All your 8Base are belong to us: Ransomware crew busted in global sting

Dark web site seized, four cuffed in Thailand

An international police operation spanning the US, Europe, and Asia has shuttered the 8Base ransomware crew's dark web presence and resulted in the arrest of four European suspects accused of stealing $16 million from more than 1,000 victims worldwide.

The 8Base ransomware group has been active since 2022. Bavarian police seized the gang's dark web portal, as spotted by a security researcher on Monday. Both Europol and the UK's National Crime Agency (NCA) have confirmed to The Register that they have been involved in the police action.

"The NCA has played a supportive role on this," an NCA spokesperson told us. Europol said that it would be releasing more information on Tuesday at 1400 CET, and the FBI and Bavarian authorities have yet to reply to requests for comment.

8Base dark web site shuttered. Source: cR0w

Thai police showed local media the four arrested European suspects after coordinated raids in Phuket. The arrests netted over 40 pieces of evidence, including phones, cryptocurrency wallets, and laptops, they said.

Swiss and US authorities have reportedly requested the suspects' extradition but had no comment at the time of publication. The suspects are wanted on charges including conspiracy to commit an offense against the United States and conspiracy to commit wire fraud, according to reports.

The Thai arrests were part of "Operation Phobos Aetor," a name that some believe hints at a connection between 8Base and the Phobos ransomware crew. Phobos' operations took a hit after its IT admin was cuffed last year and extradited to the US, and some researchers believe the group has ties to 8Base.

8Base claimed to have targeted German carmaker Volkswagen - although the auto giant didn't seem too concerned about what they'd managed to steal.

The 8Base ransomware group was formed in 2022, but its leak site didn't go live until May 2023. It ranked among the top new ransomware operators that year. Security researchers are now monitoring for signs of the gang re-emerging under a new alias or operation.

Some researchers speculated that the shutdown of 8Base's site might have been an exit scam, with the operators pretending to be taken down so they could vanish with their loot. Ransomware gang ALPHV allegedly tried this last year, briefly going dark before rebranding and continuing its operations. However, confirmation from police that they were involved makes an exit scam unlikely. ®

Updated to add at 2220 UTC on February 11, 2025

The Justice Department and European police have released [PDF] additional details about the 8Base takedown and named two Russians arrested for their alleged part in the criminal enterprise.

Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, were arrested in Thailand this week as part of an international operation, and over 100 servers associated with the ransomware group were disrupted.

"Fedpol was able to warn more than 300 potential victims of ransomware attacks worldwide," the Swiss cops told The Register. "In Switzerland, this helped to prevent around half a dozen ransomware attacks."

According to Europol, the 8Base crew operated as an affiliate of the Phobos ransomware network, using the malware to carry out their attacks. A key break in the case came in 2024 when a Phobos administrator was arrested in South Korea and later extradited to the United States.

The FBI alleged that Berezhnoy promoted the ransomware on cyber-crime forums to recruit "long-term" affiliates to deploy the malware and share the proceeds with the group. Their targets were, it is claimed, primarily companies in the US, UK, and Europe.

The duo faces 11 criminal counts that, if convicted on all charges and handed maximum consecutive sentences, could result in decades behind bars.
