The takedown banner on 8Base's site.

8Base ransomware site taken down as Thai authorities arrest 4 connected to operation

The leak site for the 8Base ransomware gang was taken down Monday and replaced with a banner by multiple law enforcement agencies. 

The takedown notice was posted hours after news outlets in Thailand reported on the arrest of four people allegedly involved in the ransomware operation. 

When asked for comment, a spokesperson for Europol told Recorded Future News that it “is supporting an international operation against a ransomware group,” but declined to offer more information, saying more would be released on Tuesday. Logos for the FBI, the U.K.’s National Crime Agency and federal police agencies from countries including Germany, the Czech Republic and Switzerland were on the takedown banner, in addition to Europol’s emblem.

The takedown notice says, “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg.”

Both offices and the FBI did not respond to requests for comment about the operation. 

8Base is a relatively new ransomware operation that ramped up its activity in the summer of 2023. The group claimed responsibility for high-profile attacks on the United Nations Development Programme and the Atlantic States Marine Fisheries Commission as well as a Canadian agency that administers dental benefit plans for disabled people in Alberta.

Researchers from VMware previously said that while the group was new, its speed and efficiency “do not indicate the start of a new group but rather signify the continuation of a well-established mature organization.” Other researchers tied 8Base to ransomware operations including RansomHouse and Phobos. 

Recorded Future ransomware expert Allan Liska said 8Base is an example of ransomware actors improving their capabilities and skills over time. 

“When they first started, the code overlap with Phobos was close to 100%. But, as they have received ransom payments they’ve invested that money into improving the code, so now the code overlap with Phobos is significantly less,” he said. 

Phuket arrests

The news of the takedown coincided with reports from Thailand about the arrest of four suspects in Phuket, a tropical tourist destination in the south. Thai officials called the operation “PHOBOS AETOR” and said four Europeans were arrested under accusations that they stole $16 million through ransomware attacks on more than 1,000 victims around the world. 

The suspects — two men and two women — were not named, but Thailand’s Cyber Crime Investigation Bureau said Swiss and U.S. authorities had issued warrants for their arrest. 

Raids were conducted across four locations in Phuket, Thai police said, adding that the suspects now face several U.S. charges of wire fraud and conspiracy. There were also Interpol warrants, according to Thai news outlet Khaosod.

The four are accused of attacking 17 Swiss companies and using cryptocurrency mixing services to launder the funds received through ransom demands. 

Liska said 8Base typically targeted manufacturing companies and also focused its efforts on attacking the U.S. and the Netherlands. 

In November, the Justice Department indicted Russian national Evgenii Ptitsyn for his role in Phobos after he was extradited from South Korea. Several researchers noted at the time of his arrest that 8Base activity decreased following his extradition.

The takedown comes after several high-profile ransomware gang disruptions that appear to have had tangible impacts on the amount of ransoms paid in 2024. 

Following law enforcement takedowns of major gangs like LockBit and AlphV/BlackCat, 2024 saw a 35% dip in extortion payments compared to 2023 — dropping from $1.25 billion to $812.55 million last year. 

“We saw a strong law enforcement presence targeting ransomware groups in 2024 and it is great to see this continue into 2025,” Liska said. “Sustained law enforcement action appears to be one of the best ways to slow down ransomware attacks.”

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.