Wed. Mar 26th, 2025

The Hague, 11 February 2025

A coordinated international law enforcement action last week has led to the arrest of four individuals leading the 8Base ransomware group. The individuals, all Russian nationals, are suspected of deploying a variant of Phobos ransomware to extort high-value payments from victims across Europe and beyond. At the same time, 27 servers linked to the criminal network were taken down. Threat intelligence identifies Phobos and 8Base as among the most active ransomware groups of 2024.

The crackdown follows a series of high-impact arrests targeting Phobos ransomware:

  • An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.
  • A key Phobos affiliate was arrested in Italy in 2023 on a French arrest warrant, further weakening the network behind this ransomware strain.

As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks.

This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both.

Europol played a critical role in bringing together intelligence from these separate investigations, enabling authorities to take down key actors from both ransomware networks in a coordinated effort.

Phobos: A discreet but highly effective ransomware

First detected in December 2018, Phobos ransomware has been a long-standing cybercrime tool, frequently used in large-scale attacks against businesses and organisations worldwide. Unlike high-profile ransomware groups that target major corporations, Phobos relies on high-volume attacks against small to medium-sized businesses, which often lack the cybersecurity defences to protect themselves.

Its Ransomware-as-a-Service (RaaS) model has made it particularly accessible to a range of criminal actors, from individual affiliates to structured criminal groups such as 8Base. The adaptability of this framework has allowed attackers to customise their ransomware campaigns with minimal technical expertise, further fuelling its widespread use.

Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact. This group has been particularly aggressive in its double extortion tactics, not only encrypting victims’ data but also threatening to publish stolen information unless a ransom was paid.

Europol’s coordinating role

With law enforcement efforts spanning multiple continents, Europol played a central role in connecting investigators and coordinating enforcement actions. Supporting the investigation since February 2019, Europol’s European Cybercrime Centre (EC3) has:

  • Brought together intelligence from parallel investigations, ensuring that law enforcement authorities targeting Phobos and 8Base could pool their findings and coordinate arrests efficiently.
  • Organised 37 operational meetings and technical sprints to develop key investigative leads.
  • Provided analytical, crypto-tracing and forensic expertise to support the case.
  • Facilitated intelligence exchange within the Joint Cybercrime Action Taskforce (J-CAT), hosted at its headquarters.
  • Exchanged nearly 600 operational messages via Europol’s secure SIENA network, making this one of EC3’s high-priority cases.

Eurojust organised two dedicated coordination meetings to assist with the cross-border judicial cooperation and provided support with outstanding requests of all authorities involved.

The following authorities took part in the investigation:

  • Belgium: Federal Police (Federale Politie / Police Fédérale)
  • Czechia: Police of the Czech Republic (Policie České republiky)
  • France: Paris Cybercrime Unit (Brigade de lutte contre la cybercriminalité de Paris – BL2C), Court of Paris – National Jurisdiction Against Organised Crime (Juridiction Nationale de Lutte contre la Criminalité Organisée – JUNALCO)
  • Germany: Bavarian State Criminal Police Office (Bayerisches Landeskriminalamt – LKA Bayern), Bavarian Central Office for the Prosecution of Cybercrime (Generalstaatsanwaltschaft Bamberg – Zentralstelle Cybercrime Bayern)
  • Japan: National Police Agency (警察庁)
  • Poland: Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości)
  • Romania: Romanian Police (Poliția Română)
  • Singapore: Singapore Police Force CyberCrime Command
  • Spain: Guardia Civil
  • Sweden: Swedish Police Authority (Polisen)
  • Switzerland: Office of the Attorney General of Switzerland (OAG), Federal Police (fedpol)
  • Thailand: Cyber Crime Investigation Bureau (CCIB)
  • United Kingdom: National Crime Agency (NCA)
  • United States: US Department of Justice (US DOJ), Federal Bureau of Investigation (FBI – Baltimore Field Office), US Department of Defense Cyber Crime Center (DC3)

Source – Europol
