Ukrainian sentenced to 4 years for selling hacked passwords

A Ukrainian man was sentenced Thursday to four years in federal prison and ordered to pay back illegally obtained profits made by selling decrypted usernames and passwords online. 

Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old from Chernivtsi in southwest Ukraine, pleaded guilty in February to using a botnet to rapidly decrypt user credentials, according to the Justice Department, and then sell them on the dark web. His case attracted media attention last year when details emerged that sloppy mistakes, including receipts from local vape shops, passport scans, and pictures on Google Photos, allowed authorities to link him to the sold credentials.

Prior to his indictment, Ivanov-Tolpintsev claimed his botnet was able to decrypt the logins of nearly 2,000 computers every week. The Tampa Division of the FBI and the IRS found thousands of credentials listed for sale by Ivanov-Tolpintsev between 2017 and 2019, including more than 100 in the Middle District of Florida, where he was sentenced. 

The “Marketplace” website he used listed over 700,000 compromised servers for sale, 150,000 of them being from the U.S., which were advertised to criminals looking to conduct ransomware attacks and tax fraud. The victims of the scheme are global and range from government officials, healthcare systems, emergency operators, public transit employees, universities, and law firms, according to the DoJ’s press release. 

Ivanov-Tolpintsev was initially taken into custody in Korczowa, Poland in October 2020, and later extradited to the U.S. He faced a maximum penalty of 17 years in prison.