As part of an international operation in Thailand, 4 Russian hackers from one of the most active ransomware groups in 2024, 8base, were arrested. Servers and a darknet leak site were also seized.
As part of an international operation in Thailand, 4 Russian hackers from one of the most active ransomware groups in 2024, 8base, were arrested. Servers and a darknet leak site were also seized.
Four people who led the 8Base ransomware group were arrested last week. The individuals, all Russian nationals, are suspected of deploying a variant of the Phobos ransomware to extort significant sums of money from victims in Europe and beyond, Europol said .
The international operation, called Phobos Aetor, took place on the island of Phuket, Thailand, with the support of Europol and Eurojust and the participation of law enforcement agencies from 14 countries.
During the investigation, experts managed to warn a total of 240 companies from 30 countries about the encryption. Among them, about 55 American, 35 French, 25 Japanese and 18 German companies, according to the Bavarian police.
On Tuesday, the US Department of Justice announced charges against two suspects, 33-year-old Roman Berezhny and 39-year-old Yegor Nikolayovich Glebov, who are accused of running the 8base criminal organization, which “caused harm to public and private organizations by deploying the Phobos ransomware.”
The four suspects are accused of embezzling $16 million through attacks on 17 organizations in Switzerland.
Last year, the FBI warned that Phobos was being used to attack local governments, emergency services, healthcare facilities, and other critical infrastructure across the United States.
On Sunday, February 9, 2025, the IT infrastructure used by the 8Base group was seized and taken out of service by the Bavarian State Criminal Investigation Office. The Bamberg District Court had previously ordered the seizure of 115 servers. A further 15 servers were seized on the orders of the Bavarian Cybercrime Center. During the execution of the sentence, around 25 servers that were still actively used by the group were discovered and deactivated.
