For years, stolen databases and hacked credentials have circulated through forums where cybercriminals trade data almost as casually as files on a message board. One of the largest of those hubs, the LeakBase forum, has now been dismantled after an international law enforcement operation coordinated by Europol.
Authorities from 14 countries carried out an operation that resulted in the seizure of the forum’s domains, the collection of its backend data, and enforcement actions against suspected users and operators. Investigators also executed search warrants, made arrests, and interviewed individuals linked to the platform across several jurisdictions, including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
According to the US DoJ’s press release, the operation targeted the infrastructure behind LeakBase, a long-running cybercrime forum that specialized in distributing stolen databases and credential logs. Law enforcement replaced the site with a seizure notice while investigators secured the platform’s internal records, including user accounts, private messages, payment details, and IP logs that may help identify participants.
A hub for stolen data and credential trading
LeakBase, not to be confused with now defunct LeakBase.pw service, functioned as a marketplace where cybercriminals could buy, sell, or freely share compromised datasets. Many of those datasets contained usernames, passwords, financial records, and other forms of personal and corporate data obtained through breaches or malware campaigns.
Over time, the forum built a massive archive of hacked information that included hundreds of millions of credentials taken from high-profile breaches affecting companies and individuals. These datasets were frequently used to support account takeover attacks, fraud schemes, and further network intrusions.
Unlike many cybercrime platforms that operate only on dark web networks, LeakBase was accessible on the open web and ran primarily in English. That accessibility helped it attract a global user base and allowed even inexperienced actors to browse leaked datasets or purchase stolen information.
According to Europol’s press release, by late 2025, investigators estimate the forum had more than 142,000 registered members, along with tens of thousands of posts and private messages exchanged between users.
How LeakBase emerged after earlier forum takedowns
The rise of LeakBase did not happen in isolation. In fact, its growth followed a pattern seen repeatedly in the cybercrime underground, which is when one forum disappears, another quickly appears to take its place.
After law enforcement dismantled major platforms such as RaidForums and later disrupted BreachForums, many traders and data brokers looked for alternative venues to continue selling stolen information. LeakBase gradually became one of those destinations.
The forum first appeared around 2021 and quickly focused on hosting massive collections of breached data and so-called “stealer logs,” files generated by infostealer malware that harvest credentials from infected systems.
To maintain activity and trust among users, the site used a reputation system and a credit-based model where members could earn standing by sharing data or participating in transactions. That structure helped sustain a busy community built around trading compromised information.
One unusual rule reportedly enforced on the forum prohibited users from posting data related to Russia, a restriction that has appeared on several cybercrime platforms operating in the same pattern.
Inside the international investigation
The takedown followed months of investigative work involving digital forensics, intelligence sharing, and coordinated enforcement across multiple countries.
Authorities carried out around 100 enforcement actions worldwide, targeting dozens of the forum’s most active users. These actions included arrests, house searches, and “knock-and-talk” visits intended to identify individuals who used the platform for cybercrime activity.
Europol supported the investigation by mapping the forum’s infrastructure and linking activity on the platform with ongoing cybercrime investigations across Europe and other regions. Analysts at the agency also helped process seized data and connect digital evidence with suspects and victims.
Seizing the forum’s database was a particularly valuable step for investigators. The data includes internal communications and user records that could help law enforcement deanonymize individuals who believed their activity on the platform was hidden.
Another strike against cybercrime marketplaces
The shutdown of LeakBase adds to a series of coordinated international operations targeting online platforms that enable cybercrime. Earlier today, Europol also announced the dismantling of the infamous Tycoon 2FA phishing kit and its infrastcuture including seizing over 300 domains.
This shows the law enforcement agencies have changed their focus from individual hackers to the services that support large-scale criminal activity, including forums, malware marketplaces, and phishing infrastructure. Removing these platforms disrupts the supply chains that allow stolen data and attack tools to circulate.
However, the history of underground forums suggests replacements often appear quickly. Communities built around trading stolen information tend to regroup on new platforms after a takedown.
Waqas
