Government Agencies Seize Domains Used to Sell CredentialsDOJ: Now-Shuttered Site Sold Data Obtained From 10,000 Data Breaches
The U.S. Department of Justice and the FBI announced that they had seized three domains after an international investigation that found these domains selling stolen personal information and providing access to conduct distributed denial-of-service attack on victim networks.
The three seized internet domain names include weleakinfo.to and two related domain names, ipstress.in and ovh-booter.com.
"Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses," says Matthew M. Graves, U.S. attorney for the District of Columbia. "Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security, and commerce around the globe."
The site operated as a database and search engine, and the stolen data was indexed so that users could search the files and information "illegally obtained in over 10,000 data breaches containing seven billion indexed records - including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts," the DOJ says.
It's not clear how long the WeLeakInfo domain was in operation, but the website developed a reputation for selling names, email addresses, usernames, phone numbers and passwords for online accounts to cybercriminals who would buy a subscription for a period of one day, one week, one month, three months, or a lifetime, according to the DOJ.
The government agencies also announced that they had seized weleakinfo.com in January 2020, shutting down a similar service then provided at that site. At that time, the same services were provided for as little as $2 a day to access the data (see: 'WeLeakInfo' Website Shut Down).
That law enforcement action involving five countries led to the shutdown of WeLeakInfo.com. The site at that time provided cybercriminals with access to over 12 billion personal records culled from 10,000 data breaches.
In July 2019, the WeLeakInfo website and its Twitter feed began advertising that 23 million personal records that had been taken from CafePress were available to subscribers (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).
When, U.S., U.K. and EU law enforcement agencies first shuttered the WeLeakInfo site in January 2020, police in Northern Ireland and the Netherlands also announced the arrest of two men, both 22 years old, on suspicion of having run the domain and having profited from the sale of personally identifiable information, malware and other malicious tools. Neither suspect has been named.
The ipstress.in and ovh-booter.com domains, which allegedly offered to conduct a DDoS attack for clients in a format called booter or stressor attacks, were also seized.
WeLeakInfo visitors are now greeted with a message saying that the domain had been seized.
"With execution of the warrant, the seized domain name weleakinfo.to is now in the custody of the federal government, effectively suspending the website's operation," according to the DOJ. "Visitors to the site will now find a seizure banner that notifies them that the domain name has been seized by federal authorities. The U.S. District Court for the District of Columbia issued the seizure warrant."
In addition to the DOJ and FBI, the shutdown of these domains was part of a coordinated action by the law enforcement agencies with the National Police Corps of the Netherlands and the Federal Police of Belgium.
"The actions executed by our international partners included the arrest of a main subject, searches of several locations, and seizures of the web server's infrastructure," according to the DOJ.
In December 2020, Britain's National Crime Agency reported arrests of 21 individuals on suspicion of purchasing personally identifiable information from the WeLeakInfo website for a variety of purposes, including the buying and selling of malicious cyber tools such as remote access Trojans, aka RATs, as well as to buy "cryptors," which can be used to obfuscate code in malware, according to the NCA.
It has said that all are men, ranging in age from 18 to 38 and the arrests took place over a five-week period starting in November 2020.
Beyond the 21 people arrested by police, another 69 individuals in England, Wales and Northern Ireland have received warnings from the NCA or other domestic law enforcement agencies, saying they may have engaged in criminal activity tied to the investigation.
Sixty of those individuals also received cease-and-desist orders from police.
Recent Domain Seizures
Microsoft says that in April it obtained a court order from the United States District Court for the Northern District of Georgia allowing it to seize control of 65 domains that the ZLoader gang had been using to grow, control and communicate with its botnet (see: Microsoft Disrupts ZLoader Botnet in Global Operation).
ZLoader, a descendant of the ubiquitous Zeus banking malware, is run by a global, internet-based, organized crime gang operating malware as a service that is designed to steal and extort money.
"The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet's criminal operators," Microsoft said.
The U.S. had also seized three domains - raidforums.com, Rf.ws, and Raid.lol - that hosted the hacker forum. The yearlong joint operation by law enforcement agencies across several countries led to the shuttering of the darknet marketplace RaidForums and the seizure of these three domains hosting the website (see: Joint Law Enforcement Operation Dismantles RaidForums).
RaidForums was used by hackers mainly to buy and sell stolen information, including financial data such as credit card details, bank account numbers, Social Security Numbers, login credentials and personally identifiable information.
The RaidForums takedown comes days after the German police, leading a transagency effort, shuttered Russian darknet marketplace Hydra, which has been known to offer stolen credit and SIM cards, VPN access, and cryptocurrency laundering services. Although there were no known arrests, the Federal Criminal Police Office of Germany seized 543 bitcoins, worth about $25 million, associated with the marketplace. (see: Germany Shutters Russian Darknet Marketplace Hydra).