Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested

The threat actor known as ‘Sanix’ had terabytes of stolen credentials at his residence, authorities said.

A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in Ukraine.

The Security Service of Ukraine (SSU) took into custody a threat actor known as “Sanix,” who they claim posted 773 million e-mail addresses and 21 million unique passwords on a hacker forum last year, according to a press release. The SSU said it worked with the Ukrainian cyber police and National Police on the investigation. Authorities did not release his real name.

Known as Collection 1, the database of breached emails was discovered on a popular underground hacking forum on Jan. 17, 2019. At the time Troy Hunt, the researcher behind the HaveIBeenPwned database, quantified the trove of data as 1,160,253,228 unique combinations of email addresses and passwords.

“Collection 1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that’s a sizeable amount more than a 32-bit integer can hold.),” he wrote in a January 17, 2019 blog post.

The database appears to be just the tip of the iceberg of stolen credentials Ukrainian authorities found at Sanix’s residence in the Ivano-Frankivsk region of western Ukraine upon his arrest, they said.

“The hacker had at least seven similar databases of stolen and broken passwords, the total amount of which reached almost terabytes,” according to the release. “These included personal, including financial, data from residents of the European Union and North America.”

In all, authorities seized computer equipment with 2 terabytes of stolen information along with phones that show evidence of illegal activities, as well as about $10,000 in cash from illegal transactions in both Ukrainian hryvnias and U.S. dollars, they said.

To track Sanix down, authorities recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies and PayPal accounts, they said. They also tracked information on computers being used in botnets and for organizing DDoS attacks.

Initially there was some disagreement among security experts over who was actually responsible for selling the Collection 1 credentials on forums. After the credentials were discovered, Sanix and two other forum users, “C0rpz” and “Clorox,” also claimed responsibility for the data dump.

Security researcher Brian Krebs of the KrebsOnSecurity blog identified Sanix early on as the hacker who attempted to sell the 87-gigabyte database, which on the forum was created by C0rpz. However, a month later, researchers from Recorded Future said that C0rpz was the true seller of Collection 1.

“Sanix was the individual identified by Brian Krebs… and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz,” researchers said at the time.

However, even after Sanix was subsequently banned from the forum, C0rpz posted links to MEGA sharing Collection #1 free of charge to the community, they said.

With the arrest of Sanix, it now appears Krebs may have been right. At the time, Krebs contacted the hacker to delve further into the origin of Collection 1, which Sanix said was already two to three years old. He also told the security researcher that he had other password packages, more than 4 terabytes’ worth, that included fresher credentials.

Sanix is currently cooperating with Ukrainian authorities to prepare “a report on suspicion of unauthorized interference with computers” and their unauthorized sale or dissemination, according to the SSU release.

