A coordinated law enforcement operation spanning 14 countries has dismantled LeakBase, one of the world's largest online forums for the trade of stolen data and cybercrime tools. The U.S. Department of Justice (DOJ) and Europol announced the takedown on March 4, 2026, following two days of synchronized raids, arrests, and technical seizures that knocked the forum offline and replaced it with a law enforcement splash page.
The operation marks the latest in a series of increasingly aggressive international actions against cybercriminal marketplaces, following the disruption of RaidForums in 2022, BreachForums in 2023, and the conviction and sentencing of the BreachForums founder in 2025.
LeakBase had been active since 2021 and had grown into what Europol described as "a central hub in the cybercrime ecosystem." Operating on the open web and in English, the forum specialized in the trade of leaked databases and so-called "stealer logs"—archives of stolen credentials harvested through infostealer malware. By December 2025, the platform had amassed more than 142,000 registered users, approximately 32,000 posts, and mor than 215,000 private messages.
The forum maintained a vast, continuously updated archive of hacked databases, including credentials from high-profile breaches, totaling hundreds of millions of account records. According to the DOJ, available data included credit and debit card numbers, bank account and routing information, usernames and passwords, and other sensitive personal and business information. A credit-based internal economy and reputation system helped sustain trust among users. One notable internal rule, highlighted by Europol, prohibited the sale or publication of any data related to Russia.
The takedown unfolded in three phases. On March 3, law enforcement authorities carried out enforcement actions across multiple jurisdictions, including arrests, house searches, and "knock-and-talk" interventions. According to Europol, roughly 100 enforcement actions were conducted worldwide, with measures specifically targeting 37 of the forum's most active users. Search warrants and arrests were executed in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
On March 4, authorities entered the technical disruption phase, seizing the forum's database and its two domains and replacing the site with a seizure banner. A third phase—focused on prevention and deterrence—is now underway, with law enforcement sending warning messages to LeakBase members and continuing to trace digital trails to identify additional offenders.
In a striking detail, investigators contacted suspects directly through the same online channels the suspects had used for criminal activity—a deliberate move intended to demonstrate that anonymity on such platforms is illusory.
U.S. and European officials used the announcement to send a blunt message to cybercriminals. Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division said the takedown "disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking, and account credentials," adding that the Criminal Division would continue to leverage international partnerships to protect victims.
U.S. Attorney Melissa Holyoak of the District of Utah, which is prosecuting the case, called it a demonstration of "extraordinary cooperation with our international partners," and pledged that her office "remains steadfast in our commitment to investigate and seek justice for Americans who are targeted by individuals attempting to hide behind foreign borders."
FBI Assistant Director Brett Leatherman of the Cyber Division emphasized the evidentiary haul, noting that authorities seized "users' accounts, posts, credit details, private messages, and IP logs." He added, "No criminal is truly anonymous online."
From the European side, Edvardas Šileris, head of Europol's European Cybercrime Centre, said the operation showed that "no corner of the internet is beyond the reach of international law enforcement," warning that those "who believed they could hide behind anonymity are being identified and held accountable."
Europol played a central coordinating role throughout the investigation. Its analysts mapped the forum's infrastructure and user activity, cross-matching data with ongoing investigations across Europe and beyond. A dedicated data scientist helped structure millions of data points into actionable leads. On the day of the operation, Europol established a Joint Command Post at its headquarters in The Hague, enabling participating countries to share live updates in real time. The work was carried out under the Joint Cybercrime Action Taskforce (J-CAT).
The LeakBase takedown is the third major disruption of a cybercrime forum in four years, following RaidForums and BreachForums. The pattern suggests that international law enforcement has developed a repeatable playbook for infiltrating, mapping, and dismantling these platforms—and that successor forums can expect to face the same fate. The DOJ noted that its Computer Crime and Intellectual Property Section has secured convictions of more than 180 cybercriminals since 2020, and obtained court orders for the return of more than $350 million in victim funds.
Europol used the occasion to remind the public that data stolen in breaches does not simply disappear—it resurfaces on platforms like LeakBase, where it fuels scams, identity theft, account takeovers, and targeted phishing. Both agencies urged individuals and organizations to use strong, unique passwords and to enable multi-factor authentication for all accounts.
The operation involved law enforcement authorities from Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, the Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom, and the United States. The FBI Salt Lake City Field Office led the U.S. investigation, with support from the FBI San Diego Field Office, the Utah Department of Public Safety, and the Provo Police Department. The case is being prosecuted by the DOJ's Computer Crime and Intellectual Property Section and the U.S. Attorney's Office for the District of Utah.
Anyone with information regarding LeakBase is asked to contact the FBI at FBI-SU-Leakbase@fbi.gov.