WeLeakInfo Website Taken Down in International Law Enforcement Operation
WeLeakInfo(.)com, a website that sold stolen personal data to subscribers, has been seized by the FBI in an action supported by the UK’s National Crime Agency, the Dutch National Police Corp, the German Bundeskriminalamt, and the Police Service of Northern Ireland.
The site advertised itself as something similar to Troy Hunt’s ‘haveibeenpwned’ service: “Have your passwords been compromised? Find out by searching…” The big differences, however, were that WeLeakInfo provided users with plaintext passwords for other people, and charged their users. For just $2, anybody could make as many WeLeakInfo searches as they wished for a whole day. From there, subscriptions increased to $7 for a week, $25 for a month, and $70 for three months access.
The searchable data was claimed to be a total of 12 billion records gathered from 10,000 data breeches. Retrieved data could include names, email addresses, usernames, phone numbers, and passwords for online accounts.
Users of the site began to notice problems on Wednesday, commenting on Twitter, for example, “There was a red maintenance sign on the top. I’m thinking maybe they did run into an issue and its bigger than they thought.. or they are all on vacation somewhere lolz.”
But by Thursday this was replaced by a full “This domain has been seized” notice. At the same time, the U.S. Deparmtent of Justice announced, “the seized domain name — weleakinfo.com — is now in the custody of the federal government, effectively suspending the website’s operation. Visitors to the site will now find a seizure banner that notifies them that the domain name has been seized by federal authorities.” The District Court for the District of Columbia had issued the seizure warrant.
Meanwhile, a 22-year-old man from Arnhem, the Netherlands, and a 22-year-old man from Flintona, Northern Ireland, had been arrested on Wednesday following tips from the UK’s NCA. The NCA announced today, “A website [WeLeakInfo}… has been taken down following an investigation led by the National Crime Agency (NCA), in collaboration with international law enforcement partners.”
The NCA began its investigation in August 2019. Credentials retrieved from the website are known to have been used in subsequent cyber-attacks in the U.S., the UK and Germany. The NCA believes that the two arrested individuals made total profits in excess of £200,000 from the website. “Online payments tracing back to IP address believed to have been used by the two men,” said the NCA in its statement, “point them being heavily involved in the running of the site. NCA officers found evidence of payments being made from these accounts to infrastructure companies in Germany and New Zealand to host its data.”
Robert Ramsden-Board, VP EMEA at Securonix, commented, “The internet is far-reaching; therefore, cybercrime and its impact on businesses and individuals is rarely contained within one nation. So, collaboration between the US, UK and other nations law enforcement organizations is a critical step towards effectively tackling cybercrime.”
What hasn’t been indicated at this stage is whether the various national authorities involved believe they have secured all copies of the data and code used by the WeLeakInfo site. If not, the service could rapidly reappear elsewhere under a different name. The DOJ statement noticeably states that anybody with information on WeLeakInfo.com “or its owners and operators are encouraged to provide that information by filing a complaint.”
Ilia Kolochenko, founder and CEO of ImmuniWeb, commented, “From a legal perspective, the commerce of stolen property is criminally punishable in most Western jurisdictions. The prosecution will likely argue that the admins were deliberately profiteering from the unlawful sale of stolen property, recklessly allowing third-parties to access victims’ sensitive data.”
“Weleakinfo.com was a useful resource for threat actors,” adds Ramsden-Board. “Hackers could perform unlimited searches for exposed data for as little as $2 a day. Hence, providing them with all the information they would need, such as exposed usernames and passwords, to be able to perform credential stuffing attacks and phishing attacks.”
Kolochenko continued, “Given the purely commercial nature of the project, malicious intent would be easy to prove, forming an irrefutable indictment with severe prison terms on the horizon. The admins would be advised to take experienced criminal defense lawyers and consider negotiating a guilty plea. In any case, this incident serves an unambiguous “tolerance zero” notice to all grey marketplaces.”