Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.

LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said. 

The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information. 

“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement. 

Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.

Officials did not immediately name any suspects, but some of the activity occurred in San Diego and Provo, Utah. Officials said the FBI’s field offices in San Diego and Salt Lake City, which is investigating the case, participated in the operation domestically. The Provo Police Department was also involved.

“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.

Authorities identified multiple users who believed they were operating anonymously by seizing the forum’s database.

“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”

Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which has been active since 2021, contained more than 32,000 posts and more than 215,000 private messages. 

Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.

The technical disruption phase got underway Wednesday and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and The Netherlands also support the investigation.

“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.

Leaked training videos suggest that Intellexa retained the ability to remotely access the systems of customers who had used its Predator spyware, raising questions about human rights safeguards, according to an investigation published Thursday.

That was just one finding from a series of separate but overlapping probes released over the past 24 hours. The training video revelations came via a joint investigation by Inside Story, Haaretz and WAV Research Collective in partnership with Amnesty International. Google and Recorded Future also published research Thursday about Intellexa.

“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals [—] raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.

The “Intellexa Leaks” investigation learned more about the U.S.-sanctioned company’s operations as well. One revelation was that Intellexa was exploiting malicious mobile advertisements to infect targets, a vector named “Aladdin,” investigators concluded.

Other findings include confirmation of Predator domains imitating legitimate Kazakhstani news sites, and additional evidence linking Predator spyware to surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, according to Amnesty. And the news publications reported on the first reported Predator infection in Pakistan, of a human rights lawyer, and additional targeting in the country.

A lawyer for Intellexa founder Tal Dilian only responded in part to questions from Haaretz, the publication reported, saying that ‘progressive groups rely on biased and politically motivated international organizations that spread unfounded claims, and use journalists, as ‘useful idiots,’ who repeatedly publish so-called investigative reports directed by the same actors.”

The attorney added: “I have not committed any crime nor operated any cyber system in Greece or anywhere else. Any claim suggesting otherwise is false and defamatory. I categorically reject any attempt to link me to events in Greece or to the media campaign surrounding them. I protect my rights and will continue pursuing legal action against those who defame me.”

Recorded Future’s Insikt Group, meanwhile, published a study on individuals and groups connected to Intellexa.

“These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation,” wrote Julian-Ferdinand Vögele, principle threat researcher. “In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.”

On Wednesday, Google said it had identified the companies Intellexa had created to infiltrate the advertising ecosystems, with partners subsequently shutting down the accounts.

Additionally, the firm pointed to one way Intellexa stands out among others.

“Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers,” a blog post from Google Threat Intelligence Group reads. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers.”

The post Intellexa remotely accessed Predator spyware customer systems, investigation finds appeared first on CyberScoop.