Naked Security Naked Security

FBI seizes credentials-for-sale site

The FBI has seized the domain for, a site that sold breached data records, after a multinational effort by law enforcement.

The FBI has seized the domain for, a site that sold breached data records, after a multinational effort by law enforcement.
Authorities have arrested two 22-year-old men alleged to have operated the site. Based in Fintona, Northern Ireland, and Arnhem in the Netherlands, they are believed to have made over £200,000 (about $260,000) between them from the site.
The Internet Archive’s Wayback Machine first shows surfacing in April 2017, advertising itself as “the Most Extensive Private Database Search Engine”.
The FBI and the District of Columbia explained that the site had harvested over 12 billion records from over 10,000 data breaches, including names, email addresses, usernames, phone numbers, and passwords. The site disclosed records relating to data breaches of sites including, StockX, Dubsmash, and MyFitnessPal.
Customers could subscribe to for as little as a day, paying a minimum of $2 in return for unlimited access. UK authorities also found links between the site and sales of remote access trojans (RATs) and cryptors (tools that obfuscate malware code to avoid detection). It was available both online and also via the dark web service Tor.

The FBI and the District of Columbia worked with the UK’s National Crime Agency and the Netherlands National Police Corps on the site seizure, along with the German Bundeskriminalamt (the Federal Criminal Police Office of Germany) and the Police Service of Northern Ireland.
In an announcement about the arrests, UK NCA said that it had started investigating in August 2019. It had spotted people using credentials from the site in cyberattacks in the UK, Germany, and the US. The Agency passed its information to the Bundeskriminalamt and the FBI, and they co-ordinated the seizure of at 11:30pm UK time on Wednesday 15 January, the same day that the men were arrested.
WeLeakInfo’s operators ran it like a business. It had its own Twitter account, where they would update their customers about their new database acquisitions, while also justifying their site as a public service:

They would even run special offers and promos:

They would also use third-party text storage sites to list new sets of stolen credentials.
The URL for the credential sales service now displays a notice from the FBI explaining that it has seized the domain.
WeLeakInfo isn’t the only site to have sold breached data. LeakedSource shut down in 2017, as did LeakBase.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast.

Leave a Reply

Your email address will not be published. Required fields are marked *