Ukrainian Police Arrest Suspected Combo List Mastermind

Ukrainian intelligence officers have arrested a man they believe to be Sanix, a notorious cyber-criminal responsible for selling billions of log-ins online.

In concert with cyber police, agents from the Secret Service of Ukraine (SBU) swooped on the individual, who lived in the Ivano-Frankivsk region.

They seized 2TB of stolen user information, mobile phones “with evidence of illegal activities” and cash from illegal transactions amounting to around 190,000 hryvnias ($7100) and more than $3000.

Officers also took from the arrested man’s apartment PINs for bank cards, cryptocurrency wallets, PayPal account details, and “information about computers hacked for further use in botnets and for organizing DDoS attacks.”

Sanix is widely believed to have been responsible for selling the “Collection” combo lists of email usernames and passwords that first emerged in January 2019.

The first data dump, dubbed “Collection #1,” contained 772 million unique email addresses, the largest single trove to be fed into the HaveIBeenPwned breach notification site, and more than 21 million unique passwords.

It subsequently emerged that this collection contained data that was two or three years old, gathered from multiple sources. However, the person trying to sell them, dubbed “Sanixer” on Telegram, told Brian Krebs at the time that the other packages up for sale were more current.

Together, he claimed they amounted to around 4TB of data, or many billions of records.

Such lists are typically bought and used in credential stuffing attacks, where they’re fed into an automated program and tried simultaneously on multiple sites and accounts in a bid to crack them open.

The reason cyber-criminals have success with this tactic is that computer users continue to reuse their passwords across multiple services.

The SBU said it found evidence of Collection #1 on Sanix’s machine along with “at least seven similar databases” of stolen and cracked/decrypted passwords.
