US regulators took down a website that peddled billions of personal credentials stolen by criminals or exposed on the internet as the result of an international joint operation. Two individuals suspected to be profiting from the website were arrested in Northern Ireland and the Netherlands.
The US FBI seized the domain weleakinfo.com after a joint action by national regulators across the US and Europe, announced the National Crime Agency (NCA), UK.
The blocked site provided access to more than 12 billion personal credentials to cyber-criminals for as little as £1.50 per day, said the UK agency’s announcement. It was offering access to the data in the guise of helping users to check whether their passwords were compromised.
An official statement from the NCA said: "The NCA began investigating weleakinfo.com, which is believed to host credentials taken from around 10,000 data breaches, in August 2019. The credentials are known to have been used in further cyber attacks in the UK, Germany and the US."
The probe identifies two individuals in the Netherlands and Northern Ireland, who were charged with pocketing more than £200,000 from the site; one based in Northern Ireland and one in The Netherlands.
"NCA investigators passed this information to the Police Service of Northern Ireland (PSNI) and the East Netherland Cyber Crime Unit (Politie), who launched their own operations. The suspects, both 22-year-old men, were arrested on Wednesday, 15 January in Fintona and Arnhem respectively," said the NCA announcement.
Parallel investigations into weleakinfo.com run by the German BKA and the FBI resulted in seizing the domain on 15 January after the US Attorney’s Office, District of Columbia issued a warrant.
Online payments tracing back to IP address believed to have been used by the two men point to them being heavily involved in the running of the site. NCA officers found evidence of payments being made from these accounts to infrastructure companies in Germany and New Zealand to host its data.
"We know that weleakinfo.com formed an extremely valuable part of a cyber-criminals toolkit. However, this significant criminal website has now been shut down as a result of an international investigation involving law enforcement agencies from five countries.
"Cyber-crime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data which included 12 billion personal credentials and so work is continuing by law enforcement to mitigate these and notify the sites that were breached," said NCA senior investigating officer Andrew Shorrock in the announcement.
The administrators of weleakinfo tweeted on 15 January that there was a "data cluster issue" and they "are currently investigating it".
[status] Investigating: We are currently investigating this issue. https://t.co/9vzK4O49gw— We Leak Info (@weleakinfo) January 15, 2020
Similar websites such as ‘Leak – Lookup’, ‘Leakedsource’, ‘DeHashed’ and ‘Snusbase’ are already cashing in on the increased traffic after weleakinfo was taken down.
An influx in traffic forced Leak Lookup to close the site for maintenance, it tweeted.
Due to the recent influx of traffic, we've had to perform maintenance on our cluster. Everything should be operational within the hour.— Leak Lookup (@LeakLookup) January 17, 2020
UK investigators last year established links between the purchase of cyber-crime tools, such as remote access Trojans (RATs) and cryptors, and weleakinfo.com.
In November 2019, NCA and North West Regional Organised Crime Unit officers executed 21 warrants across the UK as part of an international operation targeting those who had purchased the IM RAT. Several of the suspects identified had also paid for access to weleakinfo.com, noted the NCA.
"From a legal perspective, the commerce of stolen property is criminally punishable in most Western jurisdictions. The prosecution will likely argue that the admins were deliberately profiteering from the unlawful sale of stolen property, recklessly allowing third-parties to access victims' sensitive data," noted ImmuniWeb founder & CEO Ilia Kolochenko.
"Given the purely commercial nature of the project, malicious intent would be easy to prove, forming an irrefutable indictment with severe prison terms on the horizon. The admins would be advised to take experienced criminal defence lawyers and consider negotiating a guilty plea. In any case, this incident serves an unambiguous "tolerance zero" notice to all grey marketplaces," he added.
As cyber-criminals operate without caring about boundaries or jurisdictions, trans-national collaborations are the way to tackle them, observed Robert Ramsden-Board, VP EMEA at Securonix.
"The internet is far-reaching. Therefore, cyber-crime and its impact on businesses and individuals is rarely contained within one nation. So, collaboration between the US, the UK and other nations' law enforcement organisations is a critical step towards effectively tackling cyber-crime."