8Base Ransomware Site Seized, Phobos Suspects Arrested in Thailand

Law enforcement has seized the dark web leak site of 8Base, a prominent ransomware group, and arrested four alleged members of the related Phobos operation in Thailand.

On February 10, 2025, the data leak site of 8Base was no longer available. Instead, users could find a banner showing 16 law enforcement agencies, including Europol, the FBI and the UK’s National Crime Agency (NCA).

The banner also displayed a message which said: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”

The same day, news outlets in Thailand reported on the arrest of four European citizens in Phuket as part of Operation Phobos Aetor.

The quartet is accused by Thai authorities of stealing $16m through ransomware attacks on over 1000 victims worldwide. They are believed to be members of the Phobos ransomware group, which was likely tied to 8Base.

Thailand’s Cyber Crime Investigation Bureau (CCIB) led the operation, which included coordinated raids across four locations where laptops, smartphones and cryptocurrency wallets were seized for forensic analysis.

The CCIB said Swiss and US authorities had issued warrants for the arrest of the four individuals.

Thai local media reports indicate that the four hackers allegedly carried out ransomware attacks on at least 17 Swiss companies between April 2023 and October 2024.

8Base Used Phobos Decryptor

8Base emerged in March 2022 but was first identified in the summer of 2023 when it began leaking data from numerous victims.

The group, which refers to itself simply as “pentesters,” displayed a level of sophistication suggesting it might be a rebrand of another operation or be composed of seasoned hackers.

In June 2023, security company VMware noted that 8Base shares many characteristics with RansomHouse, such as the style of ransom notes and the design of their data leak site, though it’s not confirmed they are the same entity.

8Base infiltrated corporate networks, moving laterally across devices while exfiltrating corporate data. Upon reaching the domain controller, they would deploy the Phobos ransomware encryptor to lock down devices.

Speaking to Infosecurity, Will Thomas, SANS instructor and cyber threat intelligence analyst, explained: “Phobos was a ransomware-as-a-service (RaaS) that was used by the 8Base gang, who operated their own leak site but decided not to create their own ransomware and just use the Phobos binary. They can change the ransom note to appear as though it is 8Base ransomware.”

In November 2024, Evgenii Ptitsyn, a 42-year-old Russian national, was extradited from South Korea and indicted in the US on suspicion of administering Phobos ransomware’s sale, distribution, and operation.

Europol told the press that more information on the law enforcement operation would be released on February 11.

Infosecurity has contacted the NCA and Europol for comment but we have not received a response at the time of publication.
