Full Report
A joint law enforcement operation has dismantled LeakBase, one of the world's largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. The LeakBase forum, per the U.S. Department of Justice (DoJ), had over 142,000 members and more than 215,000 messages between members as of December 2025. Those attempting to access the forum's website ("leakbase[.]la") are now
Analysis Summary
# Incident Report: Dismantlement of LeakBase Cybercrime Forum
## Executive Summary
A global law enforcement initiative, codenamed **Operation Leak**, led to the successful dismantlement of LeakBase, a major underground marketplace for stolen credentials and cybercrime tools. The operation resulted in the seizure of the forum's infrastructure, the arrest of key facilitators, and the preservation of extensive evidentiary data including 142,000 user accounts and 215,000 messages. This disruption significantly impacts the illicit trade of stealer logs and compromised financial data globally.
## Incident Details
- **Discovery Date:** Ongoing investigation; takedown finalized March 3-4, 2026.
- **Incident Date:** Asset seizure occurred March 3-4, 2026.
- **Affected Organization:** LeakBase (Cybercriminal Forum).
- **Sector:** Underground Economy / Cybercrime-as-a-Service.
- **Geography:** Global (servers hosted on the clearnet; arrests in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K.).
## Timeline of Events
### Initial Access (Forum Operations)
- **Date/Time:** 2021 (Approximate start of operations).
- **Vector:** Clearnet Hosting.
- **Details:** The forum operated openly on the clearnet under the domain `leakbase[.]la`, facilitating the sale of hacked databases and stealer logs.
### Lateral Movement
- **Not Applicable:** Because this is a law enforcement takedown rather than an intrusion, "lateral movement" here describes the criminal operation's expansion, not movement within a victim network. The forum administrator "Chucky" (aka Sqlrip) moved between various underground forums to build the LeakBase brand.
### Data Exfiltration/Impact
- **Volume:** Over 142,000 members and 215,000 messages.
- **Data Types:** Hundreds of millions of credentials, credit/debit card numbers, banking information, and PII records, hosted and traded on the clearnet.
### Detection & Response
- **January 2026:** Threat intelligence reports indicated the forum was down temporarily while the admin "Chucky" sought new hosting.
- **March 3-4, 2026:** Operation Leak was executed. Law enforcement seized the domain, backend servers, and IP logs. Search warrants and arrests were conducted across eight countries.
## Attack Methodology (Forum Threat Actor Profile)
- **Initial Access:** Infostealer malware logs (e.g., Redline, Raccoon) used by forum members to harvest the data offered for sale.
- **Persistence:** High-availability clearnet hosting.
- **Privilege Escalation:** Admin roles held by "Chucky," "BloodyMery," "OrderCheck," and "TSR."
- **Defense Evasion:** Explicit prohibition on the sale of Russian databases, intended to avoid scrutiny from law enforcement in that jurisdiction.
- **Credential Access:** Sale of "stealer logs" containing archives of harvested credentials.
- **Discovery:** Underground forum cross-posting and reconnaissance of global entities by threat actors.
- **Lateral Movement:** N/A (Platform for others).
- **Collection:** Aggregation of leaked databases (e.g., Swachhata platform breach).
- **Exfiltration:** Direct download of purchased datasets and stealer logs.
- **Impact:** Facilitation of massive-scale Account Takeover (ATO) and financial fraud.
## Impact Assessment
- **Financial:** Massive (facilitated the sale of banking and credit card data belonging to thousands of victims).
- **Data Breach:** Hundreds of millions of PII records and account credentials compromised over five years.
- **Operational:** Forum is permanently offline; 37 "high-value" users targeted for enforcement.
- **Reputational:** High-profile victory for the FBI/Europol; serves as a deterrent to clearnet cybercrime hosting.
## Indicators of Compromise
- **Network Indicators:**
  - `leakbase[.]la` (seized)
  - `leakbase[.]pw` (historical)
- **Behavioral Indicators:**
  - Use of the aliases "Chucky," "Chuckies," and "Sqlrip."
  - Prohibition of Russian-related data to evade specific jurisdictions.
## Response Actions
- **Containment:** Domain seizure and hosting infrastructure take-down.
- **Eradication:** Seizure of accounts, posts, credit details, and private messages.
- **Recovery:** Law enforcement secured IP logs and metadata to support future prosecutions of the forum's 142,000 members.
## Lessons Learned
- **Clearnet Vulnerability:** Cybercriminals using clearnet domains for "prestige" or ease of access are highly vulnerable to domain seizure and IP logging by authorities.
- **Policy as a Signal:** The restriction of Russian data was a clear behavioral indicator of the admins' attempt to manage geopolitical risk.
- **Infrastructure Weakness:** The period where the site was "down for new hosting" in early 2026 likely provided a window of opportunity for law enforcement tracking.
## Recommendations
- **For Organizations:** Monitor threat intelligence feeds for "LeakBase" mentions to determine whether corporate credentials were traded in historical stealer logs, and reset any credentials found.
- **For Users:** Implement Multi-Factor Authentication (MFA) to negate the value of credentials sold on such forums.
- **For Providers:** Hosting providers should apply robust KYC (Know Your Customer) protocols to prevent actors such as "Chucky" from easily procuring new infrastructure.