28-year-old Ukrainian national Glib Oleksandr Ivanov-Tolpintsev has been indicted by the Department of Justice for allegedly using a botnet to brute force people’s passwords, and then selling the credentials on a dark web store ominously called The Marketplace. According to the DOJ, Ivanov-Tolpintsev bragged that he was able to get at least 2,000 logins a week, and he allegedly told one of The Marketplace’s admins that he had cracked over 20,000 passwords. The DOJ’s description of the alleged methods and victims serve as a reminder of how much stolen information is out there, and the importance of implementing basic security principles.
The indictment, which can be read in full below, alleges that Ivanov-Tolpintsev talked about controlling a botnet, which is essentially a group of computers whose users don’t know they are infected with malware. He’s accused of using those computers’ power to guess people’s passwords over and over, far faster than he could with his own hardware. Then, according to the DOJ, he would sell those passwords to cybercriminals who used them to carry out fraudulent activity, such as ransomware attacks, or even accessing someone’s home security cameras.
Some of the alleged victims are perhaps a bit surprising. The criminal complaint lists two victims who were interviewed; one ran an IT business, the other was a security systems consultant who did work for the Department of Corrections. While the two victim’s systems are only a small portion of the over 6,000 compromised logins Ivanov-Tolpintsev is accused of putting up for sale, his alleged contributions are in turn just a drop in the bucket for The Marketplace. According to the complaint, vendors on the site are selling access to over 700,000 machines, and past buyers have used info purchased on The Marketplace to carry out over $100 million of fraud.
According to a report by CyberScoop, simple mistakes made it easier for investigators to accuse Ivanov-Tolpintsev. The IRS was granted access to email addresses with a warrant, and was able to link the alleged hacker to them using receipts from local vape and smoke shops, scans of his passport, and pictures on Google Photos. The emails also allegedly linked him to other accounts and identities that were related to The Marketplace, where the passwords were sold.
The DOJ says that if Ivanov-Tolpintsev is found guilty he could face up to 17 years in prison, and would have to hand over more than $80,000 that he allegedly made from selling information. He was originally caught by Polish authorities in late 2020, and was extradited to the US.
The story serves as a reminder of why good security practices are important. Things like using strong passwords and two-factor authentication can help better protect you against brute-force attacks, and occasionally scanning your computer for malware can keep your computer from inadvertently working to crack other people’s passwords. While authorities may be able to catch some cybercriminals, the vastness of The Marketplace (itself just a single site), shows that there’s plenty of people out there trying to get their hands on unprotected data.