Cops take down data wholesale operation

A website that made available more than 12 billion personal credentials for as little as $2 a day has been taken offline and two arrests made in Northern Ireland and the Netherlands as the result of an investigation by the UK’s National Crime Agency (NCA) and international partners.

The WeLeakInfo website is thought to have hosted data gleaned from over 10,000 leaks and breaches in recent years. Data bought from it is known to have been used in targeted cyber attacks against individuals in Germany, the UK and the US.

During the five-month operation, the NCA identified two individuals who it is believed had made profits in excess of £200,000 from the site. It said online payments traced back to IP addresses that they are believed to have used, implicating them in the running of the site. NCA investigators also found evidence of payments made to hosting companies in Germany and New Zealand.

This information was passed to the Police Service of Northern Ireland (PSNI) and the cyber crime unit East Netherlands, which arrested two 22-year-old men on 15 January in Fintona, County Tyrone, and Arnhem, respectively.

At the same time, Germany’s federal police force, the Bundeskriminalamt (BKA), and the FBI seized the website’s domain and took it offline.

“We know that WeLeakInfo.com formed an extremely valuable part of a cyber criminal’s toolkit. However, this significant criminal website has now been shut down as a result of an international investigation involving law enforcement agencies from five countries,” said the NCA’s senior investigating officer, Andrew Shorrock.

“Cyber crime is a threat that crosses borders and so close international collaboration is crucial to tackling it. These arrests have resulted in the seizure of the site’s data, which included 12 billion personal credentials, so work is continuing by law enforcement to mitigate these and notify the sites that were breached.

“The data behind the site is a collaboration of more than 10,000 data breaches. Criminals rely on the fact that people duplicate passwords on multiple sites, and data breaches such as these create the opportunity for fraudsters to exploit that.

“WeLeakInfo.com formed an extremely valuable part of a cyber criminal’s toolkit [but it] has now been shut down as a result of an international investigation involving law enforcement agencies from five countries”

“Password hygiene is therefore extremely important. Advice on this, and further guidance on how to mitigate against cyber attacks, can be found on the National Cyber Security Centre’s website.”

Detective superintendent Richard Campbell, head of the PSNI’s cyber crime centre, added: “This significant operation involving PSNI, the NCA and the Dutch and German police has disrupted a major organised crime gang who were selling people’s personal details for profit.

“We were pleased to play our part by arresting a 22-year-old man in Fintona on suspicion of fraud and for encouraging or assisting contrary to S46 of the Serious Crime Act 2015. He has since been released on bail pending further enquiries.

“This NCA-led investigation in partnership with PSNI and Dutch authorities demonstrates how law enforcement agencies can work together successfully to disrupt major crime taking place anywhere in the world. Let this be a clear warning there is no hiding place for cyber criminals.”

The arrests are linked to another major investigation conducted by the NCA towards the end of 2019, which established links between the purchase of remote access trojans (RATs) and other tools used by hackers, and the men behind WeLeakInfo.

An operation in November saw the NCA and the North West Regional Organised Crime Unit execute 21 warrants across the UK targeting buyers of the Imminent Monitor RAT in a global operation. Of the 21 UK suspects, 12 had paid for access to the WeLeakInfo website.