LeakBase had over 142 000 registered users, now under investigation by law enforcement.
A major online forum for stolen data has been dismantled following an international operation coordinated by Europol.
The forum, known as LeakBase, had established itself as a central hub in the cybercrime ecosystem, specialising in the trade of leaked databases and so-called “stealer logs” – archives of stolen credentials harvested through infostealer malware. Accessible on the open web and operating in English, the platform combined elements of a forum and discussion board, enabling cybercriminals to buy, sell and exchange compromised data.
Between 3 and 4 March, coordinated actions across multiple jurisdictions severely disrupted the forum’s operations and targeted its most active users.
Edvardas Šileris
Head of Europol’s European Cybercrime Centre
This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.
A hub for stolen credentials
Active since 2021, LeakBase maintained a vast and continuously updated archive of breached databases, ranging from historical leaks to newly compromised data. The forum featured large volumes of credential pairs – including email and password combinations – and other access credentials used to facilitate account takeover, fraud and further cyber intrusions.
A credit-based economy and reputation-driven user system helped build trust among offenders and sustain a thriving underground forum. One of the forum’s notable internal rules prohibited the sale or publication of any data related to Russia.
By December 2025, LeakBase counted more than 142 000 registered users, approximately 32 000 posts and over 215 000 private messages, underlining its scale and global reach.
Global operational phase
On 3 March, law enforcement authorities carried out coordinated enforcement actions across multiple jurisdictions, including arrests, house searches and “knock-and-talk” interventions. Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platforms.
On 4 March, authorities moved to the technical disruption phase, seizing the forum’s domain and replacing it with a law enforcement splash page.
The operation now enters a prevention phase aimed at deterring further criminal activity and raising awareness of the consequences of engaging in cybercrime.
Europol’s support
Europol’s analysts mapped the forum’s infrastructure and user activity, cross-matching data with ongoing investigations across Europe and beyond. Sensitive information was exchanged securely via Europol, enabling investigators to connect suspects, victims and digital evidence across borders.
An operational data sprint at Europol’s headquarters in The Hague brought together specialists to rapidly analyse seized data and identify high-value targets. A dedicated data scientist supported the case, extracting and structuring millions of data points to generate actionable leads.
The partners have been working closely together within the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol to prepare for the final phase of the investigation.
On the action day, Europol set up and coordinated a Joint Command Post, allowing participating countries to share live updates and intelligence in real time as enforcement measures unfolded worldwide.
No one is invisible online
As part of the investigation, authorities seized the forum’s database. This enabled the deanonymisation of multiple users who believed they were operating anonymously. Law enforcement officers have engaged directly with several suspects through the same online channels used to facilitate criminal activity.
By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no one is truly invisible online.
Law enforcement authorities proactively are continuing to trace digital trails to unmask additional offenders and establish their real-world identities.
This operation also serves as a warning to the public. When a company or an individual suffers a data breach, stolen information does not simply disappear – it often resurfaces on criminal platforms like this one, where it is reused for scams, identity theft, account takeovers or targeted phishing.
Protecting personal data remains essential. Using strong, unique passwords and enabling multi-factor authentication can significantly reduce the risks if information is exposed.
Authorities from the following countries took part in the investigation:
- Australia
- Belgium
- Canada
- Germany
- Greece
- Kosovo*
- Malaysia
- Netherlands
- Poland
- Portugal
- Romania
- Spain
- United Kingdom
- United States
(* This designation is without prejudice to positions on status, and is in line with UNSCR 1244/99 and the ICJ opinion on the Kosovo declaration of independence.)
The European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats posed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic and operational cooperation between national authorities, EU institutions and bodies, and international partners. EMPACT runs in four-year cycles focusing on common EU crime priorities.
