LeakBase Forum Seized in Global Operation Targeting Stolen Data Market
A coordinated international law enforcement operation has dismantled LeakBase, one of the internet’s most prominent marketplaces for stolen credentials, replacing its homepage with a seizure notice. Visitors to the site are now greeted with a banner stating that the domain has been confiscated by the Federal Bureau of Investigation (FBI), marking the culmination of a targeted crackdown on a platform that facilitated large-scale cybercrime.
The takedown, part of an action codenamed Operation Leak, removed a major hub used by criminals to trade hacked databases, financial information, and cybercrime tools. According to the U.S. Department of Justice, the forum boasted over 142,000 members and contained more than 215,000 messages prior to its seizure in March 2026.
Background and Context
Operating on the clearnet and accessible entirely in English, LeakBase had served as critical infrastructure for the illicit economy since its launch in June 2021. The platform specialized in the sale of "stealer logs"—archives of data harvested by infostealer malware—which included usernames, passwords, and banking details used to facilitate account takeovers and fraud.
Unlike many underground forums that operate without restrictions, LeakBase implemented specific rules to manage its risk profile. A report published by Flare in April 2023 noted that the platform explicitly prohibited users from selling or publishing databases originating from Russia. Analysts suggest this policy was likely intended to minimize scrutiny from Russian authorities and maintain the site's operational security.
Key Figures and Entities
Investigations by cybersecurity firms have traced the administration of LeakBase to a threat actor known as "Chucky," who also utilized monikers such as Chuckies, Sqlrip, and beakdaz across various underground networks. According to analysis by SOCRadar, this individual has a documented history of sharing vast collections of sensitive data from global entities.
Further OSINT analysis by Kela and TriTrace Investigations has linked the Chucky persona to a specific individual. Investigators connected the alias "beakdaz" and associated contact details to Artem Kuchumov, a 33-year-old Russian national from Taganrog. Other key personnel identified on the platform included moderators known as BloodyMery, OrderCheck, and TSR.
Legal and Financial Mechanisms
LeakBase functioned by monetizing the theft of digital identities, offering hundreds of millions of account credentials for purchase. The commercialization of stealer logs allowed lower-skilled criminals to purchase access to compromised financial accounts without conducting the intrusions themselves.
To disrupt this flow, authorities executed search warrants, made arrests, and conducted interviews across eight countries, including the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K. The FBI confirmed that all forum content—including user accounts, posts, credit details, private messages, and IP logs—has been secured for evidentiary purposes, potentially allowing investigators to identify and prosecute the platform's clientele.
International Implications and Policy Response
The operation against LeakBase highlights the growing capability of international law enforcement to target centralized clearnet havens for cybercrime. Europol announced that approximately 100 enforcement actions were conducted globally, including specific measures against 37 of the platform's most active users.
However, the takedown also illustrates the resilience of these digital markets. Just days after the seizure, the forum resurfaced on a new domain, "leakbase[.]bz," signaling the ongoing challenge of permanently eradicating these networks. The rapid migration underscores the need for sustained international pressure and improved information sharing to prevent the reconstitution of illicit marketplaces under new management.
Sources
This report draws on public statements by the U.S. Department of Justice and Federal Bureau of Investigation, press releases from Europol, and industry analysis from Flare, SOCRadar, SpyCloud, Kela, and TriTrace Investigations.