FBI and Europol dismantle ‘Leakbase’ cybercrime forum in massive 14-country sting
- Marijan Hassan - Tech Journalist
In a major victory against the underground trade of stolen identities, international law enforcement agencies led by the FBI and Europol successfully dismantled LeakBase, one of the world’s most prominent cybercrime marketplaces. The coordinated strike, dubbed "Operation Leak," concluded on March 4, 2026, resulting in the seizure of the forum’s domains and the deanonymization of its vast user base.

LeakBase had been active since 2021 and had grown into a central pillar of the cybercrime ecosystem, boasting over 142,000 registered members and serving as a primary hub for trading "stealer logs": archives of credentials harvested via malware.
The takedown: A two-phase global strike
The operation was a textbook example of modern, synchronized law enforcement, involving authorities from the U.S., UK, Australia, Germany, Malaysia, and nine other nations.
Phase 1: The human strike (March 3): Authorities executed approximately 100 enforcement actions worldwide. This included arrests, house searches, and "knock-and-talk" interviews targeting 37 of the forum’s most active users.
Phase 2: Technical seizure (March 4): The FBI took control of the forum’s primary domains (including leakbase.la), replacing them with a seizure banner.
Unlike previous takedowns, police used the platform’s own internal messaging system to send "prevention messages" directly to members, warning them that their anonymity had been compromised.
In a critical breakthrough, the Malaysian Anti-Corruption Commission (MACC) raided a web hosting facility in Kuala Lumpur that was secretly housing the physical servers for LeakBase, securing millions of data points for evidentiary use.
Inside the LeakBase economy
LeakBase was more than just a message board; it was a sophisticated "criminal university" and bazaar that operated openly on the clear web.
At the time of its seizure, the forum contained over 215,000 private messages and a continuously updated database of hundreds of millions of credentials stolen from high-profile corporate breaches.
The site specialized in "stealer logs", files containing not just passwords, but browser cookies, autofill data, and system snapshots that allow hackers to bypass multi-factor authentication (MFA).
The "No Russia" rule
LeakBase maintained a strict internal rule prohibiting the sale or publication of any data related to Russia, likely an attempt by its administrators to avoid scrutiny from Russian authorities.
Intelligence gold mine
Law enforcement officials have emphasized that the shutdown is only the beginning. By seizing the entire backend database, investigators now have a "roadmap" of the global cybercrime landscape.
"Those who believed they could hide behind anonymity are being identified and held accountable," said Edvardas Šileris, Head of Europol’s European Cybercrime Centre. The FBI now possesses IP logs, transaction records, and private communications that link thousands of "shadowy" aliases to real-world identities across 47 countries.
Looking forward
The LeakBase takedown follows similar action against RaidForums (2022) and BreachForums (2023), suggesting that a repeatable, international "playbook" is now in place to prevent any single forum from becoming "too big to fail."












