In a significant breakthrough against global cybercrime, Thai authorities announced today the arrest of four European nationals linked to the notorious 8Base ransomware group.
The operation, codenamed “Phobos Aetor,” culminated in the seizure of the group’s dark web infrastructure and the apprehension of two men and two women accused of orchestrating ransomware attacks that affected over 1,000 victims worldwide.
The suspects, whose identities remain undisclosed, were arrested in coordinated raids across four locations in Phuket. The Cyber Crime Investigation Bureau (CCIB), led by Police Lieutenant General Trairong Phiwphan, conducted the operation in collaboration with Immigration Police and Region 8 Police.
The arrests were made following urgent requests from Swiss and U.S. authorities, who had issued Interpol warrants for the suspects.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA5VBp5o0bnFdBkA34FIWdDlu2WtqSQoPcDnY_EdB2GlKbxwfBCoZEiT33rjJrkWtDEuURbLC6gBEDir0jMg3Qxeq-LGLLr8EJFOVIU3t3k8lV1-e9adbPFHEdS_vNgAxGLIP8eJJNimSuHc8x1Z9HeczEy_PBaHbXJBNTDI3suYVwVAj71uAm35x3n-tw/w640-h462/8base%20carck%20new.webp)
Evidence Seized and Charges Filed
During the raids at the Mono Soi Palai, Supalai Palm Spring, Supalai Vista Phuket, and Phyll Phuket x Phuketique Phyll residences, law enforcement officials confiscated over 40 items of evidence, according to Thai media reports.
These included laptops, mobile phones, and cryptocurrency wallets believed to contain proceeds from ransomware payments. The suspects now face charges of conspiracy to commit wire fraud and offenses against the United States.
The group is accused of deploying Phobos ransomware, a variant used by 8Base to compromise corporate networks globally. Between April 2023 and October 2024 alone, they allegedly targeted 17 Swiss companies.
Their modus operandi involved breaching networks to steal sensitive data, encrypting files, and demanding cryptocurrency payments for decryption keys. Victims who refused to pay were threatened with public exposure of their stolen data.
Authorities estimate that the group’s activities caused damages exceeding $16 million (approximately 560 million baht).
The ransomware attacks primarily targeted small to medium-sized businesses across industries such as healthcare, manufacturing, and finance. The United States, Brazil, and the United Kingdom were among the most affected countries.
The 8Base group employed a “double extortion” strategy, encrypting data while simultaneously threatening to leak it on their dark web portal if ransoms were not paid. To obscure their tracks, they utilized cryptocurrency mixing services to launder payments.
The arrests mark a milestone in international law enforcement cooperation. The operation involved agencies from multiple countries, including Switzerland, Germany, Japan, Romania, and the United States. Europol also played a critical role in coordinating efforts across jurisdictions.
As part of the crackdown, Thai authorities confirmed that both the negotiation and data leak sites operated by 8Base on the dark web have been seized. Visitors to these sites now encounter a seizure notice from German authorities on behalf of Bavarian prosecutors.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAPoAOCON5eNgZ3J9dl0c8s9K8O43Z86XUDF0aSqirVvX3DbMnprXsR0ahhBj5J0nH_F-6HuZ0ArN1G6EklsI0ZBqbkO_L0Zi2TjMESMO5HrhY6dDBbXXJVExL7LXizPZHLQFDBj4Exi5w0AMuFq-tgl2MXTTi9wMI00yqU4Wf5ftpwuto6ztlai2E-OrC/w640-h290/8base%20crackdown.webp)
The 8Base ransomware group first emerged in March 2022 but gained notoriety in mid-2023 for its aggressive tactics. Using Phobos ransomware as its primary tool, the group relied on phishing emails and exploited vulnerabilities to gain initial access to victims’ systems. The malware encrypted files with AES-256 and appended a “.8base” extension.
Despite branding themselves as “penetration testers,” claiming to expose organizational negligence regarding data security, experts have consistently identified financial motives behind their operations. The group also drew comparisons with other ransomware collectives like RansomHouse due to similarities in tactics.
While the suspects are currently in custody in Thailand, extradition requests from Switzerland and the United States are under consideration. Investigators are now analyzing seized devices to uncover further details about their operations and potential accomplices.
This high-profile takedown underscores growing international resolve to combat ransomware threats. Authorities hope that dismantling groups like 8Base will serve as a deterrent to other cybercriminal organizations operating on a global scale.