A Hacker Known as 'Sanix' Has Been Pinned for 773 Million Stolen Usernames and Passwords

Sanix Arrested

Clearly, some cybercriminals think that hiding behind a nickname is enough to fool law enforcement and evade justice. As the person known as 'Sanix' can now tell you, that strategy doesn't always work.

Yesterday, the Security Service of Ukraine (SBU) announced that a young man living in the Ivano-Frankivsk region of the eastern European country was the person behind the Sanix moniker. After detaining him, the SBU searched Sanix's home and found plenty of incriminating evidence. It is still far too early to say how things will unfold, but the young hacker looks to be in a world of trouble. Let's see how he got himself into that situation.

Sanix and the Collection #1 database

Sanix rose to infamy in early 2019, when he went on one of the underground forums and announced that he was selling what was described at the time as a "megabreach." The database he was trying to shift was called Collection #1, and it did look pretty scary.

With as many as 2.7 billion rows, it was the biggest data dump Troy Hunt, the creator of HaveIBeenPwned, had ever seen, and it inevitably caught the attention of mainstream media. A closer examination, however, revealed that the data dump wasn't as bad as it appeared at first.

First, Troy Hunt found a lot of duplicates and junk inside the Collection #1 database, and after cleaning it up he ended up with 773 million unique email addresses and about 21 million unique exposed passwords (the gap between the two numbers reflects how many people reuse the same weak passwords). It wasn't exactly small, but compared to the initial estimates, it looked a lot less horrifying. Later, Brian Krebs revealed the origin of the data, and it became clear what Sanix was actually trying to sell.
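The clean-up step described above is worth seeing in code. The following is an added example written for this page, not Troy Hunt's own tooling: it parses a small constructed combo list in the formats typically found in credential dumps (`email:password` and `email;password`), discards junk rows, normalizes email case, and counts unique emails, unique passwords and unique pairs, which is why the raw row count and the final figures differ so much. It also shows the SHA-1 prefix/suffix split that HaveIBeenPwned's Pwned Passwords range API uses, with a constructed range response rather than a live lookup. All sample lines, the `SAMPLE_RANGE` text and the hit counts in it are made up for the example.

```python
import hashlib
import re

# Constructed sample combo-list rows (not real data): mixed delimiters,
# case variants of the same address, exact duplicates and junk rows.
SAMPLE_LINES = [
    "alice@example.com:password",
    "Alice@Example.com:password",        # same account, different case
    "alice@example.com:password",        # exact duplicate
    "bob@example.org;letmein",           # semicolon delimiter
    "bob@example.org:letmein",
    "carol@example.net:password",        # password shared with alice
    "not-an-email:whatever",             # junk: no valid address
    "",                                  # junk: blank line
    "dave@example.com",                  # junk: no delimiter, no password
    "erin@example.com:pa:ss:word",       # password that contains the delimiter
]

# Deliberately loose: combo lists are messy, and the goal is to reject
# obvious junk, not to validate RFC 5322 addresses.
EMAIL_RE = re.compile(r"^[^@\s:;]+@[^@\s:;]+\.[^@\s:;]+$")
PAIR_RE = re.compile(r"^([^:;]+)[:;](.*)$")


def parse_combo_line(line):
    """Return (email, password) or None for rows that are not usable pairs.

    Splits on the first ':' or ';' so a password containing the delimiter
    is kept intact. Emails are lower-cased so case variants collapse.
    """
    line = line.strip()
    if not line:
        return None
    m = PAIR_RE.match(line)
    if not m:
        return None
    email, password = m.group(1).strip().lower(), m.group(2)
    if not EMAIL_RE.match(email) or not password:
        return None
    return email, password


def dedupe_combolist(lines):
    """Count raw rows, junk rows, and unique emails / passwords / pairs."""
    emails, passwords, pairs = set(), set(), set()
    junk = 0
    for line in lines:
        parsed = parse_combo_line(line)
        if parsed is None:
            junk += 1
            continue
        email, password = parsed
        emails.add(email)
        passwords.add(password)
        pairs.add(parsed)
    return {
        "rows": len(lines),
        "junk_rows": junk,
        "unique_emails": len(emails),
        "unique_passwords": len(passwords),
        "unique_pairs": len(pairs),
    }


def pwned_passwords_split(password):
    """SHA-1 of the password as (5-hex-char prefix, 35-char suffix).

    This is the k-anonymity split used by HIBP's Pwned Passwords range API:
    only the prefix is sent; the suffix is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for a range API response for prefix 5BAA6: one line
# per suffix, "SUFFIX:COUNT". The counts are made up for the example.
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "3D4A7ECB59F2DE9516D18C0B7F0E2A7C4A1:2\n"
)


def check_against_range(password, range_text):
    """Return the breach count if the password's suffix appears in the range
    response for its prefix, else 0."""
    _prefix, suffix = pwned_passwords_split(password)
    for line in range_text.splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(dedupe_combolist(SAMPLE_LINES))
    print(check_against_range("password", SAMPLE_RANGE))
```

Running this on the ten constructed rows yields four unique emails, three unique passwords and three junk rows; scaling the same logic to 2.7 billion rows is a matter of streaming the file and using disk-backed sets, but the counting rules are the same. Note that a real range lookup sends only the five-character prefix to the API, so the service never learns the full hash.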

The data in the Collection #1 database was aggregated from numerous old breaches

Sanix didn't steal any of the usernames and passwords in the Collection #1 database. Instead, the data had been leaked in a number of different breaches and was simply organized into one massive database. Brian Krebs' investigation couldn't identify the exact sources of the credentials, but he was fairly confident that the compromised information was quite old. In other words, Sanix was trying to shift credentials that were likely stale, though old dumps like this still get used for credential-stuffing attacks because so many people reuse passwords across sites.

Brian Krebs wasn't the only one revealing the hacker's trade practices. According to Recorded Future, Sanix didn't even create the Collection #1 database. Apparently, the person responsible for putting all that data together is known as C0rpz. C0rpz sold it to Sanix, who then tried to resell it. For that, Sanix was banned from the underground forum, and C0rpz decided to share the data for free.

Sanix played a role in quite a few cybercriminal operations

Collection #1 was far from the only database Sanix was trying to sell. SBU agents apparently discovered evidence suggesting that the hacker was a pretty active trader of compromised data. On his computer, they found almost a terabyte of stolen information, including email and PayPal login credentials, cryptocurrency wallets, PIN codes, bank card details, and information that could be used to launch DDoS attacks. Sanix had several sources of income, and perhaps not surprisingly, law enforcement officers also found about $10 thousand in cash in his home.

Hopefully, Sanix will get what he deserves and will stay on the right side of the law in the future. Unfortunately, Ukraine's SBU has caught a relatively small fish who hasn't really done that much damage. The bigger cybercriminals are usually far more careful, and sadly, getting hold of them is a much taller order.

May 20, 2020
