International law enforcement dismantled the 8Base ransomware group, arresting four suspects in Thailand and seizing its infrastructure after over 1,000 global attacks.
A multinational law enforcement effort has successfully taken down the negotiation and data leak sites of the 8Base ransomware group. Authorities arrested four individuals, two men and two women, at different locations in Phuket, Thailand. The suspects now face charges of conspiracy to commit an offense against the United States and conspiracy to commit wire fraud. Officials seized mobile phones, laptops, and digital wallets during the operation.
8Base first emerged in March 2022, operating under the radar until mid-2023, when it began leaking data from its ransomware attacks. Security researchers linked 8Base to the RansomHouse ransomware group due to similarities in their tactics, though it remains unclear whether the same individuals were involved in both operations.
The group was responsible for over 1,000 ransomware attacks globally, with healthcare organizations among the victims. The U.S. Department of Health and Human Services (HHS) flagged 8Base as a threat in late 2023, particularly for targeting small and mid-sized businesses with weak cybersecurity defenses. Using phishing emails, exploit kits, and drive-by downloads, the group breached networks, deployed Phobos ransomware, and encrypted files with extensions such as .8base or .eight.
Although it did not secure massive individual ransoms, 8Base operated at high volume, collecting more than $16 million in ransom payments. The majority of its victims were in the United States, United Kingdom, and Brazil. Like many ransomware operations, the group used double extortion tactics, demanding payment both for file decryption and to prevent the public release of stolen data. The attackers then laundered payments through cryptocurrency mixing services.
The law enforcement operation, dubbed Operation Phobos Aetor, involved multiple agencies, including the U.K. National Crime Agency (NCA), the FBI, Europol, and law enforcement agencies from 11 countries, including Germany, Switzerland, and Thailand. Authorities have taken down 27 servers and seized 8Base’s infrastructure, replacing its sites with seizure notices from the Bavarian State Criminal Police Office. Europol also identified over 400 potential victims and warned them of ongoing or imminent attacks.
Swiss authorities initiated the arrests, requesting that the Thai government extradite the suspects to face charges related to ransomware attacks on 17 Swiss companies between April 2023 and October 2024. Europol confirmed that all four arrested individuals are Russian nationals.
The takedown of 8Base proves that cybercriminals are never beyond reach. Ransomware groups rely on anonymity and fragmented law enforcement efforts to stay ahead, but international agencies are closing those gaps. Dismantling infrastructure, arresting those responsible, and exposing their methods weaken the foundation of these operations. Every successful takedown raises the stakes for cybercriminals, making ransomware a riskier and less lucrative enterprise. The fight continues, but coordinated efforts are turning the tide against organized cybercrime.
Ransomware operators can be charged with conspiracy, wire fraud, computer fraud, and money laundering, often leading to extradition and long prison sentences.
Agencies like Europol, the FBI, and national crime units share intelligence, track cryptocurrency transactions, and execute simultaneous arrests across multiple countries.
Many groups share tools, tactics, and even personnel, making it difficult to distinguish between separate operations and successor groups.
Law enforcement typically dismantles servers, analyzes digital evidence, and replaces ransomware sites with seizure notices to deter future attacks.
In some cases, authorities recover decryption keys or seize ransom payments, but victims are generally advised to restore data from backups rather than pay ransoms.