Police Allege Hacker Sold Millions of Email CredentialsSecurity Service of Ukraine Arrests 'Sanix' for Serving as Broker on Darknet
The Security Service of Ukraine this week arrested a hacker known as "Sanix" who allegedly sold combinations of millions of email usernames and passwords on darknet forums.
Police say that on Tuesday, they arrested Sanix in Ivano-Frankivsk, a city in western part of Ukraine. The hacker's real name was not released.
Ukrainian law enforcement officials allege that Sanix had been acting as a data broker who would assemble millions of combinations of usernames and passwords taken during various data breaches around the world, and then package those up for sale on darknet forums. The hacker allegedly was selling over 773 million e-mail address usernames and 21 million unique passwords, according to the Security Service of Ukraine
Investigators allege that Sanix also sold databases that included PIN codes for bank cards, e-wallets for cryptocurrencies, compromised PayPal accounts as well as information about hacked computers for use in botnets and distributed denial-of-service attacks.
During a search of Sanix's residence this week, Ukrainian police confiscated computer equipment containing with nearly 2 TB of stolen data, cell phones and about $3,000 in U.S. currency along with another $7,000 in Ukrainian currency.
When he's arraigned, Sanix is likely to be charged with "unauthorized interference with computers and unauthorized sale or dissemination of information with limited access stored in computers," under the Ukrainian criminal code, according to the Security Service of Ukraine.
Security researchers have long suspected that a hacker named Sanix was responsible for assembling and then selling combinations of usernames and passwords that were part of a massive data dump called "Collection #1."
In January 2019, Australian information security expert Troy Hunt, who runs the HaveIBeenPwned breach notification service, brought to light a massive collection of breached data that contained about 2.7 billion rows of email IDs and password combinations, equalling about 87 GB of data. This combination of email credentials was eventually called Collection #1 (see: Data Breach Collection Contains 773 Million Unique Emails).
Databases confiscated this week from Sanix in Ukraine contained traces of stolen data connected to Collection #1, authorities say.
Much of the data contained in Collection #1 was old, but it was still valuable to fraudsters who could use the credentials in brute-force attacks and other schemes, researchers say.
Sanix is not believed to have been involved in the actual theft of the data; he only acted as a broker, collecting the data and assembling it for sale, Alex Holden, CTO and founder of the security firm Hold Security, told security blogger Brian Krebs.
A January 2019 report from security firm IntSights reported that a hacker named Sanix was involved in assembling and selling data related to the Collection #1 breach. The report noted that the stolen data started circulating in November 2018 and was first assembled and put up for sale the following month.
Earlier this month, analysts with cybersecurity firm Intel 471 observed that Sanix also was allegedly involved in other cybercrime activities, including selling access to dozens of universities around the world as well as a VPN account for the government of San Bernardino County in California, according to Krebs.