News: 1739225713


All your 8Base are belong to us: Ransomware crew busted in global sting

(2025/02/10)


An international police operation spanning the US, Europe, and Asia has shuttered the 8Base ransomware crew's dark web presence and resulted in the arrest of four European suspects accused of stealing $16 million from more than 1,000 victims worldwide.

The 8Base ransomware group has been active since 2022. Bavarian police seized the gang's dark web portal, as [1]spotted by a security researcher on Monday. Both Europol and the UK's National Crime Agency (NCA) have confirmed to The Register that they have been involved in the police action.

"The NCA has played a supportive role on this," an NCA spokesperson told us. Europol said that it would be releasing more information on Tuesday at 1400 CET, and the FBI and Bavarian authorities have yet to reply to requests for comment.

[2] 8Base dark web site shuttered. Source: cR0w

Thai police [3]showed local media the four arrested European suspects after coordinated raids in Phuket. The arrests netted over 40 pieces of evidence, including phones, cryptocurrency wallets, and laptops, they said.

Swiss and US authorities have reportedly requested the suspects' extradition but had no comment at the time of publication. The suspects are wanted on charges including conspiracy to commit an offense against the United States and conspiracy to commit wire fraud, according to reports.


The Thai arrests were part of "Operation Phobos Aetor," which some believe hints at a connection between 8Base and the Phobos ransomware crew. Phobos' operations took a hit after its [5]IT admin was cuffed last year and extradited to the US, but some researchers believe the group has ties to [6]8Base.


8Base claimed to have targeted German carmaker Volkswagen - although the auto giant [8]didn't seem too concerned about what they'd managed to steal.

[9]Another banner year for ransomware gangs despite takedowns by the cops

[10]How cops taking down LockBit, ALPHV led to RansomHub's meteoric rise

[11]Change Healthcare registers pulse after crippling ransomware attack

[12]Stanford University failed to detect ransomware intruders for 4 months

The 8Base ransomware group was technically established in 2022, but its leak site didn't go live until May 2023. It ranked among the [13]top new ransomware operators that year. Security researchers are now monitoring for signs of the gang re-emerging under a new alias or operation.

Some researchers speculated that the shutdown of 8Base's site might have been an exit scam, with the operators pretending to be taken down so they could vanish with their loot. Ransomware gang ALPHV allegedly [14]tried this last year, briefly going dark before rebranding and continuing its operations. However, confirmation from police that they were involved makes an exit scam unlikely. ®




[1] https://cyberplace.social/@cR0w@infosec.exchange/113980139202151093

[2] https://regmedia.co.uk/2025/02/10/8base.jpg

[3] https://www.khaosodenglish.com/news/2025/02/10/thai-swiss-us-operation-nets-hackers-behind-1000-cyber-attacks/


[5] https://www.theregister.com/2024/11/19/suspected_phobos_admin/

[6] https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/?utm_source=chatgpt.com


[8] https://www.theregister.com/2024/10/16/volkswagen_ransomware_data_loss/

[9] https://www.theregister.com/2025/01/31/banner_year_for_ransomware_gangs/

[10] https://www.theregister.com/2024/12/28/lockbit_alphv_disruptions_ransomhub_rise/

[11] https://www.theregister.com/2024/03/08/change_healthcare_restores_first_system/

[12] https://www.theregister.com/2024/03/13/stanford_university_ransomware/

[13] https://www.theregister.com/2024/02/06/akira_and_8base_new_ransomware_research/

[14] https://www.theregister.com/2024/03/08/change_healthcare_restores_first_system/



