Feds Dismantle Dark Web Credentials Market

Meanwhile, authorities are aggressively going after former users of the Webstresser DDoS-for-hire service.

Law-enforcement agencies across the world have taken aim at Dark Web denizens this week, with the takedown of a credentials marketplace as well as continued action against former users of the Webstresser.org DDoS-for-hire site.

An international law-enforcement operation has dismantled the xDedic Marketplace, a website for the illicit sale of compromised computer credentials and personally identifiable information (PII). According to the FBI on Monday, buyers could search for compromised computer credentials on xDedic by desired criteria, such as price, geographic location and operating system.

Authorities believe that the website facilitated more than $68 million in fraud over the course of its operation, with victims that span the globe and all industries, including local, state and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

On January 24, seizure orders were executed against the domain names for the xDedic Marketplace, effectively sinkholing it.

The FBI noted that the market operated across a widely distributed network, using the anonymity of Bitcoin transactions to hide the locations of its underlying servers and the identities of its administrators, buyers and sellers. Because the xDedic administrators strategically maintained servers all over the world, the takedown operation was undertaken by the FBI in conjunction with Europol and various country-specific agencies in Belgium, Germany and the Ukraine.

Meanwhile, the U.K.’s National Crime Agency (NCA), working with law enforcement partners from 14 countries, announced that it is actively going after the users of Webstresser.org, which was the most popular DDoS-for-hire service on the market until it was shut down last April. At its height, it had 136,000 international users, and is believed to be behind at least 4 million cyberattacks around the world. It sold the capability to knock websites offline and take down domains for as little as $18 per month.

NCA has subsequently gone after a number of those users; in total, the NCA and regional departments have executed eight warrants and seized more than 60 personal computers, tablets and mobile phones since November 2018, while other users have received cease-and-desist notices. A further 400 users of the service are now being targeted by the NCA and partners, the agency said.

This is the latest action in the “Operation Power Off” takedown of Webstresser.org. In April, a multi-national investigation led to the arrest of the administrators of the site. Investigators also shut down the service completely and seized its infrastructure, which was installed in the Netherlands, the U.S. and Germany.

“Cybercrime is not constricted by borders,” said Jim Stokley, deputy director of the NCA’s National Cyber Crime Unit, in a statement Monday. “The coordinated international response to this threat shows how law enforcement works around the globe to combat criminally orchestrated disruption impacting the public sector, commerce and the public.”

He added, “The action taken shows that although users think that they can hide behind usernames and cryptocurrency, these do not provide anonymity. We have already identified further suspects linked to the site, and we will continue to take action.”

Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.