FBI Seizes LeakBase
142,000 Members, 215,000 Messages, Hundreds of Millions of Stolen Credentials Gone
The Department of Justice announced the seizure of LeakBase, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools, with over 142,000 members and more than 215,000 messages between members.
On March 3 and 4, law enforcement agents in 14 countries took synchronized actions against LeakBase and its users in a coordinated effort hosted by Europol in The Hague, shutting down the forum, seizing its data and two domains, posting seizure banners, and executing search warrants and arrests in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.
Available on the open web in English, the forum had an enormous and continuously updated archive of hacked databases including many from high-profile attacks, containing hundreds of millions of account credentials, credit and debit card numbers, banking account and routing information, usernames and passwords for account takeovers, and other sensitive business and personally identifiable information.
Europol said LeakBase specialized in stealer logs, archives of credentials harvested through infostealer malware that could be weaponized for account takeover, fraud, and cyber intrusions.
One notable forum rule: prohibition of the sale or publication of any data related to Russia. Protecting Mother Russia while selling everyone else’s data.
Europol described LeakBase as a “central hub in the cybercrime ecosystem” that has been active since 2021, containing more than 32,000 posts. Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users.
FBI Cyber Division Assistant Director Brett Leatherman said the investigation had been ongoing for multiple years, led by the FBI Salt Lake City field office. The forum ran on a subscription model with some users paying a few hundred dollars for “premium” access.
LeakBase Admin: “We run a professional cybercrime marketplace. No Russian data allowed, we have standards!”
FBI: “Great standards. Here’s a seizure notice.”
LeakBase Members: surprised Pikachu face
If your data was on LeakBase:
The FBI seized users’ accounts, posts, credit details, private messages, and IP logs for evidentiary purposes
Assume your credentials from any data breach since 2021 were traded on this platform
Enable MFA on all accounts, rotate passwords, monitor for unauthorized access
Anyone with information regarding LeakBase should contact the FBI at FBI-SU-Leakbase@fbi.gov
For security teams:
Cross-reference your breach notifications against LeakBase’s known database archives
Implement credential stuffing defenses and monitor for account takeover attempts
LeakBase contained stolen data from U.S. corporations and individuals linked to many high-profile attacks
Assume any user credentials compromised since 2021 may have been sold on this platform
For law enforcement and researchers:
Leakbase “continued to be an active location where users were increasingly sharing information that permits access to U.S.-based networks, potentially critical infrastructure”
The seized database contains evidence of cybercrime operations spanning years
Follow-up arrests and prosecutions expected as investigators analyze seized data
This follows the disruption of RaidForums in 2022, BreachForums in 2023, and the conviction and sentencing of BreachForums’ founder in 2025. Law enforcement is systematically dismantling the cybercrime forum ecosystem.
FBI Assistant Director Brett Leatherman: “Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals”.
Law enforcement isn’t just seizing domains anymore. They’re seizing the entire databases, all user data, IP logs, and private messages. Since 2020, the DOJ’s Computer Crime and Intellectual Property Section has secured the conviction of over 180 cybercriminals and court orders for the return of over $350 million in victim funds.
- Alex
P.S. — The seizure notice on leakbase[.]la reads: “All forum content, including users’ accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes.” Sleep tight, cybercriminals.