LeakBase admin arrested in Russia after global takedown of stolen-data marketplace

Russian authorities have detained a man from Taganrog who they say ran LeakBase, a major cybercrime forum used to trade stolen credentials, financial data, and hacked databases. The arrest came weeks after an international law enforcement operation seized the platform and its data.

The case matters because LeakBase had grown into one of the larger open-web marketplaces for cybercriminal activity. The U.S. Department of Justice said the forum had more than 142,000 members and over 215,000 messages as of early March 2026, with listings that included hundreds of millions of account credentials and other stolen records.

Russian state media reported that the suspect had managed the site since 2021. The Russian Interior Ministry’s spokesperson, Irina Volk, said the forum allowed the sale of personal databases, bank details, usernames, passwords, and corporate documents obtained through hacking. Other reporting on the arrest says police also seized computer equipment and other evidence during a search of the suspect’s home.

What LeakBase was and why it drew global attention

LeakBase was not a niche forum. According to the DOJ, it operated on the open web in English and maintained a large, regularly updated archive of stolen datasets tied to high-profile breaches. Prosecutors said the marketplace offered data that could support account takeover attacks, payment fraud, and follow-on intrusions against companies and individuals.

On March 3 and 4, law enforcement agencies from 14 countries carried out synchronized actions against LeakBase and some of its users in an operation coordinated through Europol in The Hague. Authorities shut down the forum, seized its data and domains, posted seizure banners, sent warning messages to members, and gathered more evidence for ongoing cases.

The arrest in Russia adds a new twist to that international takedown. Europol told TechCrunch it did not take part in the Russian arrest itself, even though the wider seizure operation involved broad international coordination earlier in March. That distinction matters because it suggests the takedown and the later arrest were connected by timing and subject matter, but not necessarily by the same joint operational chain.

LeakBase by the numbers

What investigators say happened next

Cyber threat intelligence firms and independent investigators had already spent time trying to identify the person behind LeakBase. After the seizure, reporting from KELA and other researchers tied the forum’s administrator aliases to a 33-year-old man from Taganrog. That public attribution effort appears to have lined up with the arrest reports that followed.

The forum also appears to have tried to return online after the takedown. Multiple reports said LeakBase resurfaced on a new domain days after the seizure, which shows how quickly cybercrime services try to rebuild even after major law enforcement disruption.

For investigators, the more important win may sit behind the seizure banner itself. The DOJ said authorities secured forum accounts, posts, private messages, credit details, and IP logs for evidentiary purposes. That means the operation may support many more investigations beyond the administrator’s arrest, especially if member records help identify sellers, buyers, and repeat offenders across other criminal forums.

Key points

• Russian authorities say they detained a Taganrog resident suspected of running LeakBase.
• The DOJ described LeakBase as one of the world’s largest forums for trading stolen data and cybercrime tools.
• Europol said the global action against LeakBase involved 14 countries.
• U.S. authorities say the forum held hundreds of millions of stolen credentials and sensitive records.
• Seized forum data may now help investigators build more cases against users and vendors.

FAQ