FBI seizes LeakBase cybercrime forum used to trade stolen data

International law enforcement agencies shut down a major cybercrime marketplace and obtained data tied to more than 142,000 users.

What happened

The Federal Bureau of Investigation seized the cybercrime forum LeakBase during a coordinated international law enforcement operation involving agencies from 14 countries. According to BleepingComputer, authorities disrupted the platform on March 3 and 4 by seizing its domains and replacing them with a notice informing users that investigators had taken over the site. Law enforcement preserved the forum’s database, including user accounts, posts, private messages, and IP logs, as evidence while conducting arrests, house searches, and other investigative actions across multiple jurisdictions, including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.

Going deeper

LeakBase had grown into a major cybercrime forum after earlier underground marketplaces shut down. Active since 2021, the site reportedly attracted more than 142,000 members and operated as a marketplace for stolen databases, hacking tools, software exploits, and cybercrime services. The platform also used an escrow system, meaning it temporarily held payments to ensure transactions between buyers and sellers were completed. In addition to selling stolen data, the forum hosted discussions on programming, social engineering tactics that trick people into revealing information, cryptography used to hide communications, and operational security practices used by threat actors to avoid detection. Law enforcement later replaced the site’s domain servers with systems controlled by the Federal Bureau of Investigation, allowing investigators to seize the website infrastructure and preserve evidence connected to the forum’s activity.

What was said

A seizure banner posted on the LeakBase domain warned users that investigators had secured the forum’s data for use in ongoing cases. The notice stated, “All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes.” The message further warned that “attempts to access, alter, or interfere with this site may result in additional criminal offenses,” confirming that authorities had obtained the forum’s internal records as part of the investigation.

In the know

The FBI has also stepped up enforcement against cybercrime infrastructure, recently seizing the RAMP cybercrime forum, a platform used by ransomware groups to advertise services, recruit affiliates, and trade access to compromised networks. Both its Tor site and clearnet domain were replaced with a federal seizure notice, and domain records now point to law enforcement-controlled servers. Investigators believe the takedown could provide access to user messages, registration data, and activity logs, potentially exposing members who relied on the forum to coordinate ransomware operations.

The big picture

The takedown of LeakBase follows a pattern of international law enforcement operations targeting large cybercrime forums that serve as marketplaces for stolen data and hacking tools. Europol has previously coordinated operations that dismantled platforms such as RaidForums and BreachForums, both of which played major parts in distributing breached databases and facilitating cybercrime services. These coordinated disruptions typically combine domain seizures, arrests, and evidence collection to dismantle infrastructure and identify users involved in criminal activity, while also sending a deterrence message to participants in underground marketplaces.

FAQs

What was LeakBase used for?

LeakBase functioned as an online marketplace where cybercriminals could buy and sell stolen databases, hacking tools, and other illicit services.

How many users were affected by the seizure?

Authorities stated that the forum had more than 142,000 members and that the platform’s database was secured during the operation.

What type of evidence did investigators collect?

The seized database includes account information, posts, private messages, payment details, and IP logs associated with forum activity.

Was this a US-only investigation?

No. The operation involved international cooperation among law enforcement agencies across multiple countries, coordinated through Europol.

Why do law enforcement agencies target cybercrime forums?

Forums often act as central marketplaces where threat actors exchange tools, data, and services. Disrupting them can expose users, interrupt criminal activity, and support future investigations.