A major international police operation has resulted in the arrest of two individuals suspected of carrying out ransomware attacks worldwide. The operation also led to the takedown of dark web platforms associated with a notorious cybercrime group.
Suspects Arrested in Thailand
Law enforcement authorities apprehended two Russian nationals in Phuket, Thailand, accusing them of orchestrating cyberattacks on businesses and institutions across multiple countries. Reports suggest that their activities led to financial losses amounting to millions of dollars, with ransom payments made in cryptocurrency.
The investigation was conducted in collaboration with Swiss authorities, who have requested the extradition of the suspects. Officials believe that these individuals were behind ransomware attacks on at least 17 Swiss organizations between April 2023 and October 2024.
How the Cyberattacks Were Carried Out
The hackers allegedly infiltrated computer networks, encrypting crucial data and demanding payment in digital currency in exchange for restoration. Victims who refused to pay faced the risk of having their sensitive information leaked online.
Authorities revealed that the attackers used Phobos ransomware, a type of malicious software designed to lock files and prevent access unless a ransom is paid. Over time, the hackers are believed to have amassed around $16 million from their victims.
To make tracking difficult, the ransom payments were processed through cryptocurrency mixing services, which obscure transaction details and the final destination of funds.
Dark Web Platforms Shut Down
In a simultaneous effort, law enforcement agencies also took control of websites used by the 8Base ransomware group. These platforms functioned as communication hubs where cybercriminals engaged with victims, demanded ransoms, and published stolen data when their demands were not met.
Now, visitors attempting to access these sites see a law enforcement notice confirming that they have been seized. The operation was an international effort, with agencies from Europe, the United States, and Asia working together to dismantle the group's online infrastructure.
Who Are the 8Base Hackers?
The 8Base cybercriminal group surfaced in early 2022 but remained relatively unnoticed until mid-2023, when they intensified their ransomware operations. While they publicly identified themselves as "ethical hackers" conducting penetration testing, cybersecurity experts argue that their activities were anything but legal.
Some researchers suspect that 8Base could be linked to an older ransomware group, as their ransom notes and data leak strategies resemble those used by another criminal organization. However, this connection has yet to be verified.
How Their Ransomware Worked
Once inside a company's system, these hackers moved through different devices, gaining deeper access to networks. Their ultimate goal was to control the central system managing all devices. When they achieved this, they deployed Phobos ransomware, encrypting files and appending .8base or .eight extensions to the locked data.
Victims would then receive a ransom note demanding a payment, sometimes reaching millions of dollars — to restore access and prevent public data leaks.
Cyberattacks like these have severe financial and operational consequences for businesses, hospitals, and governments. In 2023, authorities warned that 8Base was increasingly targeting healthcare organizations, raising concerns over the security of sensitive medical records.
This recent crackdown represents a substantial step in combating ransomware threats, but experts warn that cybercriminals are constantly developing their tactics.
