Owner of Defunct Firm Fined in LeakedSource.com CaseWebsite Sold Access to 3.1 Billion Stolen Login Credentials, Authorities Say
The former owner of the company behind the LeakedSource.com website, which trafficked in billions of stolen login credentials, will pay a fine equivalent to the money he made off the scam, according to the Royal Canadian Mounted Police.
See Also: Automating Security Operations
Evan Bloom of Thornhill, Ontario, who owned Defiant Tech, had been charged with trafficking in identity information, unauthorized use of computer, mischief to data and possession of property obtained by crime, according to a 2018 police statement.
As part of the plea agreement, Bloom agreed to pay a fine of $247,000, according to the spokesperson for the Royal Canadian Mounted Police. That represents the amount of Bloom's profits from the scam, police say. The charges against Bloom were dropped as part of the plea deal, the spokesperson said.
On behalf of Defiant Tech, the now defunct company behind LeakedSource, Bloom entered a guilty plea to charges of trafficking in identity information and possession of property obtained by crime, according to Canadian authorities. Under Canadian law, a company or corporation is considered a person and can enter a plea in a court of law, a spokesperson for the Royal Canadian Mounted Police said.
During its heyday, LeakedSource bought and sold more than 3.1 billion stolen credentials that earned its owner $247,000 in illicit gains between 2015 and 2016, according to Canadian authorities. The site worked in a legal gray area, advertising itself as breach notification service that offered subscriptions to paying customers (see: LeakedSource Operator Busted by Canadian Police). But LeakedSource also sold full access to stolen login credentials, according to law enforcement officials.
The investigation was also one of the first tests of the Royal Canadian Mounted Police's Division Cybercrime Investigative Team, which was created in 2016 to investigate cases such as these and work with international law enforcement.
Although LeakedSource insisted that its data came from rigorous research, many speculated that the company used leaked data from hackers and repackaged those login credentials for sale, according to published reports.
The data found on the site included personal data from LinkedIn and Dropbox. Users of the LeakedSource site could search for credentials using a username, IP address, phone number, email address, name or other personally identifying information, security researchers found.
If someone wanted to attack a site using a credential-stuffing technique, that information could cut down the time needed to compromise the account being targeted. If an attacker possessed data on a victim, LeakedSource could serve as a way to identify a password hash of the password commonly used by the victim, security researchers say.
That type of behavior, as well as complaints from companies - especially LinkedIn - which found their data posted on the LeakedSource site, eventually led the Royal Canadian Mounted Police, with help from the FBI and the Dutch National Police, to started an investigation called "Project Adoration (see: LinkedIn Breach: Worse Than Advertised).
Defiant Tech used several servers located in Quebec to host the stolen data, which is the reason why the Canadian authorities took the lead in the case, according to Canadian police.
Canadian authorities shut down the LeakedSource site in 2017 and eventually charged Bloom.