On Wednesday, police in the Netherlands and Northern Ireland arrested two 22-year-old men believed to be connected to WeLeakInfo, a site offering usernames and passwords from multiple data breaches for sale. At the same time, the Federal Bureau of Investigation, in coordination with the UK’s National Crime Agency, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland, took down the domain for the site, redirecting it to a seizure notice (shown above).
At first, some thought the takedown was simply a breach of the site itself—mostly because the FBI took the time to add the site’s logo to the takedown notice.
There’s a mess happening over at We Leak Info since yesterday. It looks like they got hacked, and someone threw up an FBI seizure page. The seizure notice doesn’t look legit.
… Not a good look for them…https://t.co/XGGIRaJKQk #WeLeakInfo #WLI pic.twitter.com/SUzaAQD8Pd
— Cypher (@CryptoCypher) January 16, 2020
But on Thursday afternoon, the Justice Department announced the takedown and put out a call for further information on WeLeakInfo and its operators. WeLeakInfo claimed to have over 12 billion usernames and passwords from a collection of over 10,000 data breaches. Originally hosted at a Canadian hosting company’s data center when set up in 2016, the domain was moved behind Cloudflare a day later. The site, originally advertised as “the most extensive private database search engine,” purported to be a legitimate tool for companies to perform security research—even claiming to offer an application interface for performing bulk checks for breaches of company accounts.
But the site was alleged to be selling more than just breach warnings. In an announcement of the seizure of the domain posted Thursday by the US Justice Department, the DOJ alleged that WeLeakInfo allowed its users to access “a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records—including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.” The site’s subscription plans allowed users unlimited access to the data.
While the domain has been seized and computers connected to its operation were confiscated by Dutch police, the fate of the site’s server remains unknown.