
Cyber Incident Victim: WeLeakInfo

Date: Mar 2021

Location: United States of America

Summary

A hacker leaked sensitive data on approximately 24,000 customers of a defunct illicit data brokerage service that law enforcement had previously shut down, exposing full names, IP and physical addresses, payment details, and transaction records. The attacker claimed to have exploited an unseized domain linked to the service's payment processor, an exposure that could enable blackmail, targeted attacks, or legal repercussions for the affected users. The incident underscores the risk of operational security lapses in domain management after law enforcement actions against cybercrime platforms.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The WeLeakInfo incident originated with the operation of an illicit data brokerage service that sold access to stolen credentials from over 10,000 data breaches, aggregating more than 12 billion records including names, email addresses, usernames, and passwords. The service operated until January 2020, when the FBI shut it down in a coordinated law enforcement action against its infrastructure. On February 21, 2023, a user on a hacker forum advertised a database containing sensitive personal information on approximately 24,000 former WeLeakInfo customers, offering it for sale at a nominal price equivalent to $2 in virtual currency. The attacker claimed to have obtained the data through a Stripe account linked to WeLeakInfo's operators, via a domain the FBI had apparently overlooked during the 2020 seizure. That domain, which expired in March 2021, reportedly still provided access to payment processing records that law enforcement had not secured during the initial takedown.


The leaked customer database contained comprehensive transactional and identifying information from purchases made via Stripe, including full names, partial credit card details, transaction timestamps, payment amounts in multiple currencies, email addresses, IP addresses, user agent strings, physical street addresses, and phone numbers. This exposure created significant risk for the affected individuals: the combination of real identities with evidence of participation in illegal data purchases enabled blackmail, targeted social engineering, and identification by law enforcement agencies. The incident highlighted operational security failures among users of the illicit service who had paid with genuine personal and financial information, and it also demonstrated a broader weakness in domain management practices. Organizations faced renewed scrutiny of domain lifecycle management, particularly the risk that an expired domain retains access to sensitive backend systems or financial accounts. The data's availability on criminal forums represented both a reputational threat to the exposed individuals and a potential resource for hostile actors seeking to compromise high-value targets through historical transaction patterns.

Sources: 1 source (available to members)