The FBI has seized the domain for WeLeakInfo.com, a site that sold breached data records, after a multinational effort by law enforcement.
Authorities have arrested two 22-year-old men alleged to have operated the site. Based in Fintona, Northern Ireland, and Arnhem in the Netherlands, they are believed to have made over £200,000 (about $260,000) between them from the site.
The Internet Archive’s Wayback Machine first shows WeLeakInfo.com surfacing in April 2017, advertising itself as “the Most Extensive Private Database Search Engine”.
The FBI and the District of Columbia explained that the site had harvested over 12 billion records from over 10,000 data breaches, including names, email addresses, usernames, phone numbers, and passwords. The site disclosed records relating to data breaches of sites including Chegg.com, StockX, Dubsmash, and MyFitnessPal.
Customers could subscribe to WeLeakInfo.com for as little as a day, paying a minimum of $2 in return for unlimited access. UK authorities also found links between the site and sales of remote access trojans (RATs) and cryptors (tools that obfuscate malware code to avoid detection). It was available both online and also via the dark web service Tor.
The FBI and the District of Columbia worked with the UK’s National Crime Agency and the Netherlands National Police Corps on the site seizure, along with the German Bundeskriminalamt (the Federal Criminal Police Office of Germany) and the Police Service of Northern Ireland.
In an announcement about the arrests, UK NCA said that it had started investigating WeLeakInfo.com in August 2019. It had spotted people using credentials from the site in cyberattacks in the UK, Germany, and the US. The Agency passed its information to the Bundeskriminalamt and the FBI, and they co-ordinated the seizure of WeLeakInfo.com at 11:30pm UK time on Wednesday 15 January, the same day that the men were arrested.
WeLeakInfo’s operators ran it like a business. It had its own Twitter account, where they would update their customers about their new database acquisitions, while also justifying their site as a public service:
We just added 315 new data breaches!
— We Leak Info (@weleakinfo) November 24, 2019
See if your information was leaked for free at https://t.co/Il5zj4Bl4h #weleakinfo #infosec #databreach #OSINT
They would even run special offers and promos:
Happy New Years! Thank you for all your support!
— We Leak Info (@weleakinfo) January 1, 2020
Use code "NEWYEARS" to get 15% off of all plans except Trial.
Expires on January 2nd, 2020 00:00:00 EDT#NewYear #infosec #OSINT
They would also use third-party text storage sites to list new sets of stolen credentials.
The URL for the credential sales service now displays a notice from the FBI explaining that it has seized the domain.
WeLeakInfo isn’t the only site to have sold breached data. LeakedSource shut down in 2017, as did LeakBase.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast.