LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Intel Report 8Base / Phobos

8Base and Phobos: Inside Operation PHOBOS AETOR and What Happened After

In February 2025, an international law enforcement operation disrupted the 8Base ransomware group and the broader Phobos RaaS ecosystem behind it. This report covers 8Base's history, the takedown, and what the dismantling of a mature RaaS operation reveals about ransomware economics.

By Ransomware Tracker ·
8BasePhobosransomwareoperation-phobos-aetorlaw-enforcementraasdouble-extortionSMBHivetakedown
Threat Level
6/10
Sectors Targeted
healthcare
manufacturing
finance
business-services
construction
Ransomware Family
8Base / Phobos

Overview

8Base was one of the most prolific ransomware operations targeting small and medium-sized businesses throughout 2023 and 2024. The group combined aggressive double-extortion tactics with a victim-shaming leak site and an unusual public persona — positioning itself as “penetration testers” performing a service for negligent organisations. In February 2025, Operation PHOBOS AETOR — a coordinated international law enforcement action involving US, European, and Asian agencies — disrupted the group’s infrastructure and led to arrests.

The operation illuminated the relationship between 8Base and the broader Phobos ransomware-as-a-service ecosystem, and it provides a case study in how a RaaS operation of mid-tier scale is structured, monetised, and ultimately disrupted.

Background and Origins

8Base made its first documented appearance in early 2022 but initially operated at low volume. The group drew significant attention beginning in May 2023 when it listed 131 victims within a three-month window — a surge in operational tempo that placed it in the top tier of active ransomware operators by victim count.

The group’s ransomware binary was closely related to the Phobos ransomware family, which itself shares code lineage with Dharma, a ransomware strain in operation since at least 2016. The Phobos lineage is significant: it is a mature, proven encryption implementation with years of operational refinement. Unlike LockBit or RansomHub, which developed proprietary RaaS platforms with affiliate portals and sophisticated tooling, Phobos operated as a comparatively accessible toolkit — available to a broader range of affiliates with lower technical requirements for entry.

Researchers also noted overlap between 8Base’s encryptor and a variant of the RansomHouse RaaS platform. The exact relationship between 8Base, Phobos, and RansomHouse remained disputed, with different threat intelligence vendors attributing the code similarities to different degrees of affiliation. What was clear was that 8Base had access to a capable, tested encryption implementation and a well-developed victim extortion workflow.

Targeting Profile

8Base concentrated overwhelmingly on SMBs in sectors where cybersecurity investment is typically lower and recovery pressure is higher:

  • Business and professional services — accounting firms, law firms, consultancies
  • Construction and engineering — companies with project data, client contracts, and thin IT staff
  • Manufacturing — operational disruption pressure creates payment incentive
  • Healthcare — patient data sensitivity amplifies extortion leverage
  • Financial services — SMB financial companies with high-value data but limited security budgets

The geographic concentration was primarily in the United States and Brazil, with secondary targeting across Western Europe. The SMB focus was deliberate: large enterprises have incident response retainers, experienced negotiators, and tested backup infrastructure. SMBs often pay because the alternative — weeks of downtime rebuilding from backups they may not have — is worse.

Average ransom demands were in the $50,000-$500,000 range, calibrated to what SMBs with revenues of $5M-$100M can realistically pay. The lower demand ceiling meant a higher payment rate than groups targeting enterprise victims — a volume strategy rather than a trophy strategy.

Extortion Methodology

8Base’s leak site was unusual in its framing. Rather than the clinical language of most ransomware operators (“your data will be published on [date]”), 8Base adopted an editorial voice that characterised victims as having “neglected the privacy and importance of the data” — positioning the group as the enforcer of data hygiene standards rather than criminals demanding payment.

The double-extortion model operated on a standard countdown timer. Initial notification, typically delivered via encrypted file drop in the compromised environment, provided contact information. Negotiations conducted via TOX messenger or a victim portal established the demand. Failure to engage within the initial window triggered countdown publication on the leak site.

The group was noted for publishing data rapidly after the countdown expired, with a higher-than-average rate of publishing non-paying victims’ data relative to some contemporaries. This served as a credibility signal to other victims in active negotiations.

Operation PHOBOS AETOR

In February 2025, international law enforcement authorities across multiple jurisdictions coordinated a takedown that simultaneously targeted 8Base infrastructure and the broader Phobos RaaS ecosystem.

The operation resulted in:

  • Seizure of servers hosting the 8Base leak site and victim negotiation portal
  • Infrastructure takedown of multiple Phobos C2 servers and affiliate management systems
  • Indictments unsealed by the US Department of Justice identifying individuals linked to the “Affiliate 2803” platform within the Phobos ecosystem
  • Arrests of individuals in European jurisdictions connected to the affiliate network

The US DOJ indictments cited Phobos ransomware activity ranging from 2019 to the present, covering thousands of victims across healthcare, critical infrastructure, and government sectors. The indictments detailed the Phobos affiliate model: a RaaS administrator selling access to the encryption toolkit and victim portal infrastructure, with affiliates conducting intrusions independently and splitting ransom proceeds with the administrator.

Two US-based cybersecurity professionals pleaded guilty in 2025 to operating as ALPHV/BlackCat affiliates in a separate but temporally adjacent case — a reminder that insider threat and complicit professional participation in RaaS operations is not theoretical.

What the Disruption Achieved and What It Did Not

Operation PHOBOS AETOR achieved its immediate operational objectives: the 8Base infrastructure was taken offline, the leak site went dark, and arrests removed identified participants from the affiliate network. The practical effect on 8Base victim volume was significant — activity attributed to the group dropped sharply following the operation.

What the disruption did not achieve is the elimination of the RaaS capability. The Phobos encryptor code is not controlled infrastructure — it was already widely distributed across the affiliate network. Affiliates who accessed the toolkit before the disruption retain it. Several analysts tracking post-PHOBOS AETOR ransomware activity identified encryptor characteristics consistent with the Phobos/Dharma lineage appearing under new branding within months of the takedown. The pattern is consistent with prior major ransomware disruptions: the infrastructure is destroyed, the code and tradecraft are not.

Operational Lessons for Defenders

SMB environments are systematically under-defended relative to the targeting profile. 8Base’s victim selection was not random; it reflected a calculated assessment of where recovery pressure is highest and defensive capability lowest. SMB organisations in professional services and manufacturing should treat their risk profile as equivalent to a mid-market enterprise in terms of likelihood of targeting.

The Phobos/Dharma code lineage is persistent. Defenders should ensure Phobos-family ransomware detection signatures are current in their EDR tooling and that network-level detections for Phobos C2 communication patterns are operational. The encryptor will continue to appear under different brand names.

Initial access is predominantly through exposed RDP and VPN credential abuse. The Phobos affiliate model relied on purchased access from initial access brokers who compromised VPN appliances and RDP-exposed endpoints. For SMBs: MFA on all remote access, current VPN firmware, and elimination of internet-exposed RDP reduces initial access opportunity significantly.

Ransom payment data suggests negotiation reduces demands by 40-60%. If payment is unavoidable, engaging an experienced ransomware negotiator consistently produces lower final payment amounts than direct negotiation. Most 8Base demands had significant negotiation headroom built in.

Current Status (June 2026)

As of mid-2026, the 8Base brand is operationally dormant following the PHOBOS AETOR disruption. The Phobos encryptor has been observed in several lower-profile incidents operating under different affiliate identities, but without the coordinated victim-shaming infrastructure that characterised 8Base at its peak. The individuals arrested in European jurisdictions are in various stages of prosecution.

The 8Base case illustrates both the effectiveness and the limits of law enforcement action against distributed RaaS operations: the brand can be eliminated, the operational infrastructure disrupted, and participants prosecuted — but the underlying capability continues as long as the code and tradecraft remain in circulation across the broader criminal ecosystem.

// Related Intelligence
Intel Report

How Ransomware TTPs Are Evolving in 2026: BYOVD, Supply Chain Credentials, and ESXi Targeting

Intel Report

2026 Ransomware Payment Trends: Demands, Negotiations, and Sector Breakdown

Intel Report

Initial Access Brokers: The Supply Chain Enabling Ransomware