8Base Ransomware Site Seized, Phobos Members Arrested in Thailand
Law enforcement has taken down the dark web leak site of 8Base, a major ransomware group, and arrested four suspected members of the associated Phobos operation in Thailand.
On February 10, 2025, 8Base’s data leak site was replaced with a banner displaying logos of 16 law enforcement agencies, including Europol, the FBI, and the UK’s National Crime Agency (NCA). The banner announced that the site had been seized by the Bavarian State Criminal Police Office on behalf of the Public Prosecutor General’s Office in Bamberg.
That same day, Thai news outlets reported the arrest of four European nationals in Phuket as part of Operation Phobos Aetor. The suspects are accused of stealing $16 million through ransomware attacks on over 1,000 victims worldwide and are believed to be members of the Phobos ransomware group, potentially linked to 8Base.
Thailand’s Cyber Crime Investigation Bureau (CCIB) led the operation, conducting coordinated raids across four locations. Authorities seized laptops, smartphones, and cryptocurrency wallets for forensic analysis.
8Base Used Phobos Decryptor
8Base emerged in March 2022 but gained attention in mid-2023 when it began leaking data from multiple victims.
The group, calling itself “pentesters,” showed advanced techniques, raising suspicions they could be a rebrand or composed of experienced hackers.
In June 2023, VMware noted similarities between 8Base and RansomHouse, such as ransom note styles and their leak site design, though a direct connection remains unconfirmed.
8Base targeted corporate networks, moving laterally while stealing data. Once they accessed the domain controller, they deployed the Phobos ransomware to encrypt devices.
Will Thomas, a SANS instructor and cyber threat analyst, explained that 8Base used Phobos ransomware-as-a-service (RaaS) rather than creating their own ransomware, modifying ransom notes to align with their branding.
For Further Reference