ICIC
UN

8Base

Medium ConfidenceMedium Threat

8Base • EightBase • 8Base Ransomware

8Base is a ransomware and data-extortion cybercrime operation that emerged in March 2022 and became highly active in the summer of 2023. The group operates as a Ransomware-as-a-Service (RaaS) affiliate, utilizing ransomware strains including a variant known as Phobos. Despite positioning themselves as honest and simple pentesters, 8Base has been responsible for significant attacks against small to medium-sized businesses across multiple sectors. The group employs double extortion tactics, combining traditional ransomware encryption with data exfiltration. In July 2023, 8Base alongside Cl0p and LockBit were responsible for 48% of all recorded cyberattacks. The group was significantly disrupted in February 2025 when international law enforcement arrested four key individuals and shut down their dark web infrastructure.

Origin: Unknown
Sponsor: Criminal Organization
Active: 2022 - Present
Victims: 200+ organizations
Moderate
Disrupted
Financial Gain
Risk Assessment
70
Composite Risk Score
High Risk
ARCS Compliance72
Escalation Risk65
Grievance Index70
Infrastructure Impact75
History & Evolution

8Base is a ransomware and data-extortion cybercrime operation that emerged in March 2022 and became highly active in the summer of 2023. The group operates as a Ransomware-as-a-Service (RaaS) affiliate, utilizing ransomware strains including a variant known as Phobos. Despite positioning themselves as honest and simple pentesters, 8Base has been responsible for significant attacks against small to medium-sized businesses across multiple sectors. The group employs double extortion tactics, combining traditional ransomware encryption with data exfiltration. In July 2023, 8Base alongside Cl0p and LockBit were responsible for 48% of all recorded cyberattacks. The group was significantly disrupted in February 2025 when international law enforcement arrested four key individuals and shut down their dark web infrastructure.

Targeting

Target Sectors

HealthcareProfessional ServicesManufacturingConstructionTechnology

Target Regions

United StatesBrazilUnited KingdomGlobal
Attribution & Affiliations

Attributed to Criminal Organization (Unknown). Attribution confidence: Medium.

Intelligence Assessment
Medium
Threat Level
Opportunistic
Targeting
Moderately
Adaptability
Medium
Persistence
Disbanded
Op Tempo
Disrupted
Status

Future Outlook

8Base operations were significantly disrupted by the February 2025 law enforcement action. A free decryptor has been released for victims.

Timeline of Key Events
March 2022
Major

First observed 8Base activity

May-June 2023
Major

Massive spike in 8Base activity

February 2025
Major

International law enforcement arrests four key figures