
All your 8Base are belong to us: Ransomware crew busted in global sting – Source: go.theregister.com


Source: go.theregister.com – Author: Iain Thomson

An international police operation spanning the US, Europe, and Asia has shuttered the 8Base ransomware crew’s dark web presence and resulted in the arrest of four European suspects accused of stealing $16 million from more than 1,000 victims worldwide.

The 8Base ransomware group has been active since 2022. Bavarian police seized the gang’s dark web portal, as spotted by a security researcher on Monday. Both Europol and the UK’s National Crime Agency (NCA) have confirmed to The Register that they have been involved in the police action.

“The NCA has played a supportive role on this,” an NCA spokesperson told us. Europol said that it would be releasing more information on Tuesday at 1400 CET, and the FBI and Bavarian authorities have yet to reply to requests for comment.

8Base dark web site shuttered. Source: cR0w

Thai police showed local media the four arrested European suspects after coordinated raids in Phuket. The arrests netted over 40 pieces of evidence, including phones, cryptocurrency wallets, and laptops, they said.

Swiss and US authorities have reportedly requested the suspects’ extradition but had no comment at the time of publication. The suspects are wanted on charges including conspiracy to commit an offense against the United States and conspiracy to commit wire fraud, according to reports.

The Thai arrests were part of “Operation Phobos Aetor,” which some believe hints at a connection between 8Base and the Phobos ransomware crew. Phobos’ operations took a hit after its IT admin was cuffed last year and extradited to the US, but some researchers believe the group has ties to 8Base.

8Base claimed to have targeted German carmaker Volkswagen – although the auto giant didn’t seem too concerned about what they’d managed to steal.

The 8Base ransomware group was technically established in 2022, but its leak site didn’t go live until May 2023. It ranked among the top new ransomware operators that year. Security researchers are now monitoring for signs of the gang re-emerging under a new alias or operation.

Some researchers speculated that the shutdown of 8Base’s site might have been an exit scam, with the operators pretending to be taken down so they could vanish with their loot. Ransomware gang ALPHV allegedly tried this last year, briefly going dark before rebranding and continuing its operations. However, confirmation from police that they were involved makes an exit scam unlikely. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/02/10/8base_police_arrrest/
