Cyber Threat Actor: 8Base
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Italy
|
8 incidents |
|---|
Profile
The threat actor known as 8Base, also referenced by the alias 8base, is described in open sources as a ransomware group that claims to operate from Italy. The group presents itself as an “honest and simple pentester” collective, asserting that it offers companies fair conditions for the return of their data and criticizes organizations that neglect data privacy while emphasizing non‑radical values such as life, liberty, equal access to information, democracy and non‑violent communication. Their reported activity spans multiple European sectors, including maritime logistics (the Port of Rijeka in Croatia), agriculture (the Fédération wallonne de l’agriculture in Belgium), fisheries management (the Atlantic States Marine Fisheries Commission), retail (Östenssons grocery chain in Sweden), telecommunications software (a Swiss firm serving European providers), and legal services (Italian firms such as Legalilavoro, Studio Legale Ranchino and SiComputer). This pattern indicates a broad, opportunistic targeting strategy rather than a narrow sector focus, with observed incidents in Italy, Belgium, Croatia, Sweden and Switzerland.
In terms of tactics, 8Base has been linked to the use of Phobos ransomware and shares stylistic similarities with the RansomHouse operation, suggesting reliance on established ransomware families or code bases. The group maintains a data leak site (DLS) where it threatens to publish exfiltrated information if victims do not meet its demands, a classic double‑extortion approach that combines encryption with the threat of data disclosure. Their infrastructure includes externally developed components, notably a vulnerable chat function traced to a Moldovan programmer, indicating a reliance on third‑party tools and custom services for communication and coordination. No specific initial‑access vectors such as phishing or RDP abuse are detailed in the provided material, so the profile is limited to the confirmed malware families, leak‑site methodology and the described tooling style.
Attribution clues are limited but notable: the group's leak site excludes victims from Russia and former Soviet states, a detail that sources interpret as suggesting possible Russian affiliations, and the actor has been publicly associated with the RansomHouse and Phobos ransomware ecosystems, implying a loose criminal consortium or shared‑service relationship. Representative operations cited in the sources include the December 2024 ransomware attack on the Port of Rijeka that stole financial and personal data, the May 2024 incident against the Fédération wallonne de l’agriculture where the group mistakenly claimed to have targeted the Walloon public service, and the June 2023 breach of the Italian law firm Studio Legale Ranchino in which personal identification, financial records and internal correspondence were exfiltrated and threatened for release. These examples illustrate the actor’s recurrent pattern of data theft, extortion demands and public shaming via leak sites across varied industries and geographies.
