A year ago, LeakedSource – a site that sold access to credentials stolen in data breaches – suddenly blinked out of sight, reportedly after the FBI raided it and seized its servers.
On Monday, the Royal Canadian Mounted Police (RCMP) announced that a man who was allegedly the site’s sole operator appeared in a Toronto court that day.
27-year-old Jordan Evan Bloom, of Thornhill, Ontario, was arrested on 22 December 2016 and charged on Monday with selling people’s data for a “small fee,” according to the RCMP. Those small fees must have added up: Bloom allegedly raked in approximately $247,000 from administering the site, which allegedly trafficked approximately three billion stolen personal identity records.
LeakedSource sold subscriptions to any and all comers. That allowed breach-as-a-service customers to browse through troves of data breach files. Buyers could also easily search for a victim’s name, username and email address so as to access other information, including their cleartext passwords.
The investigation into LeakedSource – an investigation Canadian authorities dubbed Project “Adoration” – began in 2016. That’s when the RCMP learned that LeakedSource was being hosted on Quebec servers. The Dutch National Police and the FBI helped out with the investigation.
LeakedSource was initially set up in 2015 and shut down in early 2017 – a lifespan during which it collected and sold those three billion personal identity records and their associated passwords from a string of major breaches. According to the International Business Times, the breaches included those at LinkedIn, MySpace, Dropbox and AdultFriendFinder.
Bloom is facing charges of trafficking in ID information, unauthorized computer use, mischief to data, and possession of property obtained by crime.
Reuters talked to Toronto cybersecurity lawyer Imran Ahmad, who said that the charges against Bloom carry maximum sentences of between five and 10 years in prison.
Although the RCMP described Bloom as the sole proprietor, Ahmad told Reuters in an email that the sole proprietor notion isn’t a likely scenario. Rather, he said, Bloom was likely working with others to run the site, and the money police say he collected was probably only a slice of the overall profits. From his email:
“Cybercriminals typically have an underground network of collaborators and given the size of the database and scope of the endeavor, I suspect others were likely involved.”
LeakedSource is one of two breach-as-a-service criminal outfits that disappeared last year. Last month, LeakBase.pw also went dark. It had begun to redirect to Troy Hunt’s Have I Been Pwned? site after sending out this toodle-oo tweet:
“This project has been discontinued, thank you for your support over the past year and a half.”
Is this it? Is breach-as-a-service done? Can we stick a fork in it? If it is, would that be a good thing or a bad thing?
As Naked Security’s John E. Dunn said back when LeakBase went bye-bye, these sites were, for better or worse, uncovering breaches. Unfortunately, their business model was to sell access to breached data to crooks for them to exploit. How sound is a business model that’s based on the crime of handling breached data? How likely is it that such a business will escape police attention for long?
Not too likely, I’d say, given the track record of these two short-lived outfits.