Site hosting stolen credentials taken down in wake of international operation

A website which provided access to more than 12 billion personal credentials to cyber criminals for as little as $2 per day has now been taken down following a detailed investigation led by the National Crime Agency (NCA) in collaboration with various international law enforcement partners.

The NCA began investigating weleakinfo.com, which is believed to host credentials taken from around 10,000 data breaches, in August last year. The credentials are known to have been used in further cyber attacks in the UK, Germany and the US. During the course of the operation, two individuals were identified (one based in Northern Ireland and one in The Netherlands) who, officers believe, have made total profits in excess of £200,000 from the site.

NCA investigators passed this information to the Police Service of Northern Ireland (PSNI) and the East Netherlands Cyber Crime Unit (Politie), who then launched their own operations. The suspects, both 22-year-old men, were arrested on Wednesday 15 January in Fintona and Arnhem respectively.

Parallel investigations into weleakinfo.com were also being run by the German BKA and the FBI, who seized the domain and effected the takedown of the site at 11.30 pm on the same day.

Online payments tracing back to IP addresses believed to have been used by the two men point to them being heavily involved in the running of the site. NCA officers found evidence of payments being made from these accounts to infrastructure companies in Germany and New Zealand to host the site's data.

Law enforcement activity in the UK last year established links between the purchase of cyber crime tools, such as remote access Trojans and cryptors, and weleakinfo.com.

In November last year, NCA and North West Regional Organised Crime Unit officers executed 21 warrants across the UK as part of an international operation targeting those who had purchased the IM RAT. Several of the suspects identified had also paid for access to weleakinfo.com.

Significant criminal website

Andrew Shorrock, senior investigating officer at the NCA, said: “This significant criminal website has now been shut down as a result of an international investigation involving law enforcement agencies from five countries. Cyber crime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data which included 12 billion personal credentials. Work is continuing in order to notify the sites that were breached. The data behind the site is a collaboration of more than 10,000 data breaches. Criminals rely on the fact that people duplicate passwords on multiple sites and data breaches such as these create the opportunity for fraudsters to exploit that.”

Shorrock added: “Password hygiene is extremely important. Advice on this, and further guidance on how to mitigate against cyber attacks, can be found on the National Cyber Security Centre’s website.”

Detective Superintendent Richard Campbell, head of PSNI’s Cyber Crime Centre, observed: “This significant operation involving the PSNI, the NCA and the Dutch and German Police has disrupted a major organised crime gang who were selling people’s personal details for profit. We were pleased to play our part by arresting a 22-year-old man in Fintona on suspicion of fraud and for encouraging or assisting contrary to Section 46 of the Serious Crime Act 2015. He has since been released on bail pending further enquiries.”

Campbell also stated: “This NCA-led investigation in partnership with the PSNI and the Dutch authorities demonstrates how law enforcement agencies can work together successfully to disrupt major crime taking place anywhere in the world. Let this be a clear warning that there’s no hiding place for cyber criminals.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
