A website which provided access to more than 12 billion personal credentials to cyber criminals for as little as $2 per day has been taken down following an investigation led by the National Crime Agency (NCA), in collaboration with international law enforcement partners.
The NCA began investigating weleakinfo.com, which is believed to host credentials taken from around 10,000 data breaches, in August 2019. The credentials are known to have been used in further cyber attacks in the UK, Germany and the US.
Two individuals were identified during the course of the operation who officers believe have made total profits in excess of £200,000 from the site; one based in Northern Ireland and one in The Netherlands.
NCA investigators passed this information to the Police Service of Northern Ireland (PSNI) and the East Netherland Cyber Crime Unit (Politie), who launched their own operations. The suspects, both 22-year-old men, were arrested on Wednesday 15 January in Fintona and Arnhem respectively.
Parallel investigations into weleakinfo.com were also being run by the German BKA and the FBI, who seized the domain and effected the takedown of the site at 11.30pm on the same day.
Online payments tracing back to IP address believed to have been used by the two men point them being heavily involved in the running of the site. NCA officers found evidence of payments being made from these accounts to infrastructure companies in Germany and New Zealand to host its data.
Law enforcement activity in the UK last year established links between the purchase of cyber crime tools, such as remote access Trojans (RATs) and cryptors, and weleakinfo.com.
In November 2019, NCA and North West Regional Organised Crime Unit officers executed 21 warrants across the UK as part of an international operation targeting those who had purchased the IM RAT. Several of the suspects identified had also paid for access to weleakinfo.com.
Andrew Shorrock, Senior Investigating Officer at the NCA, said:
“We know that weleakinfo.com formed an extremely valuable part of a cyber criminals toolkit. However, this significant criminal website has now been shut down as a result of an international investigation involving law enforcement agencies from five countries.
“Cyber crime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data which included 12 billion personal credentials and so work is continuing by law enforcement to mitigate these and notify the sites that were breached.
“The data behind the site is a collaboration of more than 10,000 data breaches. Criminals rely on the fact that people duplicate passwords on multiple sites and data breaches such as these create the opportunity for fraudsters to exploit that.
“Password hygiene is therefore extremely important. Advice on this, and further guidance on how to mitigate against cyber attacks, can be found on the National Cyber Security Centre’s website.”
Detective Superintendent Richard Campbell, Head of PSNI’s Cyber Crime Centre said:
“This significant operation involving PSNI, the NCA and the Dutch and German Police has disrupted a major organised crime gang who were selling people’s personal details for profit.
“We were pleased to play our part by arresting a 22-year-old man in Fintona on suspicion of Fraud and for encouraging or assisting contrary to S46 of the Serious Crime Act 2015. He has since been released on bail pending further enquiries.
“This NCA-led investigation in partnership with PSNI and Dutch authorities demonstrates how law enforcement agencies can work together successfully to disrupt major crime taking place anywhere in the world. Let this be a clear warning there is no hiding place for cyber criminals.”
17 January 2020