Mar 19, 2024NewsroomThreat Intel / Cybercrime

A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.

Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. He pleaded guilty on December 1, 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said last week.

“Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer.”

Prospective customers could also search for RDP and SSH credentials based on various filter criteria such as price, geographic location, internet service provider, and operating system.

In an attempt to hide the transaction trails, the marketplace provided an online payment system called Perfect Money, which further made it possible to convert Bitcoin to and from Perfect Money. The infrastructure associated with E-Root and Perfect Money has since been seized by law enforcement as of late 2020.

More than 350,000 credentials are estimated to have been advertised for sale on the illegal marketplace, with many of the victims subjected to ransomware attacks and identity tax fraud schemes.

Diaconu, who served as the administrator between January 2015 and February 2020, was arrested in the U.K. in May 2021 while trying to flee the country. He was extradited to the U.S. in late October 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said.

The development comes as the DoJ also said it’s recovering $2.3 million worth of cryptocurrency linked to a pig butchering romance scam that victimized at least 37 individuals across the U.S.

Such schemes seek to build trust with victims in online communications and then entice them into investing in a cryptocurrency scam under the guise of quick returns. Instead, the funds are diverted to the scammers’ wallets, leading to financial losses.

According to Web3 anti-fraud company Scam Sniffer, approximately 57,000 victims have lost about $47 million to crypto phishing scams in the month of February 2024 alone.

“Compared to January, the number of victims who lost over $1 million decreased by 75%,” it said in a series of posts on X (formerly Twitter). “Most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts.”

Jan 05, 2024NewsroomCyber Attack / Data Breach

Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar’s systems at least since May 2023.

The development was first reported by Reuters.

The incident, described as a “powerful hacker attack,” first came to light last month, knocking out access to mobile and internet services for millions of customers. Soon after the incident, a Russia-linked hacking group called Solntsepyok took responsibility for the breach.

Solntsepyok has been assessed to be a Russian threat group with affiliations to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

The advanced persistent threat (APT) actor has a track record of orchestrating disruptive cyber attacks, with Denmark accusing the hacking outfit of targeting 22 energy sector companies last year.

Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cybersecurity department, said the attack against Kyivstar wiped out nearly everything from thousands of virtual servers and computers.

The incident, he said, “completely destroyed the core of a telecoms operator,” noting the attackers had full access likely at least since November, months after obtaining an initial foothold into the company’s infrastructure.

“The attack had been carefully prepared during many months,” Vitiuk said in a statement shared on the SBU’s website.

Kyivstar, which has since restored its operations, said there is no evidence that the personal data of subscribers has been compromised. It’s currently not known how the threat actor penetrated its network.

It’s worth noting that the company had previously dismissed speculations about the attackers destroying its computers and servers as “fake.”

The disclosure comes as the SBU revealed earlier this week that it took down two online surveillance cameras that were allegedly hacked by Russian intelligence agencies to spy on the defense forces and critical infrastructure in the capital city of Kyiv.

The agency said the compromise allowed the adversary to gain remote control of the cameras, adjust their viewing angles, and connect them to YouTube to capture “all visual information in the range of the camera.”