
LeakBase just got proper nuked: Europol and the FBI led a coordinated takedown that wiped the cybercrime forum off the web and seized a trove of user data in the process. For anyone in crypto who has ever had their inbox hit with "urgent wallet security" phishing, this is one of the few times law enforcement has landed a clean, high-impact punch on the supply chain. [1]

Authorities say LeakBase operated as a marketplace and meeting point for hackers trading stolen data and tooling, and it had scaled into a meaningful hub: more than 142,000 members and over 215,000 messages. That is not a tiny invite-only crew; that is an ecosystem. [2]

What LeakBase was, and why the seizure matters

LeakBase sat in the same grimy lane as other "breach forums", spaces where compromised databases, credential lists, and attack services move from one actor to another. Think of it as the resale layer that turns a one-off corporate breach into thousands of downstream crimes: account takeovers, SIM swaps, identity fraud, and targeted phishing.

The FBI's cyber division assistant director Brett Leatherman said the operation involved the FBI, Europol, and other agencies, and that investigators seized users' accounts, posts, credit details, private messages, and IP logs for evidentiary purposes. The key word here is "logs". Forums come and go, but when law enforcement gets internal messages plus payment details plus IP history, it stops being a game of whack-a-mole and starts looking like a pipeline for arrests. [3]

From a crypto angle, those "credit details" and private chats are often where the useful attribution sits. A lot of these actors are careful with chain hygiene, but they are historically sloppy with forum operational security, reuse of nicknames, burner emails, and payment rails.

The Raidforums connection, and the Ledger shadow

LeakBase did not appear out of nowhere. Reporting ties it to Raidforums, a predecessor forum seized in 2022. That matters for two reasons: [4]

  1. Continuity of users and tactics. When a big forum gets taken down, the community tends to migrate rather than disappear. Same buyers, same sellers, new domain, slightly different rules.

  2. Crypto victims are not theoretical. Raidforums previously hosted leaked data tied to users of Ledger, the hardware wallet company. Those leaks have had a long tail. If you have been around CT (Crypto Twitter) long enough, you have seen the playbook: leaked personal data feeds personalised phishing, fake device replacement scams, and sometimes offline intimidation. The point is not that one forum equals one leak; it is that these forums industrialise the distribution.

So while LeakBase is "just a forum" on paper, in practice it plugs directly into the fraud and extortion that crypto users deal with daily.

What law enforcement likely grabbed, and why criminals should be sweating

Seizing a site can mean a few different things, from a domain redirect to full server imaging. Based on the stated items seized (accounts, posts, credit details, private messages, IP logs), this looks closer to the second category.

Here is what that enables:

  • Account mapping: linking handles to historic posts and private deals.
  • Payment trail reconstruction: "credit details" suggests some form of stored payment info, subscription records, or purchase history. Even if criminals used intermediaries, someone often slips.
  • Network attribution: IP logs can tie users to geographies, VPN providers, or repeated access patterns. Not always enough to dox someone outright, but enough to narrow suspects and correlate with other investigations.
  • Victim notification and remediation: if investigators can identify which datasets were sold and when, impacted firms and users can be alerted, passwords reset, and fraud controls tightened.

The strongest signal is not the homepage being offline; it is the evidence harvest. Takedowns hurt. Takedowns plus logs change behaviour.

Crypto implications: less "vibes", more second-order effects

Crypto will not instantly become safer because a forum is gone. The demand side is still there, and stolen data is already copied, resold, and mirrored. But there are real, measurable second-order effects worth watching.

1) Short-term disruption to data liquidity

When a major marketplace disappears, pricing and availability can get weird for a bit. Sellers scramble for new venues, reputations reset, escrow systems change. That friction reduces velocity temporarily. For defenders, that window is valuable.

2) Migration to smaller, more fragmented channels

Expect the usual rotation: Telegram groups, Discords, invite-only boards, and niche marketplaces. Fragmentation makes it harder for casual fraudsters to source fresh data, but it can also push serious actors into tighter circles that are harder to monitor.

3) Increased law enforcement pressure on the cash-out layer

Even when the crime is "Web2", the proceeds often end up in crypto at some point. That can mean stablecoins, exchange accounts, OTC brokers, or privacy coins. If investigators have forum intel on buyers and sellers, they can pair it with exchange KYC requests and blockchain tracing to go after cash-out routes. The criminals who think "I used a mixer, I am fine" tend to forget that attribution often comes from chat logs, not chain analysis.

Is this a win, or just another game of whack-a-mole?

Both, honestly.

It is a win because LeakBase was large by any standard, and because the seizure appears to include the kind of internal data that turns into arrests and deterrence. It is also whack-a-mole because the underlying market for stolen data does not vanish; it reroutes.

The more interesting question is whether this takedown has continuity with previous actions (like the Raidforums seizure) in a way that compounds pressure over time. Repeated hits plus accumulated evidence can turn "internet lore" into real-world consequences, especially when the same usernames and administrators keep resurfacing.

Risk box: what could invalidate the impact

What would make this takedown mostly cosmetic:

  • LeakBase data and tooling reappear quickly on a successor forum with minimal loss of continuity.
  • No meaningful follow-up arrests or indictments materialise in the coming months.
  • The seized "credit details" and "IP logs" turn out to be incomplete, stale, or anonymised to the point of limited investigative value.

What would confirm this was a proper crackdown:

  • Named suspects, coordinated arrests, or public court filings referencing seized private messages and payment records.
  • Downstream seizures of related infrastructure (mirror sites, associated services, escrow wallets, admin accounts).
  • Victim notifications that match specific datasets sold via the platform.

LeakBase going dark is the headline. The real story is whether the seized logs convert into prosecutions. If they do, the next wave of forum admins will have to decide whether running a breach marketplace is still worth the heat. [5]