Government agencies seize domains used to sell credentials

Cybercrime, Cybercrime as a service, Fraud and cybercrime management

DOJ: Now-closed site sold data obtained from 10,000 data breaches

Prajeet Nair (@prajeetspeaks) •
June 4, 2022

The US Department of Justice and the FBI announced they had seized three domains after an international investigation found that the domains sold stolen personal information and offered distributed denial-of-service attacks against victims’ networks.


The three Internet domain names seized are and two related domain names, and

“Today, the FBI and the Department stopped two common and distressing threats: websites that traffic in stolen personal information and sites that attack and disrupt legitimate Internet businesses,” said Matthew M. Graves, U.S. Attorney for the District of Columbia. “Cybercrime often crosses national borders. Through strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the world.”

The site functioned as a database and search engine, and the stolen data was indexed so users could search for files and information “illegally obtained in over 10,000 data breaches containing seven billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” the DOJ says.

It’s unclear how long the WeLeakInfo domain had been running, but the website gained a reputation for selling names, email addresses, usernames, phone numbers and passwords for online accounts to cybercriminals, who could buy a subscription for one day, one week, one month, three months or a lifetime, according to the DOJ.

Government agencies also announced that they seized in January 2020, shutting down a similar service then provided on that site. At that time, the same services were provided for as little as $2 a day to access data (see: Closure of the “WeLeakInfo” website).

This law enforcement action involving five countries led to the shutdown of At the time, the site offered cybercriminals access to more than 12 billion personal records extracted from 10,000 data breaches.

In July 2019, the WeLeakInfo website and its Twitter feed began reporting that 23 million personal records extracted from CafePress were available to subscribers (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).

When law enforcement in the US, UK and Europe first shut down the WeLeakInfo site in January 2020, police in Northern Ireland and the Netherlands also announced the arrest of two men, both aged 22, suspected of running the domain and profiting from the sale of personally identifiable information, malware and other malicious tools. None of the suspects have been named.

The domains and, which allegedly offered to carry out DDoS attacks on behalf of customers, in a model known as booter or stresser services, were also seized.

Visitors to WeLeakInfo are now greeted with a message that the domain has been seized.

“With the execution of the warrant, the seized domain name is now in the custody of the federal government, effectively suspending operation of the website,” according to the DOJ. “Visitors to the site will now find a seizure banner informing them that the domain name has been seized by federal authorities. The United States District Court for the District of Columbia has issued the seizure warrant.”

International takedown

In addition to the DOJ and FBI, the seizure of these domains was part of a coordinated law enforcement action with the National Police Corps of the Netherlands and the Federal Police of Belgium.

“Actions executed by our international partners included the arrest of a primary subject, searches at multiple locations, and seizures of web server infrastructure,” according to the DOJ.

In December 2020, the UK National Crime Agency reported the arrest of 21 people suspected of purchasing personally identifiable information from the WeLeakInfo website for various purposes, including buying and selling malicious cyber tools such as Remote Access Trojans, also known as RATs, as well as buying “crypters,” which can be used to obfuscate malware code, according to the NCA.

The NCA said all are male, aged between 18 and 38, and that the arrests took place over a five-week period starting in November 2020.

As well as the 21 people arrested by police, a further 69 people in England, Wales and Northern Ireland have received warnings from the NCA or other domestic law enforcement, saying they may have engaged in criminal activities related to the investigation.

Sixty of these people also received cease and desist orders from the police.

Recent domain seizures

Microsoft says it obtained an order in April from the United States District Court for the Northern District of Georgia allowing it to take control of 65 domains that the ZLoader gang used to grow, control and communicate with its botnet (see: Microsoft disrupts the ZLoader botnet in its global operation).

ZLoader, a descendant of the ubiquitous Zeus banking malware, is run by a global internet-based organized crime gang that operates malware as a service designed to steal and extort money.

“Domains are now directed to a Microsoft sinkhole where they can no longer be used by criminal botnet operators,” Microsoft said.

The United States had also seized three domains –, and – which hosted the hacker forum. The year-long joint operation by law enforcement from several countries led to the shutdown of the RaidForums darknet market and the seizure of these three domains hosting the website (see: Joint law enforcement operation dismantles RaidForums).

RaidForums was used by hackers primarily to buy and sell stolen information, including financial data such as credit card details, bank account numbers, social security numbers, login credentials and other personally identifiable information.

The dismantling of RaidForums came days after German police, leading a multi-agency effort, shut down the Russian darknet market Hydra, which was notorious for offering stolen credit and SIM cards, VPN access, mobile phones and cryptocurrency laundering services. Although there were no known arrests, Germany’s Federal Criminal Police Office seized 543 bitcoins, worth approximately $25 million, associated with the market (see: Germany closes Russian darknet market Hydra).

Ashley C. Reynolds