Ransomware Leak Sites


Active Since

April 2022

Total Victims as of January 2024


Known Forum Aliases


Active Forum Accounts


Top Targeted Geographies

US, Brazil, UK

The 8Base dark web leak site appeared in June 2023 but the group is reported to have been active since early 2022.

Its activity accelerated in the summer of 2023 and since then it has been consistent in posting victims, quickly becoming one of the most active groups we track (with more than 260 total victims at the time of publication).

Its top three targeted industries are commercial & professional services, capital goods, and healthcare equipment & services. 8Base uses double extortion tactics – as well as encrypting an organization’s data it also exfiltrates data and threatens to leak it on its dark web leak site.

8Base uses a variant of Phobos ransomware in its attacks, modified to append a “.8base” extension onto encrypted files. Researchers have also noted that 8Base’s leak site bears many textual similarities to the leak site used by data extortion operation RansomHouse, which might suggest a connection between the two groups.

In September 2023, the cybersecurity researcher Brian Krebs demonstrated that at least some of the 8Base leak site code was written by a 36-year-old programmer residing in the capital city of Moldova.

The Beacon Newsletter

Get news, insights & intelligence straight to your inbox