LeakBase Admin Arrested in Russia After Massive Stolen Credential Market Takedown

Russian law enforcement has arrested the alleged administrator of LeakBase, a cybercrime forum that investigators say became a major marketplace for stolen personal data. State media outlet TASS and MVD Media, a news site linked to Russia’s Interior Ministry, said the suspect is a resident of Taganrog and was detained for creating and running a criminal platform that has traded stolen databases since 2021.

What Investigators Said

According to Russian Interior Ministry spokesperson Irina Volk, the forum hosted “hundreds of millions of user accounts, bank details, usernames, and passwords, as well as corporate documents obtained through hacking.”

Volk said more than 147,000 users registered on the site, where people could buy and sell the data or use it to carry out fraud against citizens.

Authorities also said they seized technical equipment and other items of evidentiary value during the search of the suspect’s home.

LeakBase was not just a simple message board.

The platform operated openly in English and mixed marketplace features with discussion threads, letting cybercriminals trade leaked databases and so-called stealer logs, which are collections of credentials stolen by infostealer malware.

The U.S. Department of Justice said the forum was one of the world’s largest hubs for criminals buying and selling stolen data and cybercrime tools.

It said the site contained hundreds of millions of account credentials and financial records, including credit and debit card numbers, banking account and routing information, usernames, and associated passwords that could be used in account takeover attacks.

The International Takedown

The Russian arrest comes after a broader international takedown.

In early March, the FBI seized the LeakBase domain at leakbase[.]la as part of “Operation Leak,” an effort coordinated by Europol and involving authorities from 14 countries.

Europol said that on March 3 law enforcement agencies carried out arrests, house searches, and about 100 interventions targeting 37 of the forum’s most active users.

The next day, officials seized the forum’s domain and replaced it with a seizure notice.

That notice told visitors that “all forum content, including users’ accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes.”

Europol said specialists at its headquarters in The Hague analyzed the seized data and generated investigative leads, while the operation also used a Joint Command Post to share real-time intelligence across borders.

In Europol’s account, the effort has now moved into a prevention stage focused on deterring cybercrime and raising awareness.

How Researchers Linked It

Researchers also helped connect the forum to an individual.

KELA and TriTrace Investigations linked LeakBase to an actor using the aliases Chucky, beakdaz, Chuckies, and Sqlrip, and said the person was likely a 33-year-old from Taganrog.

After the original seizure, the forum briefly returned on a new domain, leakbase[.]bz, with DDoS protection provided by DDoS-Guard, according to information a TriTrace Investigations representative shared with The Hacker News.

Visitors then saw a message saying the forum had been permanently closed during a special operation by Russia’s Interior Ministry.

Why It Matters

For investigators, the LeakBase case shows how stolen data can keep moving long after an initial breach.

The DoJ said the forum’s contents could be abused for account takeovers, while Europol said the operation was designed to disrupt a marketplace that helped cybercriminals buy, sell, and exchange compromised information across borders.

Because marketplaces like LeakBase combine data sales with discussion threads, they can make it easier for thieves, brokers, and fraudsters to find one another, according to the DoJ’s description of the forum.

That is why the seizure notices matter: they do not just take down a domain, they also preserve evidence that can help investigators trace usernames, messages, and infrastructure back to real people.
