1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Police bust duo 'selling 12 billion passwords'

January 17, 2020

The website purported to give access to stolen data from 10,000 data breaches, giving hackers easy access to user credentials. The police operation tracking the cybercrime involved the UK, US, Netherlands and Germany.

Symbolbild - Überwachung - Spionage
Image: Colourbox/O. Artem

Two men were arrested in the Netherlands and Northern Ireland under suspicion of trying to sell 12 billion usernames and passwords online, Dutch police said on Friday.

The website, WeLeakInfo.com, was later shut down by the FBI.

A 22-year-old man was arrested in the eastern Dutch city of Arnhem after police received a tip from a Dutch cybercrime unit working with Britain's National Crime Agency, the FBI and German police.

Read moreOnline platforms in Germany fail to meet EU data protection rules: study

Cyber-attacks – how companies can defend themselves

A second suspect, also 22, was nabbed in Northern Ireland. Police raided two homes in Arnhem, including that of the suspect, and found professional equipment that would allow him to sell the data via the We Leak Info website.

Investigators found their way to the suspects by tracing payments back to an IP address believed to have been used by the two men, according to a statement issued by Britain's National Crime Agency (NCA).

Stolen data for sale

While there was no specific information about the suspect arrested in Northern Ireland, Dutch police said that the suspect found during the raids in Arnhem is thought to have played a "facilitating role" in the data hacking scheme.

The investigation began in August of last year, and the usernames and passwords offered for sale were used in cyberattacks in the UK, Germany and the US.

The website purported to offer unlimited access to all data listed on its site for $2 (€1.80) per day, or $25 per month, according to Dutch public broadcaster NOS.

While the site claimed to help users discover if their personal information had been stolen, it actually provided hackers easy access to "information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records," said the US Department of Justice in a statement.

Read moreComing together against cybercrime

The NCA said that the stolen credentials were taken from around 10,000 separate data breaches, on popular sites such as LinkedIn and MyFitnessPal. The suspects were also believed to have made over £200,000 (€234,000, $261,000) from data sales on the site.

Since the site was shut down, the homepage displays a disclaimer reading "This domain has been seized," with the logos of several law enforcement organizations.

Made in Germany - Cybercrime

Every evening, DW's editors send out a selection of the day's hard news and quality feature journalism. You can sign up to receive it directly here.

lc/stb (AFP)