Ukrainian Gets Four Years for Brute Forcing Thousands of Credentials

A Ukrainian man has been handed a four-year jail term for stealing thousands of server logins and putting them up for sale on the dark web.

Glib Oleksandr Ivanov-Tolpintsev, 28, from Chernivtsi, was arrested in October 2020 by Polish police and subsequently extradited to the US, where he pleaded guilty in February this year.

He’s said to have controlled a botnet designed to brute-force server logins en masse. Once cracked, these working credentials were then sold on a dark web marketplace. Ivanov-Tolpintsev boasted that he could obtain at least 2000 access credentials in this way per week, according to the Department of Justice (DoJ).

He is said to have listed thousands of logins for sale on an unnamed marketplace from 2017 to 2019, receiving over $82,000 from customers. Some of these credentials came from businesses operating in Florida, which is where the case was investigated by the FBI.

The marketplace itself listed not only server usernames and passwords, but personally identifiable information (PII), including dates of birth and Social Security numbers for US residents.

Cyber-criminals used access to these servers to launch ransomware attacks and commit tax fraud, according to the DoJ.

The site reportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the US and 8000 in Florida, although victims spanned the globe.

Among the victims listed by the DoJ were local, state and federal governments, hospitals, emergency services, call centers, metropolitan transit authorities, accounting and law firms, pension funds, and universities.

Despite best practice advice to switch to multi-factor authentication, passwords are still the most popular way for corporate users to access IT assets.

A security vendor revealed in a March 2021 report that it found 1.5 billion breached login combos circulating online in the previous year, with 60% of credentials reused across multiple accounts.

This puts them at risk of credential stuffing and other brute force tactics, where automated botnets like Ivanov-Tolpintsev’s are set to work cracking open accounts.

What’s Hot on Infosecurity Magazine?