8Base

8base · primary source: Other · first observed 2022 · last observed 2025
RU · Russia · Ransomware · High confidence · last cited Feb 9, 2025 · 1.3y ago

Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized businesses across finance, manufacturing, business services, and IT — over 1,000 victims claimed and an estimated $16M extracted. Disrupted on 10 February 2025 by **Operation Phobos Aetor**, a multi-jurisdiction action coordinated by the U.K. NCA, FBI, Europol, and police agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand. Four Europeans were arrested in Phuket; Russian nationals Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39) were named as the operators of the 8Base / Affiliate 2803 RaaS organisation.

Aliases

Affiliate 2803 · Other

Motivations

financial gain

Target sectors

manufacturing · professional services · financial · healthcare · technology

Target countries

US · GB · BR · CH · FR · DE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • 8Base
  • Russia
  • financial gain
Infrastructure
  • admlogs25.xyz
Victim
  • manufacturing
  • professional services
  • financial
  • US
  • GB

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

3 indicators

Type: SHA-256
Value: 5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0
Family: Phobos
First seen: May 31, 2023
Source: VMware Carbon Black
Note: 8Base ransom note dropped after Phobos-based encryption in the campaigns documented by VMware Carbon Black researchers.

Type: SHA-256
Value: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
Family: Phobos
First seen: May 31, 2023
Source: VMware Carbon Black
Note: Phobos-derived 8Base ransomware payload analyzed by VMware Carbon Black in the June 2023 spike of double-extortion intrusions. Loaded via SmokeLoader with SystemBC for C2.

Type: Domain
Value: admlogs25[.]xyz
Family: SystemBC
First seen: May 31, 2023
Source: VMware Carbon Black
Note: SystemBC C2 / staging domain in the 8Base infrastructure cluster (admlogs25, admhexlogs25, admlog2, serverlogs37, dnm777, dexblog, blogstat355, blogstatserv25, wlaexfpxrs) listed by VMware Carbon Black.

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). 8Base — actor profile. Retrieved from https://threatintel.local/actors/8base

latest cited activity · 2025-02-10 · 3 cataloged indicators