21 arrested after allegedly using stolen logins to commit fraud

0 Comments

UK police also give some food for thought to those on the verge of breaking the law

The long arm of the law has caught up with 21 people who are believed to have bought purloined login credentials on the now-defunct WeLeakInfo.com website and used them to break into other people’s online accounts and commit various cybercrimes.

Some of those arrested are also suspected of having used the criminal marketplace for trading in tools such as Remote Access Trojans (RATs) and crypters. The nationwide sting took place over a five-week period starting in the middle of November, according to the United Kingdom’s National Crime Agency.

“Through the identification of UK customers of WeLeakInfo, we were able to locate and arrest those who we believe have used stolen personal credentials to commit further cyber and fraud offences,” Paul Creffield from the NCA’s National Cyber Crime Unit was quoted as saying.

“Of those 21 arrested – all men aged between 18-38 – nine were detained on suspicion of Computer Misuse Act offences, nine for Fraud offences and three are under investigation for both,” said the agency. Some £41,000 (US$55,000) worth of bitcoin was seized.

In addition, the police visited another 69 people who had bought stolen personal information on WeLeakInfo to warn them against using the data. Many more such personal warnings are due to be dispensed over the coming months, said the agency.

In a way, the operation brings echoes of a global crackdown in 2018 on webstresser.org, the then-largest marketplace for hiring distributed denial-of-service (DDoS) attacks, and the subsequent public warning by law enforcement for buyers of such services.

RELATED READING: Cybercrime deterrence: 6 important steps

WeLeakInfo itself was impounded early this year, with two alleged operators nabbed in Northern Ireland and the Netherlands. In its heyday, the site claimed to allow searching through more than 12 billion records stolen in 10,000 data breaches. The data, which mainly consisted of username and password combinations, could be had dirt-cheap, with subscriptions starting from as little as US$2 – now compare that to the damage after somebody pilfers your personal details for identity theft.

“Cyber criminals rely on the fact that people duplicate passwords on multiple sites and data breaches create the opportunity for fraudsters to exploit that,” said the NCA.

Indeed, one thing you can do to slash the risk of falling victim to identity theft is avoid making one of the most common and costly mistakes in people’s password habits – reusing login details across multiple accounts. This rampant practice is then often exploited for credential stuffing attacks, which were behind no fewer than 30 billion login attempts in 2018.

To help avoid falling prey to these and other attacks that may ultimately cost you dearly, read our article about various password-related mistakes. Additionally, here’s how you can check if your login details may have been compromised in a known security breach.