A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme.
Glib Oleksandr Ivanov-Tolpintsev, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September 2021.
The illegal sale involved the trafficking of login credentials to servers located across the world and personally identifiable information such as dates of birth and Social Security numbers belonging to U.S. residents on a darknet marketplace.
The unnamed site purportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the U.S. alone. Believed to have been operational from around October 2014, the underground marketplace was seized by law enforcement authorities on January 24, 2019, according to court documents.
This exactly coincides with the dismantling of the xDedic Marketplace on the same date following a year-long investigation by agencies from the U.S., Belgium, Ukraine, and Germany.
"The xDedic Marketplace sold access to compromised computers worldwide as well as personal data," Europol said at the time, adding, "users of xDedic could search for compromised computer credentials by criteria, such as price, geographic location, and operating system."
Victims spanned a wide gamut of sectors like governments, hospitals, emergency services, call centers, metropolitan transit authorities, law firms, pension funds, and universities.
"Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included ransomware attacks and tax fraud," the U.S. Justice Department (DoJ) noted in a press statement.
Ivanov-Tolpintsev is said to have obtained the server usernames and passwords by means of a botnet that was used to carry out brute-force and password spraying attacks, listing these hacked credentials for sale on the marketplace from 2017 through 2019 and netting $82,648 in return.
The sentencing comes as the DoJ handed a jail term of at least five years to a trio of cybercriminals for conspiracy to commit fraud and aggravated identity theft.
"From at least 2015 through 2020, [Jean Elie Doreus] Jovin, Alessandro Doreus, and Djouman Doreus conspired to knowingly, and with intent to defraud, possess tens of thousands of counterfeit and unauthorized access devices—including the names, Social Security numbers, account numbers, usernames, and passwords of identity theft victims," the department said.