This week in Ivano-Frankivsk, the Security Service of Ukraine (SBU) detained a hacker known under the pseudonym Sanix (the real name of the detainee has not been disclosed). According to law enforcement, at the beginning of 2019 The Guardian, Forbes and Newsweek wrote about this person, and the Italian channel Italia 1 aired a story about him, because Sanix had put a huge database up for sale: 773 million email addresses and 21 million unique passwords.
This is the data collection that made headlines in 2019 under the name “Collection #1” (“Collection No. 1”). The 87 GB dump consisted of more than 12,000 separate files containing 2,692,818,238 individual records. Among them were 772,904,991 unique email addresses and 21,222,975 unique passwords.
Although the media rushed to dub this dump “the largest collection of leaks of all time,” its publication could hardly be called an extraordinary event. For the most part, “Collection No. 1” was exactly that: a compilation of old data leaks, with relatively little new information in it.
Troy Hunt, an information security specialist and creator of the Have I Been Pwned (HIBP) breach aggregator, found that only 141 million (about 18%) of the email addresses in this collection had not previously appeared in HIBP as part of other known breaches. About half of the 21 million unique passwords had likewise already been listed as “leaked” for a long time.
It should be recalled that, in addition to “Collection No. 1,” several more parts of the same “collection” were posted online at the beginning of 2019. In total, the collection amounted to about 3.5 billion records, that is, combinations of email address and password, username and password, phone number and password, and so on.
Back in 2019, the well-known information security journalist Brian Krebs wrote that he had managed to identify at least two distributors of the dump: the hackers Sanixer (aka Sanix) and Clorox. In early January 2019, the latter posted part of the collection on Raid Forums. At the same time, Krebs and experts at Recorded Future noted that it was unlikely that either of these hackers had anything to do with the original breaches that made up the gigantic collection.
In fact, Sanix was simply a data broker: he collected information that had “leaked” from various sources and aggregated it into huge consolidated lists of usernames and passwords. He then distributed these collections to other attackers, including spammers, password crackers, botnet operators, and so on.
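To make the numbers above concrete, here is an added example (not code from the article, from Sanix or from HIBP) of what a broker's “consolidated list” looks like from the receiving end and how the statistics quoted for “Collection No. 1” arise: the script parses a small constructed combolist mixing email:password, username:password and phone:password rows, collapses duplicates and case variants to get counts of rows, unique identifiers and unique passwords, and then checks each password against a constructed stand-in for HIBP's Pwned Passwords range response using the same k-anonymity scheme (only the first five hex characters of the SHA-1 are looked up, the suffix is matched locally). The sample lines, the `KNOWN_SUFFIXES` table and its counts are all made up for the demonstration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample "combolist" lines in the formats such collections mix:
# email:password, username:password, phone:password.  Duplicate rows, a
# case variant and an unparseable line are included deliberately.
SAMPLE_COMBOLIST = """\
alice@example.com:Summer2018!
Alice@Example.com:Summer2018!
bob@example.com:hunter2
bob@example.com:hunter2
carol_77:qwerty123
+380501234567:hunter2
dave@example.com:hunter2
this line has no separator
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_combolist(text):
    """Return a list of (identifier_type, identifier, password) tuples.

    Emails are lower-cased so that case variants collapse into one record;
    passwords are left untouched because they are case-sensitive.  Lines
    without a ':' separator are skipped rather than guessed at.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        ident, password = line.split(":", 1)
        ident = ident.strip()
        if EMAIL_RE.match(ident):
            records.append(("email", ident.lower(), password))
        elif PHONE_RE.match(ident):
            records.append(("phone", ident, password))
        else:
            records.append(("username", ident, password))
    return records


def summarize(records):
    """Row count versus unique identifiers and unique passwords.

    This gap between raw rows and unique values is why a multi-billion-row
    collection can contain far fewer unique email addresses.
    """
    return {
        "rows": len(records),
        "unique_pairs": len(set(records)),
        "unique_identifiers": len({(t, i) for t, i, _ in records}),
        "unique_passwords": len({p for _, _, p in records}),
        "by_type": dict(Counter(t for t, _, _ in records)),
    }


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a Pwned Passwords range response: for each 5-char
# SHA-1 prefix, the suffixes "already seen" and a made-up seen-count.
# Real lookups would fetch this per prefix from the HIBP API instead.
KNOWN_SUFFIXES = {}
for _pw, _count in (("hunter2", 17), ("qwerty123", 3)):
    _digest = sha1_hex(_pw)
    KNOWN_SUFFIXES.setdefault(_digest[:5], {})[_digest[5:]] = _count


def already_leaked(password, known=KNOWN_SUFFIXES):
    """k-anonymity style check: look up the 5-char prefix, match the suffix
    locally.  Returns the seen-count, or 0 if the password is not known."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return known.get(prefix, {}).get(suffix, 0)


def new_passwords(records, known=KNOWN_SUFFIXES):
    """Unique passwords in the collection that the known set has never seen."""
    return sorted({p for _, _, p in records if not already_leaked(p, known)})


if __name__ == "__main__":
    recs = parse_combolist(SAMPLE_COMBOLIST)
    print(summarize(recs))
    print("not previously seen:", new_passwords(recs))
```

On the sample input, seven parseable rows reduce to five unique identifiers and three unique passwords, and only one of those passwords is absent from the constructed “known” set; the same arithmetic, at scale, is what produced Hunt's 18% and roughly one-half figures.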
As noted above, these “collections” had circulated privately among attackers for several years. According to IntSights, some of them spilled onto the open Internet when a conflict broke out between several data brokers, one of whom was Azatej, the man behind the Infinity Black website that sold stolen credentials.
Azatej was among the first to dump “Collection No. 1” into the public domain, which drew media attention and generated a wave of sensational headlines, even though the dumps were in fact an ordinary mixture of old stolen data. It is worth noting that Azatej was arrested in Poland earlier this month as part of a Europol operation aimed at shutting down Infinity Black.
But back to the arrest of Sanix. The SBU press release said that during a search of the detainee's computer, investigators found “at least seven [databases], the total volume of which reached almost a terabyte.” These collections contained personal and financial data of residents of the EU and North America.
Also found were databases of usernames and passwords for email accounts, PIN codes for bank cards, and credentials for cryptocurrency wallets, PayPal accounts and botnets used for DDoS attacks. In total, about 2 TB of data, 3,000 US dollars and 190,000 Ukrainian hryvnias were seized from Sanix during the search.