BREAKING NEWS – Wednesday, March 25, 2026 – Four Unnamed Russian Nationals (4 individuals) have been arrested in a significant international law enforcement operation targeting the notorious 8Base ransomware group. Europol confirmed the arrests, which took place in Europe, marking a major blow against a cybercrime syndicate responsible for extorting large payments from over 1,000 victims worldwide.
The coordinated action, dubbed “Operation Phobos Aetor,” saw law enforcement agencies from 14 countries collaborate to dismantle the group’s infrastructure and apprehend key members. While two women remain unnamed, two men have been identified as Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39.
The Charges Against Unnamed Russian Nationals (4 individuals)
Roman Berezhnoy and Egor Nikolaevich Glebov face a formidable list of 11 charges in the United States, including wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, causing intentional damage to protected computers, extortion related to computer damage, unauthorized access and obtaining information from a protected computer, and transmitting a threat to impair the confidentiality of stolen data. They also face charges in Switzerland. If convicted in the US, the potential maximum sentence could be as high as 120 years in prison, underscoring the severity of their alleged crimes.
The arrests were made on February 10, 2025, in Phuket, Thailand, with Europol announcing the takedown of 27 servers linked to the criminal network the following day. This operation also disrupted over 100 servers associated with the broader Phobos scheme, a significant blow to the cybercrime ecosystem.
Scale of the Crime
The 8Base ransomware group, operating since March 2022, is estimated to have extorted over $16 million in ransom payments. Their victims spanned more than 1,000 public and private entities across the globe, primarily small to medium-sized businesses (SMBs) in sectors such as professional services, manufacturing, finance, healthcare, and education. The group employed a “double extortion” tactic: encrypting data and then threatening to publish stolen information on their dark web leak site if a ransom was not paid. Geographically, victims were concentrated in the United States, Brazil, and the United Kingdom, with attacks also reported in Australia, Canada, and various European countries. Notably, no ex-Soviet or Commonwealth of Independent States (CIS) countries were targeted.
“This operation represents a critical advancement in the fight against ransomware, demonstrating the power of international cooperation in dismantling sophisticated cybercriminal enterprises that prey on businesses and critical infrastructure worldwide.”
Who Are Unnamed Russian Nationals (4 individuals)?
The four Unnamed Russian Nationals (4 individuals) are suspected leaders of the 8Base ransomware group. Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, along with the two unnamed women, are Russian nationals whose specific professions beyond their alleged involvement with 8Base are not publicly known. The 8Base group, despite claiming to be “honest and simple pentesters,” emerged as a financially motivated cybercrime operation in March 2022. They were particularly active in May and June 2023, demonstrating a significant surge in their malicious activities.
Investigation Details
The investigation into the Phobos ransomware, which 8Base leveraged, began in 2019. “Operation Phobos Aetor” was a massive undertaking coordinated by Europol and Eurojust, involving law enforcement from Belgium, Czech Republic, France, Germany, Japan, Poland, Romania, Singapore, Spain, Sweden, Switzerland, Thailand, the United Kingdom, and the United States. Europol provided crucial analytical, crypto-tracing, and forensic expertise, coordinating 37 operational meetings. The fraud was uncovered through ongoing investigations that identified 8Base as a key affiliate using the Phobos infrastructure. The disruption was confirmed with the seizure of 8Base’s Tor-based leak site, which now displays a seizure banner from German authorities. Previous arrests include a key Phobos affiliate in Italy in 2023 and an administrator in South Korea in June 2024, who was later extradited to the US and indicted as Evgenii Ptitsyn.
What Happens Next
With the Unnamed Russian Nationals (4 individuals) now in custody, the legal process will move forward. While specific trial dates and further asset freezes are yet to be publicly detailed, the unsealed charges in the US indicate a rigorous prosecution ahead. The international nature of the charges and the involvement of multiple jurisdictions suggest a complex legal battle. The disruption of 27 servers linked to 8Base and over 100 servers associated with the broader Phobos scheme signifies a lasting impact on the group’s operational capabilities, though vigilance against new threats remains paramount.
Protecting Yourself
The tactics employed by the 8Base group offer critical insights into preventing similar attacks. Businesses must prioritize robust cybersecurity defenses. Key red flags and preventative measures include: comprehensive employee security training to identify phishing emails, implementing multi-factor authentication and strong access controls for remote access, and ensuring all software is regularly patched and updated to address vulnerabilities. Organizations, especially SMBs, should invest in advanced endpoint security solutions that can detect unusual file activity and ransomware indicators like the appearance of unusual file extensions or attempts to disable security features. Furthermore, maintaining immutable, off-site backups is crucial, enabling data restoration without succumbing to ransom demands. Continuous monitoring of network activity for anomalies and having a well-rehearsed incident response plan are essential to mitigate the impact of such sophisticated cyber threats. For more information on related fraud investigations and protective measures, stay tuned to The Financial Standard.




