8Base ransom gang members arrested, operations seized by international authorities


Alleged members of the 8Base ransomware group have been arrested in Thailand, shuttering the group’s operations as part of a coordinated effort between Thai cyber police and international authorities in Phuket on Monday.

The 8Base ransomware group, active since 2022, had its servers seized by Bavarian cyber police in collaboration with Thai police, Europol, the US, Switzerland, France, Romania, Japan, the Czech Republic, the UK, and others.

In Phuket, Thailand, authorities arrested four suspected members of the ransomware group for carrying out attacks on at least 17 Swiss firms between April 30th, 2023, and October 26th, 2024, local Thai news outlet The Nation reported on Monday.


The suspected hackers – two men and two women, all Russian nationals – are accused of “causing significant damage and stealing $16 million in bitcoin from 1,000 global victims,” The Nation said in its report.

The US Justice Department (DoJ) has charged two of the hackers by name, 33-year-old Roman Berezhnoy and 39-year-old Egor Nikolaevich Glebov, accusing the duo of carrying out a spate of ransomware attacks from May 2019 through at least October 2024.

[Image: 8Base seizure notice. Image by US Department of Justice]

According to US court documents, Berezhnoy and Glebov are charged not only with running the 8Base ransomware group but with running other operations as well, including one known as “Affiliate 2803.”

“The hackers demanded cryptocurrency payments for decryption keys and threatened to publish stolen data if ransoms weren’t paid. They also used cryptocurrency mixing services to obscure transaction trails,” according to a report by Khaosod English, another local news outlet.

Describing the effort, nicknamed “Operation PHOBOS AETOR,” the Commissioner of the Thai Cyber Crime Investigation Bureau, Police Lt. General Trairong Phiewpha, told local news that cyber police and local immigration officers had carried out searches at four different locations for the unnamed individuals, based on warrants from the US and Swiss governments and Interpol.

During the raid, cyber police were said to have seized over 40 items of evidence, “including laptop computers, smartphones, and digital wallets.”

Alongside the arrests, the DoJ announced that over 100 servers associated with the criminal network were disrupted in a parallel operation carried out this week by the FBI, Europol, and German authorities.


DoJ officials say the two men each face an 11-count indictment, including wire fraud conspiracy, conspiracy to commit computer fraud and abuse, intentional damage to protected computers, extortion, transmitting a threat to impair the confidentiality of stolen data, and unauthorized access and obtaining information from a protected computer.

If convicted, the two face a maximum prison sentence of 5 to 20 years on each of the various counts, the DoJ said. All four suspects are expected to be extradited to Switzerland, reported Khaosod English.

8Base ransomware attacks targeted at least 1000 victims

8Base, ranked by NCC Group threat researchers as the second busiest ransomware gang in the first half of 2023, is a known double-extortion group and a consistent user of the Phobos ransomware variant.

The cybersecurity firm, which first did a deep dive on the gang in May 2023, said 8Base not only made it into the “top ten most active threat actors that month, but also took the second position accounting for 15% (67) of all attacks” that took place. (Only the infamous LockBit group outdid the gang that May, with a recorded 78 victims.)

Commonly targeting smaller businesses, including those in the technology, manufacturing, agricultural, transportation, and financial sectors, the gang of self-proclaimed “honest and simple pentesters” appears to have made one last successful push on January 3rd of this year, posting a handful of victims on its still-active Telegram channel.

[Image: 8Base victims on the gang's Telegram channel. Image by Cybernews.]

The victims’ data, including that of Brazilian luxury linen manufacturer Grupo Buddemeyer, French law firm Voltaire Avocats, and the Swiss branch of global geophysical monitoring specialists SolGeo AG Baugeologie and Geotechnik, was allegedly posted on the 8Base leak site on January 13th, 2025.


No other victims have been posted by the gang since January 3rd on its Telegram channel, which was created on May 13, 2023.

NCC also told Cybernews on Monday that the group, whose origin is unknown, had “very specific ‘terms of service,’” which strictly prohibited the involvement of third parties in the negotiation process.

“Many criminal groups and ransomware operators have ‘terms of service,’ particularly instructions issued to their victims,” NCC Group said, pointing out that 8Base’s terms “clearly outlined” this prohibition.


Researchers said they assume the rules laid out by the ransomware group stem from its belief that “professional (third-party) negotiators” are often successful in reducing the ransom demand, something 8Base would obviously want to avoid.

“This is not a new concept – in more ‘traditional’ criminal enterprise, the individual or group issuing a ransom demand often makes further threats if law enforcement or other intermediaries get involved,” NCC Group said.