US Law Enforcement Shutters Carder MarketplaceUS, Europe Take Action on Marketplace for Selling Personal Data
Portuguese authorities seized an online marketplace selling millions of Social Security numbers, payment cards and other credentials as U.S. authorities unsealed a criminal case against a Moldovan man accused of operating the site.
The now-defunct WT1Shop offered approximately 5.85 million credentials for sale, federal prosecutors say in their complaint against Nicolai Colesnicov. Law enforcement in the U.S. has also seized four domains used by the website:
wt1store.net. The U.S. probe into Colesnicov, 36, relied on undercover purchases of driver's licenses, passports, bank logon credentials and American Express cards. He faces a maximum of 10 years in prison if convicted. He has not been arrested; a spokeswoman for the District of Maryland, where Colesnicov would be prosecuted, declined to say his whereabouts or whether he's evading detention.
As of June 2020, marketplace sellers retailed 2.4 million credentials for total proceeds of more than $4 million, the Department of Justice says.
The marketplace was gaining popularity, and the number of registered users climbed from 60,000 in June 2020 to 106,000 in December 2021.
The investigation into the WT1Shop was a global affair involving law enforcement in the Netherlands - where the data center hosting WT1SHOP was located before Colesnicov changed to a Portuguese provider - Moldova, Estonia and California, where Google provided records associated with the email address used to register two of the marketplace domains. Dutch law enforcement took an image of the marketplace server, revealing its database. Cloudflare provided records associated with the marketplace domains.
Following the Digital Trail
The complaint says the marketplace supported cryptocurrency transactions for the sale and purchase of the stolen data, which included the use of bitcoin in the payment mechanism. That eventually led to the downfall of Colesnicov's marketplace.
An unidentified cryptocurrency exchange based in Estonia helped pinpoint his identity by providing logs showing Colesnicov's IP addresses, which investigators linked to the IP addresses used to access his Gmail account. Colesnicov's also used his Gmail account to book travel under his real name and passport number.
Investigators were able to identify the Bitcoin exchange through an undercover purchase of login credentials and driver's licenses. They identified a second exchange used by Colesnicov since the accounts on both exchanges had the same username and public name. Both were accessed from the same IP addresses.
Colesnicov's Gmail address was also a backup email for a second email address used to register an account with the Netherlands data center hosting the online marketplace. Records supplied by Google showed IP addresses associated with the second email address were also the IP addresses used to access the Gmail account and the two Bitcoin exchanges. The second email address revealed payment receipts for data center hosting made with cryptocurrency stored with the Estonian Bitcoin exchange.
The image of the marketplace database revealed a third email address for an admin account. Logs from the database showed the IP addresses used for the admin account were also used to log onto the Gmail account.
A fourth email address associated with the Estonian Bitcoin exchange was also the same email address used to register with Cloudflare for services on the four confiscated web domains.