The FBI and Europol have knocked one of the internet’s busier password bazaars offline—then walked out with the receipts.
LeakBase, a cybercrime forum accused of selling stolen logins, “stealer logs,” and hacking tools, now shows a law-enforcement seizure banner. Investigators say they didn’t just pull the plug: they captured the site’s database, private messages, and IP address logs—exactly the kind of digital paper trail that can turn anonymous usernames into real-world suspects.
The takedown was part of a coordinated international effort dubbed “Operation Leak,” involving authorities across more than a dozen countries. Officials say the operation led to 13 arrests, 32 searches, interviews with 33 suspects, and roughly 100 law-enforcement actions worldwide, including steps targeting the forum’s 37 most active users.
A major cybercrime marketplace goes dark
By the numbers, LeakBase wasn’t a niche hangout. Authorities describe it as one of the larger online forums catering to cybercriminals, with more than 142,000 registered members, over 33,000 discussion threads, and more than 215,000 private messages exchanged.
Investigators also point to what they say was a constantly updated trove of compromised credentials—hundreds of millions of usernames and passwords—along with other sensitive data that can fuel account takeovers, fraud, and broader network intrusions.
How the FBI pulled off the domain takeover
The key move, officials say, was technical control. The FBI redirected LeakBase’s domain to servers under government control, so anyone typing in the address no longer reached a forum or marketplace—just a seizure notice.
That kind of switch looks simple from the outside. In practice, it typically requires synchronized legal orders, cross-border coordination, and careful timing to prevent administrators from disappearing with backups or shifting infrastructure before investigators can preserve evidence.
Europol—the European Union’s law-enforcement agency that coordinates major cross-border investigations—said partners in 14 countries took part. The goal wasn’t just to shut a website, but to disrupt the ecosystem around it, including hosting and other supporting infrastructure.
Why the seized data matters more than the shutdown
Cybercrime forums have a habit of respawning under new names. That’s why investigators emphasized what they say they preserved: user accounts, forum content, subscription-related payment information, private messages, and IP logs.
For law enforcement, that’s a map of relationships and behavior—who dealt with whom, who vouched for which seller, who moderated disputes, and who moved the most product. Private messages are often where the real business happens: negotiating prices, sharing “samples,” proving access, and arranging payment.
IP logs and metadata can be even more valuable. One slip—logging in without a VPN, using a familiar device, keeping consistent hours—can help investigators connect online activity to a person, a location, or a broader network.
“Premium” access, real-world traces
LeakBase operated on a paid-access model, according to publicly released details, with some users paying a one-time fee of a few hundred dollars for “premium” access. That kind of paywall is common in criminal marketplaces: it weeds out casual lurkers and creates the illusion of a private club.
But monetization also creates trails—accounts, transactions, and technical identifiers—that can become evidence once a platform is seized.
Europol said LeakBase specialized in “stealer logs,” data bundles harvested by malware designed to siphon saved passwords, browser cookies, and session tokens. In plain terms: they can let criminals hijack email, social media, cloud services, and crypto accounts—sometimes even after a victim changes a password.
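Whether a copied session token outlives a password change is decided on the server, so it is something defenders can close off. The sketch below is an added example, not code from the article or from any agency involved; `SessionStore`, its methods and the sample account are hypothetical, and it contrasts a store that ignores password changes with one that ties every session to the credential it was issued under.

```python
import hashlib
import hmac
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Toy server-side session store; every name here is hypothetical."""

    def __init__(self, revoke_on_password_change: bool):
        self.revoke = revoke_on_password_change
        self.accounts = {}   # user -> {"salt", "hash", "epoch"}
        self.sessions = {}   # session token -> (user, epoch when issued)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        prev = self.accounts.get(user, {"epoch": 0})
        # Every credential change bumps the account's epoch.
        self.accounts[user] = {"salt": salt, "hash": _kdf(password, salt),
                               "epoch": prev["epoch"] + 1}

    def login(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                acct["hash"], _kdf(password, acct["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, acct["epoch"])
        return token

    def whoami(self, token: str):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, issued_epoch = entry
        if self.revoke and issued_epoch != self.accounts[user]["epoch"]:
            del self.sessions[token]  # issued under an older credential
            return None
        return user


def old_token_after_reset(revoke: bool):
    """Return who a pre-reset session token authenticates as after a reset."""
    store = SessionStore(revoke)
    store.set_password("alice", "Summer2023!")           # constructed sample data
    copied = store.login("alice", "Summer2023!")         # token as it would sit in a stealer log
    store.set_password("alice", "n3w-long-passphrase")   # victim changes the password
    return store.whoami(copied)
```

With `revoke_on_password_change=False` the old token still resolves to the account after the reset; with `True` it is rejected and deleted on first use.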
A global sweep—with arrests outside the U.S.
The operation stretched across countries including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom, with infrastructure actions reportedly spanning from the Netherlands to Malaysia.
One detail stood out: a senior FBI cyber official, Brett Leatherman, said the investigation took years and was led out of the FBI’s Salt Lake City office—yet no arrests were reported on U.S. soil.
That’s a reminder of how these cases often work. The FBI can lead and coordinate, but arrests and searches frequently happen where suspects live, with local authorities executing warrants under their own laws.
Why stolen-password markets keep booming
Stolen credentials remain one of the cheapest, most reliable ways into someone else’s digital life. A password can unlock email, shopping accounts, workplace systems, and cloud storage—then cascade into bigger compromises through password reuse and account recovery links.
And “stealer” malware makes the business even more efficient by grabbing not just passwords, but cookies and tokens that can keep access alive. For companies, a single compromised VPN or Microsoft 365 login can be the front door to a costly breach.
LeakBase may be offline, but the demand that built it isn’t going away. The bigger question is what investigators can do with the seized data—whether it leads to more arrests, more infrastructure takedowns, and a clearer picture of the people who profit from the internet’s endless supply of reused passwords.
Key Takeaways
- LeakBase was shut down after authorities seized its domain and took control of its database.
- The forum claimed 142,000 members and more than 215,000 private messages.
- Operation Leak led to 13 arrests and about 100 actions worldwide.
- Investigators say they preserved content, private messages, and IP logs.
- The market for stolen credentials remains profitable, driven by stealer logs.
Frequently Asked Questions
What exactly was LeakBase selling?
Authorities described LeakBase as a forum and marketplace where stolen credentials, stealer logs, and hacking tools were traded. The referenced archives included very large credential databases and sensitive data used for account takeovers, fraud, and intrusions.
Why is the seizure of private messages and IP logs so important?
Because these elements can link usernames to behavior, contacts, and sometimes login locations. Private messages are often used to negotiate sales, share proof of possession, or arrange services. IP logs and metadata can help correlate identities and trace infrastructure.
Is shutting down a forum like LeakBase enough to stop credential leaks?
No. A shutdown removes one distribution platform, but stolen data may already be circulating elsewhere. The main value is disrupting the market and collecting evidence to identify and prosecute key operators and sellers, while dismantling part of the infrastructure.
Which countries were mentioned in the operation against LeakBase?
Actions were mentioned in several countries, including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom, as part of a coordinated effort with Europol and international partners.