing user accounts, public and private communications, and extensive technical logs such as IP addresses.

According to publicly available information, the seized dataset includes approximately 215,000 private messages and around 32,000 public posts. The main domain, leakbase[.]la, now displays a standard FBI seizure banner stating that all information has been preserved and will be used as evidence in ongoing and future investigations. The forum’s nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov, a configuration commonly used in U.S.-led cybercrime domain seizures.

Global Raids and Interviews: Focus on the Most Active LeakBase Users

The operation went far beyond simply taking the forum offline. Law enforcement agencies conducted searches, detentions, and formal interviews (“knock-and-talk” style actions) in multiple jurisdictions, including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.

In total, authorities carried out around 100 investigative actions worldwide, with specific measures targeting 37 of the most active LeakBase users. These individuals are believed to have played key roles in running the forum, supplying stolen data, or brokering high-value criminal services.

The full LeakBase database significantly shifts the balance in favor of investigators. User accounts, private messages, payment histories, reputation scores, and IP logs allow analysts to map social and financial relationships, identify organizers, data brokers, and repeat buyers, and correlate activity across multiple platforms. This approach mirrors previous operations against RaidForums (2022), Breached/BreachForums (2022–2023), and the Genesis Market (2023), where seized databases served as the foundation for hundreds of follow-on cases.

How the LeakBase Hacking Forum Operated and Why It Was Dangerous

LeakBase emerged as a project associated with the hacking group ARES and grew rapidly after the shutdown of the well-known Breached forum. Registration was free, and once inside, users could access a broad range of cybercriminal services: databases of stolen credentials and personal data, a marketplace for data leaks and exploits, an escrow service to mediate payments between criminals, and dedicated sections on programming, hacking, social engineering, cryptography, and OPSEC (operational security).

Europol has highlighted that LeakBase implemented a credit-based system and user rating model. These features were designed to build trust between pseudonymous accounts, reduce the risk of scams within the community, and incentivize reliable suppliers of stolen data and malware. Such reputation mechanisms closely mimic legitimate e‑commerce platforms and are now considered standard on mature cybercrime markets.

LeakBase also enforced an internal policy banning the sale or publication of data related to Russia. Similar restrictions are common on some underground forums and are often interpreted by investigators as an indicator of the operators’ likely geographic origin or jurisdiction. By excluding local victims, forum operators aim to avoid attracting attention from domestic law enforcement.

Impact on Dark Web Cybercrime and Key Lessons for Cybersecurity

De-anonymization Risks for LeakBase Participants

For LeakBase members, the seizure of the database creates a substantial risk of de-anonymization. Even when using VPNs, proxies, and disposable accounts, many threat actors make OPSEC mistakes: logging in from home or work devices, reusing usernames and passwords, or revealing personal details in conversations. When this data is combined with records from internet service providers, hosting companies, and payment processors, it greatly simplifies attribution and prosecution.

Disruption of Trust and Operations on Cybercrime Markets

The takedown of LeakBase reinforces a clear trend: law enforcement agencies are increasingly focused on destroying criminal communities and trust networks, not just infrastructure. Every major forum seizure and database leak undermines confidence in anonymity, complicates the search for reliable partners, and reduces the volume of transactions on the underground data-leak market. After the closures of RaidForums and Breached, for example, many actors temporarily disappeared or became far more cautious, which correlated with a measurable decline in open advertising of stolen data on some dark web platforms.

What Organizations and Users Should Do Now

For organizations and individual users, Operation Leak is a reminder that once data is compromised, it can circulate for years across multiple forums and marketplaces. Effective mitigation requires basic but consistently applied controls: strong and unique passwords, password managers, multi-factor authentication, network and access segmentation, and regular staff training against phishing and social engineering.

Companies should also invest in threat intelligence and leak monitoring, including visibility into dark web forums through specialized providers. Integrating this intelligence into incident response processes helps detect account abuse earlier, accelerate containment, and support evidence-based communication with regulators and affected customers.

Operation Leak shows that coordinated international action is making large cybercrime forums increasingly risky places for offenders. Organizations can use this moment to reassess their security posture, update incident response runbooks, tighten access policies, and establish systematic monitoring for data compromise. The better defenders understand how platforms like LeakBase operate, the more effectively they can keep their data — and their users — out of the next seized database.
