EUROPE – Saturday, March 21, 2026 – A massive international cybercrime operation has culminated in the arrest of four unnamed individuals (4 key figures) of Russian nationality, suspected of leading the notorious 8Base ransomware group. The arrests, coordinated by Europol and involving law enforcement agencies from 14 countries, mark a significant victory against a cybercriminal syndicate responsible for extorting at least $16 million from over 1,000 victims worldwide.
The Charges: Unnamed individuals (4 key figures) Face Severe Penalties
While Europol initially withheld names, the U.S. Department of Justice has unsealed criminal charges against two of the arrested suspects: Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39. Both Russian nationals face a litany of charges, including conspiracy to commit wire fraud and conspiracy to commit an offense against the United States. These charges carry a potential sentence of up to 20 years in prison for each wire fraud-related count and up to 10 years for each computer damage count, with a staggering potential total sentence of up to 100 years. The arrests were executed in Phuket, Thailand, on February 10, 2025, based on Interpol warrants issued at the request of Swiss and United States authorities. The Thai government has been formally requested to extradite the suspects to Switzerland to face charges related to attacks on 17 Swiss companies, indicating the global reach and impact of their illicit activities.
Scale of the Crime: A Global Web of Extortion and Disruption
The 8Base ransomware group, allegedly spearheaded by these four individuals, operated a sophisticated double extortion scheme that crippled businesses and institutions across the globe. Their preferred method involved deploying a customized variant of the Phobos ransomware, appending files with the distinctive “.8base” or “.eight” extensions. Beyond merely encrypting critical data and rendering it inaccessible, the group stole sensitive information, leveraging the threat of public exposure to coerce victims into paying exorbitant ransoms. These illicit proceeds were then laundered through cryptocurrency mixing services, obscuring the financial trail. Over its operational period, which stretched from March 2022, with a significant surge in activity in May and June 2023, the 8Base group is estimated to have extorted at least $16 million. Their criminal footprint encompasses more than 1,000 ransomware attacks worldwide, predominantly targeting small to medium-sized businesses (SMBs) across diverse sectors including business services, finance, manufacturing, healthcare, and critical infrastructure. Notably, victims included the Croatian port operating company Luka Rijeka, Canadian pharmaceutical firm Mint Pharmaceuticals, and even the United Nations Development Programme (UNDP).
Who Are the Unnamed individuals (4 key figures)? Leaders of a Notorious Ransomware Gang
The four arrested individuals, all Russian nationals, are suspected of being key figures in the leadership and operational command of the 8Base ransomware group. While their specific roles within the organization beyond their involvement with 8Base and “Affiliate 2803” have not been fully detailed, the charges against Berezhnoy and Glebov suggest their direct participation in orchestrating the widespread cyberattacks. Their methods involved not only deploying ransomware but also engaging in the intricate process of data exfiltration and the subsequent extortion, indicating a high level of technical proficiency and criminal organization. The group’s activities, particularly those of Berezhnoy, Glebov, and others, are alleged to have spanned from May 2019 through at least October 2024, demonstrating a sustained and aggressive campaign of digital banditry.
Investigation Details: A Coordinated Global Crackdown
This monumental takedown, dubbed “Operation Phobos Aetor,” is the culmination of years of meticulous international investigative work. Europol’s European Cybercrime Centre (EC3) began supporting the investigation into Phobos, the ransomware variant utilized by 8Base, as early as February 2019. The operation involved an unprecedented collaboration between law enforcement agencies from 14 countries, including the US Department of Justice (US DOJ), the Federal Bureau of Investigation (FBI), the UK’s National Crime Agency (NCA), and police forces from Germany, France, Japan, and many others. Europol played a crucial role in centralizing intelligence, organizing 37 operational meetings and technical sprints, and providing critical analytical, crypto-tracing, and forensic expertise. This coordinated effort led to the identification and subsequent seizure of 27 servers linked to the criminal network on February 11, 2025, effectively dismantling the group’s digital infrastructure. Over 400 companies worldwide were proactively warned of ongoing or imminent ransomware attacks as a direct result of this intelligence gathering.
“This operation underscores the critical importance of international cooperation in combating the increasingly sophisticated threat of cybercrime. The arrests send a clear message that no cybercriminal is beyond the reach of justice, regardless of borders or the perceived anonymity of the internet.”
What Happens Next: Extradition and Lengthy Legal Battles
With Roman Berezhnoy and Egor Nikolaevich Glebov already facing severe charges in the United States, the immediate future involves complex extradition proceedings. The request from Swiss authorities for their transfer to Switzerland indicates that both the US and Switzerland will seek to prosecute the individuals for the distinct crimes committed within their jurisdictions. Authorities also conducted searches at four locations during the arrests, seizing crucial digital evidence including mobile phones, laptops, and digital wallets, which will be vital in the ongoing legal proceedings. The trial dates, potential convictions, sentences, or any asset freezes for the four arrested individuals are not yet publicly available, but given the gravity of the charges and the scale of their alleged crimes, lengthy legal battles and significant penalties are expected.
Protecting Yourself: Recognizing the Red Flags of Ransomware
The success of the 8Base group highlights the persistent vulnerabilities exploited by ransomware operators. Organizations must remain vigilant and implement robust cybersecurity measures. Common warning signs and attack vectors used by 8Base included initial access gained through phishing emails or purchased access from initial access brokers. Therefore, strong email security and comprehensive employee training to identify phishing attempts are paramount. The group often distributed its Phobos variants via SmokeLoader, a backdoor trojan, necessitating advanced endpoint detection and response (EDR) solutions. Once inside, they bypassed User Access Control (UAC), established persistence, conducted network share discovery, and disabled security features like Windows Defender. Organizations should prioritize network segmentation, regular security audits, and tamper-resistant security software. The presence of unusual file extensions like “.8base” or “.eight” and ransom notes are immediate indicators of an attack. Lastly, the double extortion tactic, involving threats to publish stolen data on a leak site, underscores the need for robust data backup, recovery plans, and comprehensive incident response procedures for data breaches. For more insights into related fraud investigations, visit our archives.
The arrests of these unnamed individuals (4 key figures) represent a significant disruption to the global ransomware ecosystem. However, the threat landscape continues to evolve. Businesses, particularly SMBs, must proactively invest in cybersecurity defenses, stay informed about emerging threats, and foster a culture of vigilance to protect themselves against sophisticated cybercriminals who continuously seek new avenues for exploitation.




