Police bust duo 'selling 12 billion passwords'
January 17, 2020
Two men were arrested in the Netherlands and Northern Ireland under suspicion of trying to sell 12 billion usernames and passwords online, Dutch police said on Friday.
The website, WeLeakInfo.com, was later shut down by the FBI.
A 22-year-old man was arrested in the eastern Dutch city of Arnhem after police received a tip from a Dutch cybercrime unit working with Britain's National Crime Agency, the FBI and German police.
Read more: Online platforms in Germany fail to meet EU data protection rules: study
A second suspect, also 22, was nabbed in Northern Ireland. Police raided two homes in Arnhem, including that of the suspect, and found professional equipment that would allow him to sell the data via the We Leak Info website.
Investigators found their way to the suspects by tracing payments back to an IP address believed to have been used by the two men, according to a statement issued by Britain's National Crime Agency (NCA).
Stolen data for sale
While there was no specific information about the suspect arrested in Northern Ireland, Dutch police said that the suspect found during the raids in Arnhem is thought to have played a "facilitating role" in the data hacking scheme.
The investigation began in August of last year, and the usernames and passwords offered for sale were used in cyberattacks in the UK, Germany and the US.
The website purported to offer unlimited access to all data listed on its site for $2 (€1.80) per day, or $25 per month, according to Dutch public broadcaster NOS.
While the site claimed to help users discover if their personal information had been stolen, it actually provided hackers easy access to "information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records," said the US Department of Justice in a statement.
Read more: Coming together against cybercrime
The NCA said that the stolen credentials were taken from around 10,000 separate data breaches, on popular sites such as LinkedIn and MyFitnessPal. The suspects were also believed to have made over £200,000 (€234,000, $261,000) from data sales on the site.
Since the site was shut down, the homepage displays a disclaimer reading "This domain has been seized," with the logos of several law enforcement organizations.
lc/stb (AFP)