An international law enforcement operation has dismantled LeakBase, a major online marketplace for stolen data that had become a central hub for cybercriminal activity. The cybercrime forum dismantled during the coordinated crackdown had amassed more than 142,000 registered users and hosted thousands of posts offering leaked databases and stolen credentials.
The operation, coordinated by Europol, targeted the infrastructure of the platform as well as several of its most active users. Investigators carried out coordinated enforcement actions between 3 and 4 March, marking one of the latest global efforts to disrupt the underground economy that thrives on stolen personal and corporate data.
Authorities say the cybercrime forum dismantled operation significantly disrupted a platform that had been widely used by criminals to trade compromised information and facilitate further cyberattacks.
LeakBase: A Growing Marketplace for Stolen Credentials
Active since 2021, LeakBase operated openly on the web and primarily used English, allowing it to attract a global community of cybercriminals. The forum specialised in trading leaked databases and so-called “stealer logs,” which are collections of credentials captured by infostealer malware.
These logs typically contain email addresses, passwords and other authentication data that criminals use to access online accounts. Once obtained, the information can be used for account takeovers, fraud schemes and further cyber intrusions.
Over time, LeakBase developed a structured system that helped it grow rapidly. The forum used a credit-based economy and reputation system, allowing users to build credibility within the community and gain access to more valuable data. This system helped maintain trust among offenders and kept the marketplace active.
Despite being an international platform, LeakBase reportedly had an internal rule that prohibited the sale or publication of data related to Russia, highlighting the unusual dynamics that sometimes exist within cybercrime networks.
By December 2025, the forum had accumulated more than 142,000 registered users, around 32,000 posts, and over 215,000 private messages, underscoring its role as a major player in the underground data-trading ecosystem.
Coordinated Global Action Against the Cybercrime Forum
The cybercrime forum dismantled operation involved law enforcement authorities from several countries, including Australia, Belgium, Canada, Germany, Greece, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the United States.
On 3 March, authorities launched coordinated enforcement actions that included arrests, house searches and “knock-and-talk” visits targeting individuals suspected of being heavily involved in the forum’s activity.
Around 100 enforcement actions were conducted globally, with investigators focusing on 37 of the most active users of the platform.
The following day, authorities moved to the technical disruption phase of the operation. Investigators seized the forum’s domain and replaced the website with a law enforcement notice, effectively shutting down the platform and preventing further activity.
Officials say the investigation is now entering a prevention phase that aims to deter others from engaging in similar cybercrime operations.
Europol’s Role in Tracking the Forum
Europol analysts played a key role in the investigation by mapping the infrastructure of the LeakBase forum and analyzing user activity across the platform.
Investigators cross-matched the forum’s data with ongoing cases across Europe and other regions, helping identify suspects and connect digital evidence across multiple jurisdictions.
At Europol’s headquarters in The Hague, a dedicated operational data sprint brought together specialists to process the seized information quickly. A data scientist also supported the investigation by structuring millions of data points to generate actionable leads for law enforcement teams.
The operation was carried out within the framework of the Joint Cybercrime Action Taskforce (J-CAT), which supports international cybercrime investigations.
Anonymity in Cybercrime Is Often an Illusion
Authorities say the investigation also exposed how fragile anonymity can be within the cybercrime world. By seizing the forum’s database, investigators were able to identify and deanonymise several users who believed they were operating under complete anonymity.
In some cases, investigators contacted suspects directly through the same online channels that had been used to facilitate criminal activity.
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said the operation sends a clear signal to cybercriminals operating online.
“This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”
Stolen Data Rarely Disappears
Investigators also warn that the shutdown of LeakBase highlights a broader reality about cybercrime. When organizations or individuals suffer a data breach, the stolen information often resurfaces on underground platforms where it can be reused for scams, phishing campaigns or identity theft.
While the cybercrime forum dismantled operation is a significant step, experts caution that similar marketplaces can quickly emerge to replace them.
For individuals, authorities emphasize the importance of basic cybersecurity hygiene, including using strong and unique passwords and enabling multi-factor authentication to reduce the risk of compromised accounts.
