Four individuals suspected of being the leaders of the 8Base ransomware group have been arrested by Thai police for their involvement in stealing approximately $16 million from over 1,000 victims targeted with the Phobos ransomware. The arrests were made in Phuket on February 10 as part of ‘Operation PHOBOS AETOR’, led by Police Lieutenant General Trairong Phiwphan and involving officers from the Cyber Crime Investigation Bureau, Immigration Police, and Region 8 Police.
The suspects, two men and two women, were apprehended following the issuance of Interpol warrants at the request of Swiss and United States authorities. During the operation, mobile phones, laptops, and digital wallets were seized. Additionally, on the same day, the 8Base leak site was taken down by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor in Bamberg, Germany.
According to Europol, the arrested individuals are Russian nationals who held leadership positions within the 8Base ransomware group. The international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some focused on investigating Phobos, others targeted 8Base, with several participating in both efforts. As a result of this coordinated operation, over 400 companies worldwide were alerted to potential ransomware attacks.
The Phobos ransomware, first identified in December 2018, has been commonly used in large-scale cyber assaults against small to medium-sized businesses globally. Its Ransomware-as-a-Service (RaaS) model has made it easily accessible to various criminal actors, including structured groups like 8Base. Leveraging Phobos’s infrastructure, 8Base created its own ransomware variant, utilizing encryption and delivery mechanisms to enhance the impact of their attacks. The group was known for its aggressive double extortion tactics, threatening to publish stolen data unless ransom demands were met.
Throughout 2023, the 8Base ransomware group was highly active, aligning with the decline in Phobos activity in 2024. There is speculation that the two groups are connected through shared affiliates or operators. The periods of inactivity experienced by both groups were believed to be linked to law enforcement interventions affecting their operations. Despite this, 8Base managed to victimize several entities in December 2024, including the Croatian port operating company Luka Rijeka, Canadian firm Mint Pharmaceuticals, and Japanese manufacturer Iseki Agricultural Machinery.
The crackdown on the 8Base ransomware group and the subsequent arrests of its leaders mark a significant victory in the fight against cybercrime. With law enforcement agencies collaborating on a global scale, efforts to dismantle major ransomware operations continue to yield results, safeguarding businesses and individuals from digital threats. The coordination and swift action demonstrated in this case underscore the importance of international cooperation in combating cybercriminal activities.
