Thai authorities detain four Europeans in ransomware crackdown
In a sweeping international law enforcement operation, Thai authorities arrested four Europeans in Phuket, accusing them of orchestrating ransomware attacks affecting Swiss companies worldwide. The suspects are allegedly tied to the 8Base ransomware-as-a-service (RaaS) gang, which extorted $16 million worth of Bitcoin from over 1,000 individuals.
The operation, termed “Phobos Aetor,” reflected a tightly coordinated effort among law enforcement agencies from Europe, Asia, and North America. Authorities arrested two men and two women, according to Thai media, and seized the digital infrastructure — laptops, smartphones, and digital wallets — that supported their activities.
Ransomware has emerged as a formidable threat in cybercrime, enabling perpetrators to breach digital networks, encrypt critical data, and demand payments for decryption keys. The 8Base group, active since March 2022, is notorious for its dual extortion tactics — encrypting data and threatening to leak sensitive information unless a ransom was paid.
The detainees, whose identities remain undisclosed, were allegedly involved in compromising the networks of 17 companies in Switzerland between April 2023 and October 2024.
On Tuesday, the Justice Department unveiled criminal charges against two Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, who were allegedly responsible for hacking into networks, stealing and encrypting data, and extorting victims for ransom under the threat of public data exposure if payments weren’t made. The indictment charges Berezhnoy and Glebov with multiple offenses, including wire fraud and computer fraud, each carrying significant prison terms if convicted. These legal proceedings follow the earlier arrest and extradition of Evgenii Ptitsyn, related to administering the Phobos ransomware for the 8base gang.
Additionally, the data leak site domain used by the 8Base group had a seizure notice posted Monday, bearing the insignia of several law enforcement agencies, including the FBI and the DoD Cyber Crime Center.
In the cybercrime underground, 8Base positioned itself as a data-extortion operation rather than a traditional ransomware entity, gaining notoriety due to the vast number of victims displayed on their data leak site. The group was extremely active in 2023 to the point that the group combined with two other notorious RaaS gangs — Cl0p and LockBit — to account for 48% of all cyberattacks recorded in July of that year.
Takedowns of cybercriminal infrastructure have increased, with a FBI official saying last year the bureau helped orchestrate 30 operations in which infrastructure was seized. In February 2024, a coordinated operation led by the U.K.’s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit’s infrastructure, seizing websites and servers critical to its operations.
The DOJ revealed charges in December against Rostislav Panev, a dual Russian and Israeli national, for his alleged role as a developer in the LockBit ransomware group.
You can read the indictment below.
Update, February 11, 9:15 a.m.: This story was updated with information from the Department of Justice.
