Four Ukrainians Who Ran xDedic Arrested and the Site Taken Down
An international multiagency operation resulted in the takedown of xDedic, a darknet store dedicated to the sale and purchase of access to hacked servers from all over the world. The takedown was marked by the arrest of four Ukrainians believed to be the administrators of the online store and the seizure of xDedic’s domain and servers in Belgium and Ukraine.
The xDedic marketplace began its operations in 2014 and accepted users through open registration. Once registered, users gained the right to buy and sell access to hacked servers in the form of Remote Desktop Protocol (RDP) accounts. By 2016, the site had listings of over 70,000 hacked servers, with some selling for as low as $8. The listings continued to increase, and prices decreased as more people became aware of the site. Reports indicate that the listings rose to over 85,000 in 2017, and the lowest price dropped to $6.
Too much exposure to the outside world prompted the administrators of the site to place restrictions on the registration process, limiting it to those with recommendations from registered users. The administrators also concentrated their activities on the dark web as a way of evading law enforcement. Sales on the site were made using bitcoin as a way of increasing anonymity and limiting discovery by law enforcement.
The takedown operation was coordinated by law enforcement in Belgium, Ukraine, and Europol with the assistance of law enforcement agencies in the US and Germany. Before the formation of the joint operation, the agencies involved had all individually made attempts to take down the site, in vain.
In 2016, Belgian authorities, through the Federal Prosecutor’s Office, initiated investigations against the site. The Belgian authorities managed to acquire digital copies of xDedic’s servers after using ‘special investigative techniques’ to view the site’s infrastructure. The digital copies of the servers were used in a criminal investigation against xDedic in 2017 by Belgian authorities with the support of Ukrainian authorities.
In early 2018, Belgium, Ukraine, Europol, and Eurojust signed a joint investigation team agreement. The agreement resulted in Belgian and Ukrainian law enforcement agencies partnering with Europol and Eurojust in investigations against the administrators of the site and sellers who sold access to Belgian hacked computer systems.
As the joint operation continued, US law enforcement agencies led by the Department of Justice’s U.S. Attorney’s Office for the Middle District of Florida were also carrying out investigations against the administrators of xDedic. As the inquiry continued, Belgian and US investigators worked together towards the same goal of uncovering the identity of xDedic’s administrators.
In support of the joint investigation, Eurojust coordinated two meetings between Belgium, the US, Ukraine, and Europol in the course of 2018. The meetings were used in the issuance and execution of European investigation orders and in dealing with difficulties that arose from judicial orders.
One such investigation order led to the analysis of the contents of xDedic’s servers by the Belgian Federal Prosecutor’s Office with support from Europol and Ukraine’s cyber police. The analysis led to the identification of the site’s administrators, all of whom were based in Ukraine. The discovery resulted in searches of nine locations in Ukraine.
Searches on the 24th of January were carried out by agents from Ukraine’s National Police and Prosecutor General’s Office, Belgium’s Federal Computer Crime Unit (FCCU), Europol, the FBI, and the IRS. The searches resulted in the seizure of computer systems and the questioning of three suspects. Domain names for the site and its servers were seized on the same day with the help of the German Bundeskriminalamt.
The investigations led to some discoveries by the investigating agencies. According to a statement by Ukraine’s cyber police, the site was used to sell over 70,000 remote access logins to servers in over 170 countries. It was also disclosed that xDedic sold access to compromised computer networks from all fields of interest to cybercriminals, including, but not limited to, hospitals, universities, local, state, and federal governments, accounting and law firms, and transit authorities for major cities. Authorities believe that the evidence gathered throughout the investigation showed that the site enabled fraud of over $68 million.
After the takedown, investigations on the case continued in Belgium, Ukraine, and the US in a bid to gather more evidence to facilitate the prosecution of the arrested suspects; the continued investigations are expected to lead to more arrests.