Today the United States Department of Justice announced the seizure of the popular leaking site weleakinfo.com. The seizure was the result of a coordinated effort among the United Kingdom’s National Crime Agency, the Netherlands National Police Corps, the German Bundeskriminalamt (the Federal Criminal Police Office of Germany), and the Police Service of Northern Ireland.
According to the press release issued by the DOJ, the domain was seized for its activities that included offering a search engine for its users to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts. Specifically, threat actors commonly subscribed to search for exposed usernames and passwords and then used that info to perform credential stuffing attacks, phishing attacks, and potentially network breaches: "The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months)."
As of today the site WeLeakInfo.com is effectively under control of U.S. authorities, demonstrating once again that offering such services on the clearnet is usually not a viable idea. It is also noteworthy that the administrators of the site were apparently clueless as during the time of the shutdown they tweeted that they were still investigating the issue.
WeLeakInfo offered various subscription plans to access their database of self-proclaimed 12.5 million individual records. This list was compiled from various data breaches, some were supposedly exclusive to WeLeakInfo. Users could choose between different plans, ranging from $2 to $70 a month for various degrees of access to the database.
For the maintainers of the site this was fairly lucrative for as long as it lasted - according to the DOJ press release, wo individuals were arrested in the Netherlands and Ireland who are suspected to be involved in the site and are believed to have made £200,000 from its operation.
But their fall was caused by their inability to hide these financial transactions as the authorities were able to identify them: “nline payments traced back to these individual's IP addresses indicate that they may be heavily involved in the site's operation.” Furthermore, the UK National Crime Agency states they have established links between We Leak Info and the purchase of further malware such as RATs and Cryptors.
According to the news site The Register, the NCA began looking closely at the site, which is said to have offered paid access to around 12 billion items of personal data, in August 2019.
There are also a dozen other individuals linked to WeLeakInfo, no further details of arrests have been released so far.
For the business model as such, this incident is unlikely to have an impact. Other similar sites (such as “Leak – Lookup”, “Snusbase”, “DeHashed”, or “Leakedsource” are already reporting an influx of new user registrations and traffic because of the disappearance of WeLeakInfo - there is certainly a demand to be filled.
If anything, this is one more incident to add to the list of OPSEC fails: Don't offer services that will be persecuted by law enforcement authorities on the clear net. But if you do, you should have taken all measures to remain anonymous including making sure that payments cannot be tracked back to your identity.