Ukrainian cyber police have arrested three men suspected of hijacking the accounts of over 100 million internet users.
The trio, aged between 20 and 40, were arrested by police in the country’s Kharkiv region under the guidance of the regional prosecutor’s office.
Operating as part of a cybercrime group, they are said to have used brute-force techniques to hijack victims’ email and Instagram accounts that were protected by easy-to-guess passwords. These attacks typically use automated software to try various combinations of commonly used credentials in order to gain access.
The men managed to amass a staggering haul of compromised accounts after operating for just a year, Ukraine’s cyber police said.
Read more on Ukrainian police operations: Ukrainian Police Bust Multimillion-Dollar Phishing Gang
Although the three lived in different parts of the country, they each played a particular role: the organizer dividing responsibilities among the other two, who compiled databases of hacked accounts and sold them on the dark web.
According to police, these were mainly purchased by fraud groups for use in follow-on scams targeting other victims.
However, the alleged cybercrime group is apparently also under investigation for colluding with Russian state actors.
Law enforcement officers carried out seven searches at the homes of suspects in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk and Kirovohrad regions. Over 70 pieces of computer equipment, 14 phones, bank cards and more than $3000 in cash were seized.
The three are being held under Part 3 of Article 28 and Part 5 of Article 361 of the Criminal Code of Ukraine and face up to 15 years in prison if found guilty.
Brute-force hacking techniques remain a popular way to hijack online accounts. In January, threat intelligence firm Mandiant admitted that its own X (formerly Twitter) account had been compromised in this way, in order to trick followers into visiting a cryptocurrency drainer phishing page.