-
An extensive cross-border effort by the police has resulted in the dismantling of LeakBase – one of the largest platforms for peddling illegally obtained user credentials
-
The operation involved the conduct of 14 different countries working together to take control of the website as well as the server that it was hosted on.
-
LeakBase recorded over 142,000 users who have bought and sold hacked databases containing millions of stolen records.
Cybercriminals have been using underground forums to trade stolen data for years, just like sharing files on social media. However, the options have become significantly limited since LeakBase, one of the largest sites for exchanging hacked credentials and stolen databases, has been permanently closed down due to law enforcement action.
The Europol-coordinated operation involved 14 countries working together and resulted in the seizure of the forum’s domains and the backend servers, as well as arresting suspected users and administrators.
Inside the LeakBase Operation
Law enforcement didn’t just shut down the site; they also conducted around 100 enforcement actions globally, including arrests, search warrants, and interviewing multiple individuals associated with the site. The international operation involved multiple countries, including the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.
In a statement from the US Department of Justice, investigators focused on disrupting the core infrastructure of LeakBase, which is a long-standing cybercrime forum that specializes in giving out stolen databases as well as credential logs. By closing down LeakBase, the authorities were able to replace the site with a ‘take down’ notice, but they also seized all of the internal documents from the site.
That data includes user accounts, private messages, payment records, and IP logs. These digital breadcrumbs could now help investigators identify participants who believed they were operating anonymously. As one Europol analyst explained during a briefing, “seizing the backend database is often more valuable than shutting down the website itself; it reveals the entire network.”
LeakBase was different from many dark web marketplaces. It operated on the open web and ran primarily in English. That accessibility helped it attract a global user base. By the end of 2025, authorities estimate that the forum will have at least 142,000 registered users. The site contained tens of thousands of posts and private chat messages between users.
Black Market Platform to Support Illegal Trades
LeakBase was a “deep-web” black-market website where hackers can buy, sell, or freely share compromised data sets, such as usernames, passwords, bank records, and anything else personal and/or corporate. Most of these compromised datasets come from data breaches or malware campaigns.
The scale of data traded on these platforms is staggering. Just one example is the global cybersecurity breach that exposed 149 million passwords, fueling identity theft fears worldwide and demonstrating why forums like LeakBase pose such a significant threat to consumer privacy and security.
Over time, the forum built a massive archive. It included hundreds of millions of credentials taken from high-profile breaches affecting both individuals and companies. These datasets remained constant support systems for fraud schemes, account takeovers, as well as further network infiltrations.
The site focused especially on hosting large collections of breached data and what are called “stealer logs.” These are files generated by infostealer programs that harvest data directly from infected infrastructures. To uphold trust amongst users and maintain activity, the platform utilized a reputation system and a credit-based model. Members could earn standing by sharing data or participating in transactions.
One distinct rule reportedly set on the forum is that no user should publish data connected to Russia. Various internet crime platforms have flagged this restriction as part of similar operating patterns.
A Pattern That Keeps Repeating
LeakBase has not emerged alone. The growth trend mirrors patterns seen across the cybercriminal underground. For example, when a major forum goes down, another one appears very soon after to fill its void.
After law enforcement dismantled major forums like RaidForums and BreachForums, many registered users looked for alternative places to do business as buyers or sellers. LeakBase emerged as one of those platforms and became known for hosting massive datasets of breached data.
The take-down of LeakBase is part of the ongoing coordinated international effort by law enforcement agencies around the world to disrupt online platforms that facilitate cybercrime. Earlier in the same day, Europol also announced that it had taken action against the Tycoon 2FA phishing kit by taking down over 300 associated domains.
Law Enforcement agencies have slightly altered their direction; instead of just targeting ‘individual hackers, ‘ they now target ‘the services’ that allow large-scale organized crime to occur. Some of these include the forums, malware markets, and phishing infrastructures that cyber criminals use. As one researcher said, removing these services disrupts the supply chain and prevents criminals from easily circulating stolen information or tools.
Past experience with underground forums shows that replacements often appear quickly after authorities shut them down. This pattern suggests that community members who used forums to exchange stolen information will likely move to other platforms once one disappears. The real question is not whether LeakBase will be replaced, but how long it will take, and what law enforcement agencies will learn from the data on its servers in the meantime.
