Police arrest 4 Phobos ransomware suspects, seize 8Base sites


A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base’s dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.

The arrested individuals, two men and two women, are Europeans who reportedly extorted $16,000,000 worth of Bitcoin from their victims over the years.

The police operation, codenamed “Phobos Aetor,” led to coordinated raids across four locations, where laptops, smartphones, and cryptocurrency wallets were seized for forensic analysis.

The arrests were made at the request of the Swiss authorities, who have asked the Thai government to extradite the suspects.

According to local media reports, the four hackers are said to have conducted ransomware attacks against at least 17 Swiss companies between April 2023 and October 2024.

During the attacks, the threat actors breached corporate networks to steal data and encrypt files. The threat actors then demanded payments in cryptocurrency to provide the decryption keys and prevent the public release of data.

The ransom payments were laundered through cryptocurrency mixing platforms, making it harder for law enforcement to trace the funds to their final wallet.

8Base dark web sites seized

Today, the dark web sites for the 8Base ransomware operation were also seized in what appears to be the same operation.

The 8Base ransomware gang’s negotiation and data leak sites now show a seizure message stating, “THIS HIDDEN SITE HAS BEEN SEIZED. This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”

The seizure message also indicates that “Operation Phobos Aetor” involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom.

BleepingComputer has confirmed that both the 8Base operation’s data leak and negotiation sites were seized as part of the global law enforcement operation.

[Image: Seizure banner on 8Base’s site. Source: BleepingComputer]

8Base is a ransomware group that launched in March 2022, staying relatively quiet until June 2023, when it suddenly began leaking data for many victims.

Although the gang described themselves as simple “pentesters,” their activities and level of sophistication indicated that they were possibly a rebrand of another operation or comprised of experienced hackers.

VMware reported that the gang shares many similarities with RansomHouse, including the style of the ransom notes and the data leak site, but it has not been confirmed they are the same group.

Like other ransomware operations, 8Base would breach corporate networks and quietly spread laterally through devices while stealing corporate data. When they gained access to the domain controller, the threat actors would encrypt devices using the Phobos ransomware encryptor.

When encrypting files, the ransomware appends either the .8base or .eight extension to encrypted files.

During this process, ransom notes are created that demand a payment ranging from hundreds of thousands of dollars to millions in return for a decryption key and the promise to delete, and not publish, the stolen data.
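The behaviour described above, many files on one host gaining the .8base or .eight extension in a short span of time, is something a defender can alert on from file-system rename telemetry. The following is an added example (not code from the article or from any named vendor) that assumes rename events arrive as (ISO timestamp, hostname, new path) tuples; the sample events, the 60-second window and the threshold of five renames are constructed values chosen for illustration.

```python
"""Flag hosts with a burst of renames to 8Base-style encrypted-file extensions.

Added example, not part of the original article. Event format, window size
and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article says the 8Base encryptor appends to encrypted files
SUSPECT_EXTENSIONS = (".8base", ".eight")

# Constructed sample rename events (not real telemetry):
# (ISO-8601 timestamp, hostname, path after rename)
SAMPLE_EVENTS = [
    ("2024-10-01T09:00:00", "ws01", r"C:\Users\a\Documents\q3.xlsx.8base"),
    ("2024-10-01T09:00:02", "ws01", r"C:\Users\a\Documents\plan.docx.8base"),
    ("2024-10-01T09:00:05", "ws01", r"C:\Users\a\Pictures\img1.jpg.8base"),
    ("2024-10-01T09:00:09", "ws01", r"C:\Users\a\Pictures\img2.jpg.8base"),
    ("2024-10-01T09:00:15", "ws01", r"C:\Shares\finance\ledger.pdf.8base"),
    ("2024-10-01T09:00:20", "ws01", r"C:\Shares\finance\notes.txt.8base"),
    # single suspicious rename on another host: below the burst threshold
    ("2024-10-01T09:05:00", "ws02", r"C:\Users\b\Desktop\report.docx.eight"),
    # benign renames that should never match
    ("2024-10-01T09:10:00", "ws03", r"C:\Users\c\Desktop\report.docx.bak"),
    ("2024-10-01T09:10:01", "ws03", r"C:\Users\c\Desktop\report.docx"),
]


def is_suspect_rename(path):
    """True if the new file name ends in one of the 8Base extensions."""
    return path.lower().endswith(SUSPECT_EXTENSIONS)


def detect_bursts(events, window_seconds=60, threshold=5):
    """Return one alert per host that has >= threshold suspect renames
    inside any sliding window of window_seconds.

    Each alert is a dict with host, first_seen (ISO string) and count.
    """
    per_host = defaultdict(list)
    for ts, host, path in events:
        if is_suspect_rename(path):
            per_host[host].append(datetime.fromisoformat(ts))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        best_count = 0
        best_start = stamps[0]
        # two-pointer sweep: advance `start` until the window fits
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, stamps[start]
        if best_count >= threshold:
            alerts.append({
                "host": host,
                "first_seen": best_start.isoformat(),
                "count": best_count,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['count']} encrypted-extension "
              f"renames starting {alert['first_seen']}")
```

The extension strings are the weakest part of this check, since an operator can change them between campaigns; the burst logic is what carries the detection, because mass encryption necessarily produces a rapid run of renames on the same host. In practice the rule should sit alongside ransom-note creation and lateral-movement telemetry rather than stand alone.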

In 2023, the United States Department of Health and Human Services warned that the 8Base operators were targeting organizations worldwide, including those in the healthcare sector.

“According to the group’s attacks, 8Base mostly targets SMB companies based in the United States, Brazil, and the United Kingdom. Other affected countries include Australia, Germany, Canada, and China, amongst others. Notably, no ex-Soviet or CIS countries have been targeted,” explains the HHS bulletin.

“While no known correlation to Russia or other Russian-speaking RaaS groups or affiliates exists, this geographic exclusionary pattern is a hallmark for many Russian-speaking threat actors.”

Some high-profile victims of the ransomware gang include Nidec Corporation, a Japanese tech giant with a revenue of $11 billion, and the United Nations Development Programme (UNDP).
