Major Hub of Stolen Data and Large Phishing Operation Neutralized in Separate Takedown Efforts
LeakBase was an online marketplace where more than 142,000 members browsed, bought, and sold stolen information, one of the largest known networks of its kind. It remained so until a global operation involving authorities in 14 countries took the site down this week.
“This is the third major criminal data forum we've taken down in four years, after RaidForums and BreachForums,” wrote Brett Leatherman, assistant director of the FBI’s Cyber Division, on LinkedIn. “The message is consistent: we will find you, we will dismantle the platforms you depend on, and we will impose real consequences.”
The operation was just one of two major, and successful, efforts to disrupt malicious online activity this week.
LeakBase. The site housed hundreds of millions of data records stolen from companies and individuals, including network credentials, bank account numbers, credit and debit card numbers, personal information such as birthdays and Social Security numbers, sensitive business information, network vulnerability information, and other sensitive records—all offered for sale and access by one cybercriminal to another.
Leatherman noted that while the site has been shut down, much of the data that was on it is still widely circulated. He recommended that companies implement the FBI’s Winter SHIELD program, a set of strategies organizations can use to improve their cyber resilience.
Europol reported that more than 100 enforcement actions occurred worldwide on 3 March and actions specifically targeted 37 of the most active users of the platform. Search warrants, person-of-interest interviews, and arrests were made in Australia, Belgium, Poland, Portugal, Romania, Spain, the United Kingdom, and the United States.

Photo source: Europol
“This operation shows that no corner of the Internet is beyond the reach of international law enforcement,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre, in a statement. “What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”
Tycoon 2FA. In another major cybersecurity action this week, European governmental agencies and a group of security companies led by Microsoft dismantled Tycoon 2FA, a major vector for phishing attacks. The Tycoon 2FA platform “allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks,” CyberScoop reported.
Microsoft said the platform was responsible for tens of millions of phishing messages sent to more than 500,000 organizations worldwide.
“The phishing kit… was sold to cybercriminals on Telegram and Signal for $350 a month,” CyberScoop reported. “The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track, and refine their campaigns.”
Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) had previously filed a civil complaint against the alleged creator of the platform. The court allowed Microsoft to seize the more than 300 domains that powered the platform, dismantling it.
In addition to Microsoft, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud, and Trend Micro assisted in the dismantling operation. Law enforcement from Latvia, Lithuania, Portugal, Poland, Spain, and the UK participated in the Europol-coordinated operation.
“Cybercrime operates across borders, and effective response must do the same,” wrote Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, in a blog post. “Disrupting Tycoon 2FA spanned multiple jurisdictions, underscoring why sustained, coordinated pressure is essential, especially as cybercrime becomes more scalable through automation and AI. … Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow‑on attacks such as data theft, ransomware, business email compromise, and financial fraud.”