The Fall of 8Base: A Major Blow to Ransomware Operations

Writer: Tom Malka

Threat Intelligence

Law enforcement just took a massive swing at 8Base, one of the most aggressive ransomware groups in recent years. A coordinated operation between Thailand, Switzerland, and the U.S.



By: Tom Malka, Head of Research, RAKIA

Feb 10, 2025


Who Is 8Base?


If you haven’t been paying attention, 8Base operates like a ghost in the machine—a ransomware group known for its ruthless tactics, high-profile breaches, and sheer unpredictability. Emerging in mid-2022, they made waves by targeting businesses of all sizes with double extortion tactics—encrypting data and threatening public leaks if ransoms weren’t paid. The group deployed Phobos ransomware against 17 Swiss companies between April 30, 2023, and October 26, 2024. The operation has affected over 1,000 victims worldwide, causing damages estimated at $16 million (approximately 560 million baht). While the suspects are in custody with evidence, their identities remain undisclosed as investigations continue.


  • Their MO? They were fast, loud, and highly opportunistic, targeting finance, legal, manufacturing, and tech sectors with precision.

  • Their ransomware? Built off RansomHouse and Phobos, borrowing the best of both to maximize damage.

  • Their victims? Thousands worldwide, including governments, enterprises, and critical infrastructure—no one was safe.

How Did Law Enforcement Take Them Down?

It wasn’t easy. 8Base thrived in the chaos, blending tactics from established ransomware groups while masking their origins. But law enforcement tracked their network, mapped their attack infrastructure, and moved in at the right time.

Thailand and Switzerland played a key role in coordinating arrests and seizing infrastructure, while U.S. cyber teams helped trace financial transactions linked to ransomware payments.

Why This Takedown Matters

8Base wasn’t just another gang—they represented a new breed of ransomware operators:

  • Brutal efficiency. They didn’t waste time with negotiations—either pay, or your data goes public.

  • Rapid deployment. They used pre-encrypted payloads, skipping the usual infection delay.

  • Anonymity. Even in the ransomware world, no one truly knew who was running 8Base—until now.

What Happens Next?


Ransomware doesn’t die—it evolves. With 8Base out of the picture, others will scramble to take their place.

  • Will more arrests follow?

  • Did the takedown compromise other ransomware groups?

  • And most importantly—who's next?

For now, 8Base is down—but the ransomware war is far from over.

