Investigation of xDedic cybercrime site reaches ‘culmination,’ US says

The U.S. Department of Justice said that it has charged nearly 20 individuals for their involvement in the xDedic cybercrime marketplace operation, with more than a dozen already sentenced to prison.

The department announced on Thursday that it had reached the “culmination of a transnational cybercrime investigation” against the darknet site. Since its takedown in 2019, international law enforcement officers have arrested administrators, sellers and buyers in the U.S., Moldova, Ukraine, the U.K. and Georgia.

The Ukrainian-language cybercrime forum was founded in 2014. It illicitly sold login credentials to servers located worldwide, along with personally identifiable information, including dates of birth and Social Security numbers of U.S. residents.

In the course of an international operation the largest site xDedic was blocked for the sale of confidential information at DarkNet. All the members, who provided activities of this hacker group, were detained.https://t.co/dDzY617LQw#xDedic #darknet #cyberpoliceUkraine #europol pic.twitter.com/59PUKSz1u6

— Cyberpolice Ukraine (@CyberpoliceUA) January 28, 2019

Once purchased, criminals used those servers for a wide range of illegal activities, including tax fraud and ransomware attacks, according to the Justice Department.

To conceal their locations and identities, the xDedic administrators operated the website across a widely distributed international network and used cryptocurrency for payment.

In total, the marketplace offered more than 700,000 compromised servers for sale, including at least 150,000 in the U.S.

Victims included government agencies, hospitals, emergency services, call centers, accounting and law firms, pension funds and universities.

The major players

In the years that followed the takedown of the xDedic, the U.S. investigated, charged and convicted individuals involved in every level of the website’s operation. To date, 14 people have been sentenced, and five cases are still pending, including those of Bamidele Omotosho from Nigeria; Olayemi Adafin, Olakunle Oyebanjo and Akinola Taylor from the U.K.; and Oluwarotimi Ogunlana from the U.S.

Some of the prominent cases include:

Administrators. Alexandru Habasescu, who resided in Moldova, was the lead developer and technical mastermind for the marketplace. He was taken into custody in Spain in 2022 and extradited to the U.S.

Pavlo Kharmanskyi, who lived in Ukraine, advertised the website, paid administrators, and provided customer support to buyers. He was arrested at the Miami International Airport in 2019 as he attempted to enter the U.S.

They were sentenced to 41 and 30 months in prison, respectively.

Sellers. Dariy Pankov, a Russian national, was one of the highest sellers on the marketplace by volume, listing for sale the credentials of more than 35,000 compromised servers located all over the world and obtaining more than $350,000 in illicit proceeds, according to DOJ.

He developed a powerful malicious software program NLBrute that was capable of compromising protected computers by decrypting login credentials. Pankov was taken into custody in Georgia in 2022 and extradited to the U.S. He was sentenced to 60 months in federal prison.

Buyers. Allen Levinson, a Nigerian national, was particularly interested in purchasing access to U.S.-based certified public accounting (CPA) firms. He used the information he obtained from those servers to file hundreds of false tax returns with the U.S. government, requesting more than $60 million in fraudulent tax refunds.

Levinson was taken into custody in the U.K., in 2020 and extradited to the U.S. He was subsequently sentenced to 78 months in federal prison.