LeakBase Dismantled: The 14-Country FBI-Europol Sting That Crushed the Web's Biggest Stolen-Data Bazaar

On March 3 and 4, 2026, law enforcement agencies across 14 countries hit a synchronized kill switch on LeakBase - a massive open-web hacker forum with 142,000 members and an archive of hundreds of millions of stolen credentials. Every account, every private message, every IP address: now in federal hands.

By PRISM - BLACKWIRE Tech & Security Bureau  |  March 6, 2026  |  EXCLUSIVE ANALYSIS

Credential markets like LeakBase funneled stolen data from corporate breaches directly into the hands of fraud operators and ransomware crews. Photo: Unsplash

The timing was precise. In the pre-dawn hours of March 3, 2026, federal agents in Salt Lake City, Utah executed a search warrant. At almost the same moment - coordinated down to the hour from Europol's headquarters in The Hague, Netherlands - police knocked on doors in Spain, Romania, Poland, Australia, Portugal, and the United Kingdom. In total, law enforcement officers in 14 countries moved simultaneously against a single target: LeakBase, the open-web hacking forum that had become the internet's most accessible black market for stolen credentials.

By the time most LeakBase members in North America woke up that morning, the site was gone. In its place: a federal seizure banner. Their private messages, IP addresses, account details, and transaction histories had been handed to prosecutors. Some of them were already receiving "prevention messages" from law enforcement - a warning shot that the government now knew exactly who they were.

The operation, announced publicly by the U.S. Department of Justice on March 4, represented one of the most expansive coordinated cybercrime takedowns in recent memory. It was also the third chapter in a years-long campaign against a specific genealogy of hacker forums - a succession of sites that, each time law enforcement kills one, spawns a successor.

LeakBase By the Numbers

142,000+ Registered Members
215,000+ Forum Messages
14 Countries Involved
100s of millions of Stolen Credentials
Sources: U.S. Department of Justice press release, March 4, 2026; Europol coordinating statement; court affidavit unsealed March 3, 2026 (District of Utah).

What Was LeakBase

LeakBase wasn't hidden on a .onion address behind Tor. It operated on the open web, in English, accessible to anyone with a browser. That design choice was intentional - and it made it far more dangerous than typical dark-web marketplaces, which require technical knowledge to access and carry higher perceived risk for buyers.

The forum functioned as a layered marketplace. At the most basic level, users could browse and search an archive of compromised databases - the raw output from years of corporate data breaches. Someone hacks a company's user database; that data flows into LeakBase, where it gets verified, sorted, and sold in bulk.

But the merchandise went deeper than email-and-password dumps. According to the court affidavit unsealed by the District of Utah, LeakBase hosted:

What distinguished LeakBase from a simple file-dump site was the community layer built on top of it. The forum's 215,000+ messages weren't just transaction records. Members discussed attack techniques, traded tools, reviewed breach quality, and - critically - helped each other monetize stolen data. It was less like eBay and more like a professional trade association for fraud operators.

The forum was "continuously updated," according to DOJ prosecutors - meaning it absorbed new breach data in near-real-time as major hacks occurred. When a company got breached, the credentials often appeared on LeakBase within days, sometimes hours. Members who paid for premium access could run queries against the database to check if specific email addresses had been compromised.

Credential theft forums function as a supply chain intermediary between hackers who breach companies and criminals who commit fraud - a division of labor that makes both activities more efficient. Photo: Unsplash

The Credential Economy: How Stolen Passwords Become Real Money

To understand why taking down LeakBase matters, you need to understand what stolen credentials actually do in the wild. The journey from a corporate data breach to a fraud loss often runs through exactly these kinds of marketplace forums, and it's more industrialized than most people realize.

Step one is the breach itself - a hacker exploits a vulnerability in a company's systems and exfiltrates the user database. This could be millions of records. The hacker either uses the data themselves or, more commonly, sells it to a broker or posts it on a forum like LeakBase.

Step two is validation. Automated tools called "credential checkers" or "combo validators" run through the stolen list and test which username-password pairs still work on high-value targets: Netflix, Amazon, bank logins, airline reward programs. The valid credentials are sorted into "hits" and sold at a premium.

Step three is monetization, which takes several forms. Account takeover (ATO) fraud is the most direct: log into a victim's bank account, PayPal, or retail account and drain it. More subtle is credential stuffing at scale - automated tools fire hundreds of thousands of login attempts per hour across dozens of platforms, collecting every successful access for later exploitation.

The really valuable play, though, is using compromised accounts as pivot points. A hacked email account gives access to password-reset emails for every other account linked to that address. A hacked corporate email account can be used for business email compromise (BEC) scams - fraudulent wire transfer requests that cost U.S. businesses billions annually.

"The takedown of this cyber forum disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials. This operation illustrates the strength of the United States and our international partners working across the globe to dismantle a critical cybercriminal forum." - A. Tysen Duva, Assistant Attorney General, DOJ Criminal Division, March 4, 2026

Then there's the ransomware connection. Ransomware operators frequently use credential theft as an initial access vector. They buy valid corporate VPN credentials from forums like LeakBase, log in as a legitimate employee, and move laterally through the network before deploying ransomware. The 2021 Colonial Pipeline hack - which caused fuel shortages across the U.S. East Coast - began with a single compromised VPN password. Investigators later found that password available on the dark web.

LeakBase sat at the center of this supply chain. It wasn't just a curiosity for script kiddies. It was operational infrastructure for organized cybercrime at scale.

The Genealogy: From RaidForums to BreachForums to LeakBase

The March 2026 LeakBase takedown is the third major operation against a specific family of English-language credential forums - and understanding that lineage is essential to understanding both the victory and its limits.

RaidForums was the original. Launched in 2015, it grew into the dominant English-language marketplace for stolen data. At its peak, RaidForums boasted over 500,000 members and hosted databases from some of the biggest hacks of the 2010s - billions of records from breaches at LinkedIn, Adobe, Comcast, and hundreds of others. In April 2022, the U.S. Department of Justice, working with Europol and law enforcement in 17 countries, seized RaidForums and arrested its founder, Diogo Santos Coelho, a 21-year-old Portuguese national, in the United Kingdom. Coelho was later extradited to the United States.

Within weeks of RaidForums' collapse, BreachForums emerged - built by a user who had been active on RaidForums and structured the new platform to fill the vacuum. BreachForums became even more prominent than its predecessor, briefly hosting the stolen data from the 2023 DC Health Link breach (which exposed the personal information of U.S. House of Representatives members) and the massive MOVEit transfer exploitation that compromised hundreds of organizations globally.

The DOJ arrested BreachForums founder Conor Brian Fitzpatrick - known online as "Pompompurin" - in March 2023. Fitzpatrick pleaded guilty to federal charges and was sentenced to three years in prison in 2025, one of the stiffest sentences handed down for operating a cybercrime forum in U.S. history.

The Forum Succession Timeline

2015 - RaidForums Founded. Founded by Portuguese national Diogo Santos Coelho. Grows to 500,000+ members over seven years, becoming the dominant English-language stolen-data market.

Apr 2022 - RaidForums Seized. 17-country operation. Coelho arrested in the UK. Sites seized by FBI and Europol. Considered a landmark cybercrime takedown at the time.

Apr 2022 - BreachForums Launches. Within weeks of RaidForums' collapse, "Pompompurin" (Conor Brian Fitzpatrick) launches BreachForums. Immediately attracts the displaced RaidForums community.

Mar 2023 - BreachForums Founder Arrested. DOJ arrests Fitzpatrick. BreachForums continues briefly under new management before collapsing. Fitzpatrick sentenced to 3 years prison in 2025.

2023-2025 - LeakBase Rises. LeakBase emerges to fill the vacuum. Grows to 142,000 members. Hosts hundreds of millions of credentials. Operates openly on the clear web in English.

Mar 3-4, 2026 - LeakBase Dismantled. FBI, Europol, and 14-country coalition execute synchronized seizure. Domains taken. Data seized. Members warned. Arrests made in multiple countries.

The pattern is visible: each forum shutdown spawns a successor within weeks. The underlying demand - cheap, reliable access to stolen credentials - doesn't disappear when a forum does. It migrates. LeakBase's own emergence after BreachForums took fewer than six months. The question now is what fills the void LeakBase leaves behind.

Inside the Operation: 14 Countries, One Morning

Coordinating a simultaneous law enforcement operation across 14 sovereign nations is extraordinarily difficult. It requires months of legal preparation - mutual legal assistance treaties, extradition frameworks, evidence-sharing agreements - and the kind of operational security that prevents any single leak from tipping off the target.

The operation was anchored at Europol's headquarters in The Hague. Europol's role in international cybercrime operations has grown significantly over the past decade: the agency serves as a coordination hub, pooling intelligence from member nations and facilitating joint operations without needing to navigate bilateral agreements for each pair of countries involved.

The lead prosecution is being handled by the District of Utah - an unusual jurisdictional choice that reflects the FBI Salt Lake City Field Office's increasingly prominent role in cybercrime investigations. The same office has handled several major cybercrime cases in recent years, partly due to the presence of key personnel and partly due to favorable jury demographics for federal prosecution.

Countries That Took Action on March 3-4, 2026

Countries where law enforcement executed search warrants, made arrests, or conducted interviews:

United States, Australia, Belgium, Poland, Portugal, Romania, Spain, United Kingdom, Canada, Germany, Greece, Kosovo, Malaysia, Netherlands

Countries shown with a red border in the original graphic executed physical search warrants or made arrests. All 14 participated in seizure actions. Source: DOJ press release, March 4, 2026.

The operational sequencing mattered enormously. Law enforcement couldn't move against individual members in their home countries until the central infrastructure was seized - otherwise, administrators would see the arrests and immediately wipe the servers. The synchronized timing meant that by the time any member in Romania or Australia was woken up by police, the servers were already offline and the data was already in law enforcement custody.

What investigators seized is striking in its scope: not just the public forum content, but users' account details, private messages, credit card information used for premium memberships, and crucially, IP logs. Even users who thought they were hiding behind VPNs faced exposure - many commercial VPNs keep connection logs, and those logs can be subpoenaed separately. Users who paid for premium features with traceable payment methods had an additional layer of exposure.

"The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users' accounts, posts, credit details, private messages, and IP logs for evidentiary purposes. Together with our partners, we are sending a message that no criminal is truly anonymous online." - Brett Leatherman, Assistant Director, FBI Cyber Division

The "prevention messages" sent to members represent a relatively new law enforcement tactic - a warning to lower-level users that their identities are now known, intended to deter further criminal activity even without formal prosecution. With 142,000 members, the DOJ cannot realistically charge everyone. But the message sent to every registered user - "we know who you are" - is designed to chill participation in whatever forum emerges next.

What This Means for the 142,000 Members

The immediate question for anyone who had an account on LeakBase is: how exposed am I?

The honest answer is: significantly, and the degree of exposure depends entirely on what you did there. Law enforcement has now seized:

Your IP address at every login - unless you consistently used a Tor browser or a no-logs VPN that genuinely kept no records. Most commercial VPNs, despite their marketing, keep at least connection metadata. And if you ever logged in once without a VPN, your real IP is in the database.

Your private messages - the forum's messaging system is now fully readable by investigators. Any operational discussions, deals arranged, or data traded through private messages are evidence. This is where many forum prosecutions have found their most damaging material: members who were careful in public posts often spoke freely in private messages.

Payment information - anyone who paid for premium access via credit card or traceable payment method has directly linked their real identity to their forum account. Cryptocurrency payments offer some protection but are not fully anonymous, particularly if coins were acquired through a KYC exchange.

Your posting history - every post, every upload, every comment is now a permanent part of the government's evidence record. Context matters: users who only browsed are less exposed than users who actively traded data or posted tutorials on criminal techniques.

The DOJ has noted that in prosecutions stemming from RaidForums and BreachForums, the full sweep of arrests often took two to three years after the initial takedown. The government builds cases methodically, prioritizing the most active and most damaging members first. Low-level users who received only "prevention messages" may never face charges - but they also can never be certain of that.

The true scale of credential theft is measured in populations, not individuals. Hundreds of millions of stolen credentials on a single forum means a significant fraction of the internet's active users were exposed. Photo: Unsplash

The Whack-a-Mole Problem: Why This Keeps Happening

The hard truth that no DOJ press release will ever say directly: this will happen again.

The structural economics that created RaidForums, then BreachForums, then LeakBase are unchanged. Corporate data breaches continue at a pace that shows no sign of decreasing. The credentials generated by those breaches have real monetary value. And the internet provides essentially frictionless infrastructure for building new forums.

Building a credential marketplace doesn't require significant technical sophistication. Standard forum software (phpBB, XenForo, custom builds) can be stood up in days. The harder challenge is building trust and reputation among potential buyers and sellers - and that's where the genealogy of forums matters. Each time a major forum collapses, the displaced community carries its reputation metrics, its user relationships, and its operational knowledge to the next platform.

LeakBase emerged from BreachForums' collapse in roughly six months. The next forum - whatever it ends up being called - is likely already in development somewhere. Some members who saw the LeakBase takedown coming (or who were paranoid enough to plan for it) have already migrated to alternative platforms or private Telegram groups.

This is why law enforcement agencies increasingly focus not just on taking down forums but on prosecuting individuals - and specifically on making examples of administrators and power users. The founder of BreachForums got three years in federal prison. That's meaningfully longer than prior sentences for forum administration. The signal to potential successors is: the legal risk is increasing, not decreasing.

There's also an arms race in detection. Forum administrators have become increasingly sophisticated about operational security: using bulletproof hosting providers in jurisdictions with limited extradition treaties, segregating infrastructure across multiple countries, building in automatic data-destruction mechanisms that trigger if the admin goes offline for a defined period.

LeakBase's apparent vulnerability was operating on the clear web and presumably relying on hosting infrastructure that was accessible to Western law enforcement. A forum that operated purely through Tor, accepted only privacy-preserving cryptocurrency, and hosted in a jurisdiction completely hostile to Western requests would be substantially harder to take down - though also substantially harder for users to access and trust.

"Hiding behind a screen does not shield cybercriminals from accountability. This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide." - Robert Bohls, Special Agent in Charge, FBI Salt Lake City Field Office

The Broader Cybercrime Landscape This Week

The LeakBase takedown didn't happen in isolation. The same week, multiple other cybercrime developments underscored how intensely active the space remains.

The Proton Mail case - in which court records revealed that the privacy-focused email provider had disclosed payment metadata to Swiss authorities, who then passed it to the FBI in connection with a Stop Cop City activist account - demonstrated the limits of privacy guarantees even from ostensibly secure services. Proton's end-to-end encryption protected message contents, but the name and payment information of the account holder were accessible and disclosed. For cybercriminals who used email addresses from "privacy" services to register forum accounts, this is a significant warning: the weakest link is often payment and identity metadata, not content encryption.

Separately, security researchers continued tracking new activity from the "Kimwolf" botnet - a sophisticated botnet that has been targeting the I2P (Invisible Internet Project) anonymity network in what appears to be a deliberate attempt to disrupt an alternative to Tor. The "Starkiller" phishing service, documented this month, represents a novel technique: rather than hosting fake login pages, it proxies real login pages in real time, capturing credentials and MFA codes as users enter them. The service bypasses even modern TOTP-based two-factor authentication, capturing the time-limited code before it expires.

These developments share a common thread: the technical sophistication of cybercrime infrastructure is increasing even as law enforcement capabilities expand. The credential theft ecosystem that LeakBase served is not going away. It is evolving.

What Comes Next: The Post-LeakBase Landscape

For law enforcement, the immediate priority is building prosecution cases against the most active LeakBase members identified through the seized data. The FBI Salt Lake City Field Office - which is also investigating with support from the San Diego office, the Utah Department of Public Safety, and the Provo Police Department - has a significant evidence trove to work through. Expect arrests over the next 12-24 months targeting specific high-value individuals.

For the cybercrime community, the calculus is shifting. Three major forum takedowns in four years - RaidForums (2022), BreachForums (2023), LeakBase (2026) - means that anyone building or administering a successor forum is doing so with clear historical evidence of how these operations end. Some actors will adapt: more Tor, more cryptocurrency, more operational compartmentalization. Others will migrate to private, invite-only channels that don't have the scale or the reputation problems of public forums but are also much harder to infiltrate.

For corporate security teams, the seized LeakBase data represents an intelligence opportunity. Law enforcement typically shares breach indicators with the private sector through channels like the FBI's InfraGard program and CISA's threat-sharing mechanisms. Organizations whose data appeared in LeakBase's archive may now learn details about breaches they didn't fully understand - which credentials were compromised, how they were packaged and sold, who bought them.

For ordinary people whose credentials were in LeakBase's database - and given "hundreds of millions" of records, that's a substantial fraction of the internet-using public - the practical advice is unchanged but newly urgent: use unique passwords for every service, enable hardware security keys or app-based MFA wherever possible, and monitor accounts for unusual activity. Password managers make unique passwords practical. Nothing makes credential stuffing attacks impossible, but raising the technical bar for each individual account limits the blast radius of any single breach.

The deeper structural problem remains unsolved. Corporate data breaches are the raw material of the credential theft economy, and U.S. corporations continue to store password databases in forms that make credential theft profitable. Truly secure password storage - long salted hashes using bcrypt or Argon2 - makes stolen password databases computationally expensive to crack. Many breached companies are not using these standards, which is why plaintext or weakly-hashed password databases keep appearing on forums like LeakBase.

Taking down the forum attacks the distribution layer. The production problem - companies getting hacked and losing credential data - requires a different intervention entirely.
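
The password-storage point above, as an added example that is not part of the original article: a weakly hashed user table beside a salted, memory-hard one, with legacy rows upgraded at the next successful login. It uses scrypt from Python's standard library as a stand-in for the bcrypt or Argon2 the article names; the unsalted-MD5 legacy format, the in-memory `store` dict, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factors (n=2**14, r=8 needs about 16 MiB per hash); tune for your hardware.
N, R, P = 2**14, 8, 1


def legacy_hash(password: str) -> str:
    """Weak 'before' format (assumed): unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened format: per-user random salt, memory-hard KDF, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def login(store: dict, user: str, password: str) -> bool:
    """Check a login and transparently upgrade a legacy record on success."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("scrypt$"):
        return verify_password(password, record)
    # Legacy row: a successful login is the only moment the server holds the
    # plaintext, so that is when the weak hash gets replaced.
    if hmac.compare_digest(legacy_hash(password).encode(), record.encode()):
        store[user] = hash_password(password)
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    store = {"alice": legacy_hash("Summer2026!"), "bob": legacy_hash("Summer2026!")}
    print("legacy rows identical:", store["alice"] == store["bob"])
    login(store, "alice", "Summer2026!")
    login(store, "bob", "Summer2026!")
    print("upgraded rows identical:", store["alice"] == store["bob"])
    print(store["alice"])
```

In the legacy table the two rows are byte-for-byte equal, so one cracked hash exposes every account that shares the password; after the upgrade each row carries its own salt and must be attacked separately at the KDF's cost.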

DOJ Criminal Division Cybercrime Statistics (Since 2020)

180+ Cybercriminals Convicted
$350M+ Victim Funds Recovered
3 Major Forum Takedowns

Source: DOJ Computer Crime and Intellectual Property Section (CCIPS), March 2026.

The Bottom Line

LeakBase is gone. Its infrastructure is seized. Its data - including everything its members did there - is in the hands of prosecutors across 14 countries. This is a real win for law enforcement, and specifically a testament to the kind of sustained international coordination that has improved dramatically since the early years of cybercrime enforcement.

The DOJ's track record of prosecuting administrators (RaidForums' Coelho, BreachForums' Fitzpatrick) and now pursuing members with the seized LeakBase data creates real deterrence at the margins. Some people who would have joined a successor forum will now hesitate. Some forum administrators who might have considered building the next platform will calculate the risk differently.

But the credential economy itself isn't going away. Every corporate data breach generates new raw material. Every weak password reused across multiple services multiplies the damage. Every company that stores passwords in reversible or weakly-hashed formats hands the cybercrime ecosystem a gift.

The FBI and Europol have won a battle. The war between data security and data theft is structural, ongoing, and not won by forum seizures alone - however satisfying they look on a Tuesday morning when you visit a seized website and see a federal banner where a hacking marketplace used to be.

Watch the horizon. The next forum is already being built.
