Russian Authorities Arrest Alleged LeakBase Admin Behind Stolen Data Marketplace
- Mar 26
Key Findings
- Russian authorities arrested the alleged administrator of LeakBase, a major cybercrime marketplace operating since 2021
- The suspect, a resident of Taganrog, is accused of running a platform with over 147,000 users trading stolen data and credentials
- LeakBase was dismantled in early March 2024 through "Operation Leak," a coordinated international effort involving 14 countries
- The forum hosted hundreds of millions of compromised account credentials, financial information, and corporate documents
- Technical equipment and evidence were seized during a search of the suspect's residence
- A criminal case has been opened and the suspect remains in custody
Background
LeakBase emerged as one of the largest cybercrime hubs in the world, operating openly on the clearnet since 2021. The platform specialized in trading leaked databases and "stealer logs" containing credentials harvested by infostealer malware. It functioned as both a marketplace and discussion forum, enabling cybercriminals to buy, sell, and exchange compromised data in English. The forum attracted over 147,000 registered users who conducted more than 215,000 transactions, making it a central hub in the cybercrime ecosystem.
International Takedown Operation
In early March, law enforcement agencies from 14 countries coordinated "Operation Leak" to dismantle LeakBase. The FBI seized the primary domain, while Europol provided critical support by mapping the forum's infrastructure and analyzing user activity across borders. On March 3, authorities conducted simultaneous actions worldwide, including approximately 100 interventions targeting 37 of the most active forum users. The Joint Cybercrime Action Taskforce and a Joint Command Post facilitated real-time intelligence sharing during the operation. Within 24 hours, investigators replaced the seized domain with an official law enforcement seizure notice.
Scale of Compromised Data
The platform contained hundreds of millions of user accounts with associated sensitive information. This included bank details, usernames, passwords, credit and debit card numbers, banking account and routing information, and corporate documents obtained through hacking. The sheer volume of data made LeakBase a critical infrastructure point for identity theft, account takeovers, phishing campaigns, and fraud operations worldwide.
The Alleged Administrator
The arrested suspect, identified as a 33-year-old from Taganrog, operated under multiple online aliases including Chucky, beakdaz, Chuckies, and Sqlrip. Intelligence firms KELA and TriTrace Investigations linked these identities to the individual before Russian authorities made the arrest. The suspect maintained the platform's technical operations while managing the user base and marketplace functions.
Ongoing Investigation and Prevention
Authorities seized the complete LeakBase database, allowing investigators to deanonymize users who believed they operated anonymously. Law enforcement contacted suspects through the same criminal channels they used, demonstrating that online anonymity has significant limitations. Investigators continue tracing digital evidence to identify additional offenders involved in the operation. The prevention phase now focuses on deterring cybercrime and raising awareness about the dangers of stolen data.
Resurfacing of the Platform
Days after the seizure, LeakBase reappeared on the domain leakbase[.]bz with DDoS protection from DDoS-Guard, a Russian bulletproof hosting provider. However, visitors encountered a Russian Ministry of Internal Affairs notice stating the forum was permanently closed and warning that illegal computer activities carry criminal liability under Russian law.
Sources
https://securityaffairs.com/189994/cyber-crime/russian-authorities-arrest-alleged-leakbase-admin-behind-stolen-data-marketplace.html
https://thehackernews.com/2026/03/leakbase-admin-arrested-in-russia-over.html
https://www.facebook.com/thehackernews/posts/%EF%B8%8F-russia-has-arrested-the-alleged-admin-of-leakbase-a-major-cybercrime-forum1470/1326780239486556/
https://www.instagram.com/p/DWUdPUPE18J/
https://www.cypro.se/2026/03/25/leakbase-admin-arrested-in-russia-over-massive-stolen-credential-marketplace/
https://x.com/TweetThreatNews/status/2036986524915388686
