The National Crime Agency and other cybercrime teams from across the UK have arrested twenty-one cyber criminals who sold and purchased vast amounts of stolen credentials on WeLeakInfo, a website that sold leaked or breached credentials on a subscription basis.
WeLeakInfo was seized by the U.S. FBI and the Department of Justice in January this year and, at that time, was found to be storing over twelve billion stolen or breached data records that included names, email addresses, usernames, phone numbers, and passwords for online accounts.
Cyber criminals who operated the website allowed site visitors to view and purchase these data records as part of daily, weekly, monthly, or quarterly subscription plans. According to the FBI, the website stored data records and credentials that were obtained from over ten thousand data breaches worldwide.
The takedown of WeLeakInfo was the result of a coordinated effort by the UK’s National Crime Agency, the FBI, the Netherlands National Police Corps, the German Bundeskriminalamt (the Federal Criminal Police Office of Germany), and the Police Service of Northern Ireland.
Aside from seizing the website, which was run in plain sight until then, law enforcement authorities also arrested two operators of WeLeakInfo in the Netherlands and in Northern Ireland who reportedly made over £200,000 from the sale of stolen data records.
On Christmas Day, the National Crime Agency said that as many as twenty-one cyber criminals were arrested across the UK as part of a five-week-long operation that began on 16th November and targeted customers of WeLeakInfo.com.
The NCA said that the arrested people paid for access to the site in order to download personal data for use in further criminality, including cyber attacks and fraud offences, and that some of them also purchased cybercrime tools such as remote access Trojans (RATs) and crypters from the website.
“Through the identification of UK customers of WeLeakInfo, we were able to locate and arrest those who we believe have used stolen personal credentials to commit further cyber and fraud offences. The NCA and UK law enforcement take such offences extremely seriously and they can result in huge financial loss to victims,” said Paul Creffield from the NCA’s National Cyber Crime Unit.
Cyber Prevent officers also paid a visit to sixty-nine people, who were warned about their potentially criminal activity, and many more customers of the seized website will be visited in the coming months.
“We were also able to pinpoint those on the verge of breaking the law and warn them that should they continue, they could face a criminal conviction. Cyber skills are in huge demand and there are great prospects in the tech industry for those who choose to use their skills legally,” Creffield added.
This is not the first time that cyber criminals have been caught selling millions of stolen credentials online to the highest bidder. A couple of years ago, security firm Flashpoint discovered a dark web marketplace called Ultimate Anonymity Services that was being used by criminals to sell stolen credentials for thousands of corporate remote access servers.
These credentials belonged to enterprises from all over the world except those in countries that belong to the Commonwealth of Independent States. These countries include former Soviet Republics like Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.
Security researchers at 4iQ also stumbled upon the world’s largest breached credentials database on the Dark Web that contained as many as 1.4 billion clear text credentials that were obtained from hundreds of data breaches. The database included stolen credentials aggregated from dumps like Exploit.in and Anti Public, as well as 385 million new credential pairs and 318 million unique users.