Mar 19, 2024NewsroomThreat Intel / Cybercrime

A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.

Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. He pleaded guilty on December 1, 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said last week.

“Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer.”

Prospective customers could also search for RDP and SSH credentials based on various filter criteria such as price, geographic location, internet service provider, and operating system.

In an attempt to hide the transaction trails, the marketplace provided an online payment system called Perfect Money, which further made it possible to convert Bitcoin to and from Perfect Money. The infrastructure associated with E-Root and Perfect Money has since been seized by law enforcement as of late 2020.

More than 350,000 credentials are estimated to have been advertised for sale on the illegal marketplace, with many of the victims subjected to ransomware attacks and identity tax fraud schemes.

Diaconu, who served as the administrator between January 2015 and February 2020, was arrested in the U.K. in May 2021 while trying to flee the country. He was extradited to the U.S. in late October 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said.

The development comes as the DoJ also said it’s recovering $2.3 million worth of cryptocurrency linked to a pig butchering romance scam that victimized at least 37 individuals across the U.S.

Such schemes seek to build trust with victims in online communications and then entice them into investing in a cryptocurrency scam under the guise of quick returns. Instead, the funds are diverted to the scammers’ wallets, leading to financial losses.

According to Web3 anti-fraud company Scam Sniffer, approximately 57,000 victims have lost about $47 million to crypto phishing scams in the month of February 2024 alone.

“Compared to January, the number of victims who lost over $1 million decreased by 75%,” it said in a series of posts on X (formerly Twitter). “Most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts.”

Jan 23, 2024NewsroomCyber Crime / Dark Web

Conor Brian Fitzpatrick has been sentenced to time served and 20 years of supervised release for his role as the creator and administrator of BreachForums.

Fitzpatrick, who went by the online alias “pompompurin,” was arrested in March 2023 in New York and was subsequently charged with conspiracy to commit access device fraud and possession of child pornography. He was later released on a $300,000 bond, and in July 2023, he pleaded guilty to the charges.

BreachForums was a major cyber crime marketplace that facilitated the trafficking of stolen data since March 2022. Prior to its shutdown, the website boasted of over 340,000 members.

Among the stolen items commonly sold on the platform were bank account information, Social Security numbers, personally identifying information (PII), hacking tools, breached databases, and account login information for compromised online accounts with service providers and merchants.

BreachForums also advertised services for gaining unauthorized access to victim systems. In all, millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies are estimated to have been impacted.

On top of that, Fitzpatrick operated a “Leaks Market,” acting as a trusted middleman (i.e., escrow) between individuals on the website who sought to trade hacked or stolen data, tools, and other illicit material.

“In addition, Fitzpatrick allegedly managed an ‘Official’ databases section through which BreachForums directly sold access to verified hacked databases through a “credits” system administered by the platform,” the U.S. Department of Justice said.

Court records obtained by DataBreaches.net show that Fitzpatrick’s mental health may have had a role in him escaping a prison sentence. A day before sentencing, prosecutors recommended a 15-year prison sentence for the defendant.

The 21-year-old is expected to serve the first two years of supervised release on home arrest with a GPS location tracker and undergo mental health treatment. He has also been ordered to refrain from using the internet for the first year and register with the state sex offender registration agency in any state where he resides.

The amount of restitution Fitzpatrick has to pay for victims’ losses has yet to be determined. Earlier this month, Fitzpatrick was jailed for violating the terms of his pre-sentencing release by using an unmonitored computer and a virtual private network (VPN).

That having said, law enforcement seizure of the domains in March 2023 has done little to stop the illegal service from going off the grid. In November 2023, BreachForums was resurrected by the infamous ShinyHunters group, who were previously known to be active on the Raid Forums, the takedown of which led to the launch of BreachForums.

Dec 24, 2023NewsroomCyber Crime / Data Breach

Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.

Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime “as soon as possible,” BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial.

Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail.

Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September.

The attack spree, which took place between August 2020 and September 2022, targeted BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.

LAPSUS$ is said to comprise members from the U.K. and Brazil. A third member of the group, also suspected to be a teen, was arrested in the South American nation in October 2022.

A report published by the U.S. Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) this year revealed the threat actor’s use of SIM-swapping attacks to take over victim accounts and infiltrate target networks. It also used a Telegram channel to publicize its operations and extort its victims.

Over the past year, the notoriety attracted by LAPSUS$ has also led to the emergence of another group called Scattered Spider. Both groups are part of a larger entity that calls itself the Comm.

According to the Federal Bureau of Investigation, the Comm consists of a “geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram” to engage in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.

“This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone’s broader future,” Amanda Horsburgh, detective chief superintendent from the City of London Police, said.

“Many young people wish to explore how technology works and what vulnerabilities exist. This can include learning to code, interacting with like-minded individuals online and experimenting with tools. Unfortunately, the digital world can also be tempting to young people for the wrong reasons.”