xDedic, the illegal site that sold credentials for server access, was shut down in Ukraine by the FBI, Europol and other bodies
On Thursday, 24th of January, European authorities seized xDedic, one of the major hubs for cybercriminal activity, known for selling personal information and access to compromised servers. The operation, which involved the FBI and law enforcement from multiple European countries, also resulted in the arrest of three individuals suspected of illegal activities related to the domain.
The official report from the Department of Justice stated:
The international operation to dismantle and seize this infrastructure is the result of close cooperation with law enforcement authorities in Belgium and Ukraine, as well as the European law enforcement agency Europol. On January 24, 2019, seizure orders were executed against the domain names of the xDedic Marketplace, effectively ceasing the website’s operation.
The illegal marketplace was established back in 2014 and operated throughout the years that followed. However, it became better known only after Kaspersky Lab published a report on it in 2016. At the time, 70,000 hacked RDP server accounts were offered on the website by mostly Russian-speaking hackers.
The servers were related to various areas, such as education, banking, email server providers, e-commerce websites, advertising networks, ISPs, messenger services and many others.
The illegal service involved a lucrative business model
The illegal service was located on the xdedic[.]biz domain, which could be accessed by anybody. Users were asked to provide an email address or Jabber account during the registration process. Once registered, they had to pay a $10 fee within 72 hours; otherwise, the account would be automatically deleted.
Bad actors could then log in to view a dashboard that contained a list of server credentials available for sale, with details such as IP address, location, technical information, installed anti-virus, availability of admin privileges and the price. According to the domain owners, they were not involved in selling the credentials, but merely provided a platform for thousands of criminals to do so.
The prices per server were as low as $8 in 2016. However, according to another report published by Flashpoint researchers in 2017, the prices went down to as little as $6 per server and the count of servers went up to 85,000. Evidently, the site was booming, and it also resulted in $68 million in fraud during the time of its operation.
Additionally, willing participants could also buy a set of hacking tools for malicious activities:
In the case of some proxifiers or mass-email sending software, these pre-installed features can be leveraged by the criminals to send out spam or use proxy software without arousing suspicion.
There is a strong interest in accounting, tax reporting and point-of-sale (PoS) software which apparently opens up many opportunities for fraudsters.
The business went underground after 2016, although the operations were still maintained
After massive media exposure in 2016, the site went underground and moved to the Dark Web, also setting certain conditions for registration. The xDedic administrators also used Bitcoin cryptocurrency to hide the locations of the servers, as well as the identities of buyers and sellers, to avoid being caught by the authorities.
Despite these efforts, the operation of the site came to a close at the beginning of 2019:
At the beginning of 2018, a Joint Investigative Team (JIT) agreement was signed between the Federal Prosecutor and the Investigating Judge of Belgium and the Prosecutor General of Ukraine, Europol and Eurojust. Europol organised operational meetings in its headquarters in The Hague and provided operational analysis, forensic support and on the spot support.
For now, law enforcement has won a battle, but not the war, as there are thousands of such illegal services operating worldwide. While shutting down all such sites is impossible, organizations should ensure stronger protection of the servers they run.