A website which provided access to more than 12 billion personal credentials to cyber criminals for as little as $2 per day has now been taken down following a detailed investigation led by the National Crime Agency (NCA) in collaboration with various international law enforcement partners.
In August last year, the NCA began investigating weleakinfo.com, which is believed to host credentials taken from around 10,000 data breaches. The credentials are known to have been used in further cyber attacks in the UK, Germany and the US. During the course of the operation, two individuals were identified (one based in Northern Ireland and one in the Netherlands) who, officers believe, have made total profits in excess of £200,000 from the site.
NCA investigators passed this information to the Police Service of Northern Ireland (PSNI) and the East Netherlands Cyber Crime Unit (Politie), who then launched their own operations. The suspects, both 22-year-old men, were arrested on Wednesday 15 January in Fintona and Arnhem respectively.
Parallel investigations into weleakinfo.com were also being run by the German BKA and the FBI, who seized the domain and effected the takedown of the site at 11.30 pm on the same day.
Online payments tracing back to IP addresses believed to have been used by the two men point to them being heavily involved in the running of the site. NCA officers found evidence of payments being made from these accounts to infrastructure companies in Germany and New Zealand to host the site's data.
Law enforcement activity in the UK last year established links between the purchase of cyber crime tools, such as remote access Trojans and cryptors, and weleakinfo.com.
In November last year, NCA and North West Regional Organised Crime Unit officers executed 21 warrants across the UK as part of an international operation targeting those who had purchased the IM RAT. Several of the suspects identified had also paid for access to weleakinfo.com.
Significant criminal website
Andrew Shorrock, senior investigating officer at the NCA, said: “This significant criminal website has now been shut down as a result of an international investigation involving law enforcement agencies from five countries. Cyber crime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data which included 12 billion personal credentials. Work is continuing in order to notify the sites that were breached. The data behind the site is a collaboration of more than 10,000 data breaches. Criminals rely on the fact that people duplicate passwords on multiple sites and data breaches such as these create the opportunity for fraudsters to exploit that.”
Shorrock added: “Password hygiene is extremely important. Advice on this, and further guidance on how to mitigate against cyber attacks, can be found on the National Cyber Security Centre’s website.”
Detective Superintendent Richard Campbell, head of PSNI’s Cyber Crime Centre, observed: “This significant operation involving the PSNI, the NCA and the Dutch and German Police has disrupted a major organised crime gang who were selling people’s personal details for profit. We were pleased to play our part by arresting a 22-year-old man in Fintona on suspicion of fraud and for encouraging or assisting contrary to Section 46 of the Serious Crime Act 2015. He has since been released on bail pending further enquiries.”
Campbell also stated: “This NCA-led investigation in partnership with the PSNI and the Dutch authorities demonstrates how law enforcement agencies can work together successfully to disrupt major crime taking place anywhere in the world. Let this be a clear warning that there’s no hiding place for cyber criminals.”