Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two cybercrime enforcement actions landed this week, both targeting the infostealer ecosystem. Both are significant. But the more interesting one happened in Russia.
LeakBase had been running since 2021. By the time it was taken down, it had 147,000 registered users, over 215,000 internal messages, and, per Russian Interior Ministry spokesperson Irina Volk, “hundreds of millions of user accounts, bank details, usernames, and passwords, as well as corporate documents obtained through hacking.”
That’s not a forum. That’s an ecosystem.
Earlier this year, Operation Leak dismantled it. Europol and the FBI coordinated across 15 countries. The seizure banner was pointed: “All forum content, including users’ accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes.”
Now Russia has made its own arrest. The alleged administrator, a resident of Taganrog, was detained by the Russian MVD. No extradition. Domestic prosecution.
Russia tolerating domestic cybercriminals is well-documented, with informal rules: don’t hack Russia, don’t get so visible you become a diplomatic embarrassment. LeakBase apparently crossed at least one of those lines. With Operation Leak on the record and international media coverage, letting the alleged admin walk free would have been awkward.
It doesn’t signal a policy shift. Russia isn’t becoming a reliable partner in cybercrime enforcement. But the comfort zone for running a major criminal marketplace on Russian soil just got a little smaller.
On the other side of the Atlantic, Hambardzum Minasyan, an Armenian national, was extradited to the US to face charges tied to developing and administering RedLine, one of the most widely distributed infostealers in the world.
RedLine harvested credentials from millions of victims, bundled them into logs, and sold them to buyers for anywhere from a few dollars to several hundred depending on what was inside. Bank credentials, saved passwords, crypto wallet files, session tokens.
Minasyan faces up to 30 years if convicted. His extradition is part of the ongoing fallout from Operation Magnus, the 2024 Europol-FBI operation that disrupted RedLine’s infrastructure.
To be clear about what this means: RedLine-as-a-service has been disrupted. Key people are facing US federal charges. But the infostealer market didn’t disappear. Other tools filled the gap. The demand for fresh credentials hasn’t gone anywhere.
The credentials those logs represent are still out there. That’s the part no arrest resolves.