Authorities Disrupt 8Base Ransomware, Arrest Four Russian Operators

The 8Base ransomware group’s infrastructure has been disrupted and its leaders have been arrested in an international law enforcement operation, Europol announced today.

Since Monday, the gang’s Tor-based leak site has been displaying a seizure banner informing visitors that authorities had taken it down, but no official announcement was made until Tuesday, when Europol confirmed the law enforcement action.

“This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg,” a banner on the site reads.

On Tuesday, Europol announced the takedown of 27 servers and the arrest of four Russian nationals believed to have led the 8Base gang, using the Phobos ransomware in attacks against hundreds of victims worldwide.

The investigation into Phobos, Europol says, started in 2019, and previously led to the arrest of an affiliate in 2023, and of an administrator in 2024. The administrator, Evgenii Ptitsyn, 42, of Russia, was extradited to the US in November and charged for his role in the ransomware operation.

“This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both,” Europol notes.

Operating under the ransomware-as-a-service (RaaS) model, Phobos has been active since 2018, and is estimated to have been used in attacks against over 1,000 organizations worldwide. The ransomware’s operators extorted more than $16 million from their victims.

The 8Base gang emerged in 2022, and had claimed over 80 victims by June 2023, when it was the second most active ransomware group. Security researchers observed it using multiple ransomware variants in attacks, but its modus operandi showed similarities with RansomHouse and Phobos.

“Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact. This group has been particularly aggressive in its double extortion tactics,” Europol says.

Law enforcement agencies in Belgium, the Czech Republic, France, Germany, Japan, Poland, Romania, Singapore, Spain, Sweden, Switzerland, Thailand, the UK, and the US participated in the takedown.

The four alleged 8Base leaders, two men and two women, were arrested in Phuket, Thailand, as part of ‘Operation Phobos Aetor’, according to reports. Authorities also conducted searches at four locations and seized mobile phones, laptops, and digital wallets.
