In one of the largest coordinated cybercrime enforcement operations of 2026, international law enforcement authorities spanning 14 countries have seized and dismantled LeakBase, a major open-web forum specializing in the trade of stolen credentials, breached databases, and infostealer logs. The operation, designated Operation LEAK, was coordinated by Europol's European Cybercrime Centre (EC3) from The Hague and jointly led by the U.S. Department of Justice (DOJ), the FBI Salt Lake City Field Office, and the U.S. Attorney's Office for the District of Utah. The operation unfolded across March 3–4, 2026, and comprised approximately 100 enforcement actions worldwide, including arrests, house searches, and "knock-and-talk" interventions, targeting 37 of the forum's most active users.
What Was LeakBase?
Active since 2021, LeakBase operated as a hybrid forum and marketplace accessible on the open web and entirely in English, a deliberate design choice that lowered the barrier to entry compared to dark-web-only counterparts. By December 2025, the platform had amassed more than 142,000 registered users, approximately 32,000 posts, and over 215,000 private messages. The forum maintained a vast and continuously updated archive of breached databases including hundreds of millions of account credential pairs harvested through infostealer malware and high-profile corporate breaches. Available data included email and password combinations, credit and debit card numbers, banking account and routing information, and other personally identifiable information sufficient to facilitate account takeovers, identity theft, and fraud at scale. LeakBase operated with a credit-based economy and reputation-driven user ranking system that sustained consistent platform engagement. Notably, one of the forum's documented internal rules prohibited the sale or publication of data relating to Russia, a common feature among forums with suspected ties to Eastern European cybercrime ecosystems.
Enforcement Timeline: A Two-Phase Operation
The operational phase of Operation LEAK unfolded across two distinct stages consistent with Europol's established methodology for major cybercrime forum dismantlements:
- March 3, 2026, Enforcement Phase: Law enforcement in participating countries conducted synchronized arrests, house searches, and knock-and-talk interventions. Roughly 100 enforcement actions were executed globally targeting 37 of LeakBase's most active users. Search warrants were executed in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
- March 4, 2026, Technical Disruption Phase: Authorities seized LeakBase's domains and replaced them with an official law enforcement splash page. Confirmed seized domains included leakbase.co, leakbase.io, leakbase.ws, and leakbase.la. DNS records were redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov, a change first detected via passive DNS monitoring at approximately 11:45 AM UTC on March 4. The DOJ confirmed seizure of the forum's full database and two primary domains under court orders from the District of Utah, issued pursuant to Title 18, United States Code, Sections 981 and 982.
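As an added example (not part of the original article and not any agency's tooling), the following Python shows how the nameserver change described above can be picked out of passive DNS data by flagging the first observation where a domain's whole NS set sits under seized.gov. The records, pre-seizure nameservers, the unrelated domain and the exact timestamps are constructed; only the LeakBase domains and the seized.gov nameservers come from the article.

```python
from datetime import datetime, timezone

SEIZURE_NS_SUFFIX = ".seized.gov"  # suffix of the nameservers named in the article

# Constructed passive-DNS rows: (first_seen_utc, domain, NS rrset).
# Pre-seizure nameservers and unrelated.example are placeholders.
SAMPLE_PDNS = [
    ("2026-03-04T11:45:00Z", "leakbase.la",
     ["NS1.FBI.SEIZED.GOV.", "ns2.fbi.seized.gov."]),
    ("2026-02-10T09:00:00Z", "leakbase.la",
     ["ns1.placeholder-dns.example.", "ns2.placeholder-dns.example."]),
    ("2026-02-10T09:05:00Z", "leakbase.io", ["ns1.placeholder-dns.example."]),
    ("2026-03-04T11:47:00Z", "leakbase.io",
     ["ns1.fbi.seized.gov.", "ns2.fbi.seized.gov."]),
    # Look-alike host that merely embeds the string; must not be flagged.
    ("2026-03-04T12:00:00Z", "unrelated.example",
     ["ns1.fbi.seized.gov.placeholder.example."]),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.strip().lower().rstrip(".")

def is_seizure_ns(host):
    # The leading dot in the suffix forces a match on a label boundary.
    return normalize(host).endswith(SEIZURE_NS_SUFFIX)

def find_seizures(rows):
    """Map each domain to the first time its entire NS set was under the
    seizure suffix, plus the NS set seen immediately before (None if no history)."""
    events, last_ns = {}, {}
    for ts, domain, rrset in sorted(rows, key=lambda r: parse_ts(r[0])):
        domain = normalize(domain)
        ns = sorted(normalize(h) for h in rrset)
        seized = bool(ns) and all(is_seizure_ns(h) for h in ns)
        if seized and domain not in events:
            events[domain] = {"seized_at": parse_ts(ts),
                              "previous_ns": last_ns.get(domain)}
        last_ns[domain] = ns
    return events

if __name__ == "__main__":
    for dom, ev in sorted(find_seizures(SAMPLE_PDNS).items()):
        print(dom, ev["seized_at"].isoformat(), "previous:", ev["previous_ns"])
```
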
Europol's Role: Data Sprint, J-CAT, and Joint Command Post
Europol's European Cybercrime Centre (EC3) provided the operational backbone for Operation LEAK. Analysts mapped LeakBase's full infrastructure and user activity, cross-matching data against ongoing investigations across Europe and beyond. An operational data sprint at Europol's headquarters brought together specialists to rapidly analyze seized data and identify high-value targets, supported by a dedicated data scientist who extracted and structured millions of data points into actionable investigative leads. The Joint Cybercrime Action Taskforce (J-CAT) coordinated the preparatory phase, while on action days Europol established a Joint Command Post enabling all 14 participating countries to share live intelligence updates in real time.
Legal Framework and DOJ Attribution
The DOJ's involvement was anchored by an affidavit unsealed on March 3, 2026. The FBI's Salt Lake City Field Office led the domestic investigation, with support from the FBI San Diego Field Office, Utah Department of Public Safety, and Provo Police Department. The case is prosecuted by Senior Counsel Matthew A. Lamberti of the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Brent L. Andrus and Carl D. LeSueur for the District of Utah. The DOJ positioned Operation LEAK as a continuation of its campaign against major cybercriminal forums, citing the preceding dismantlements of RaidForums in 2022 and BreachForums in 2023, and the conviction and sentencing of BreachForums' founder in 2025.
Deanonymization and the Prevention Phase
A significant intelligence outcome is the seizure of LeakBase's complete internal database, including user accounts, posts, credit details, private messages, and IP logs, all secured for evidentiary purposes. Europol confirmed that the database enabled the deanonymization of multiple users who had operated under assumed anonymity, with law enforcement contacting suspects directly through the same online channels used to facilitate criminal activity. The operation has now entered a prevention phase. Individuals with information regarding LeakBase are directed to contact the FBI at FBI-SU-Leakbase@fbi.gov.
Intelligence Assessment
Operation LEAK represents a strategically significant enforcement action, signaling that open-web credential markets operating in English present an elevated law enforcement surface area compared to dark-web counterparts. The seizure of the full forum database creates a substantial ongoing investigative dividend, with additional arrests and prosecutions likely as investigators process the data. IntelFusions anticipates that displaced LeakBase users will migrate to successor platforms, consistent with the pattern observed following the RaidForums and BreachForums dismantlements. Organizations with data previously exposed on LeakBase should treat the risk of credential-based attacks as elevated in the near term.
This article is published for threat intelligence purposes. IntelFusions is not affiliated with any threat actor group. Claims described herein have not been independently verified unless explicitly stated.