Justice Department shuts down massive cybercrime ring

US attorneys charge 36 people who allegedly maintained one of the largest online criminal organizations ever.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

The takedown on Infraud was called "Operation Shadow Web."

Department of Justice

The US Justice Department said it's taken down a cybercrime behemoth, which had sold millions of people's stolen information before it closed.

The agency announced on Wednesday that it's charged 36 individuals who allegedly ran Infraud, a massive forum with more than 10,900 members globally. The group would obtain and sell stolen data, including credit card numbers, personal information like banking and financial data, and malware and stolen identities.

The Justice Department estimates that Infraud was responsible for more than $530 million in actual losses since it went online in October 2007. Scammers on the forum came from countries including Ukraine, Pakistan, France, the UK, Serbia and Russia.  

Enlarge Image

This chart of the 36 Infraud members who allegedly ran the massive cybercrime network gives you a sense of its size. For a clearer list of suspect names, click on the indictment (PDF) in the story. 

Department of Justice

Among the 36 people charged, five are from the US and have been arrested, Deputy Assistant Attorney General David Rybicki said. Eight from other countries have been arrested and are awaiting extradition, while 18 other charged suspects are not in custody. The remaining five suspects are still at large, Cronan said.

Stolen data is often traded online, with cybercriminals willing to pay top dollar for credit card numbers or tax information they can use for scams. Data breaches happen often, with companies like Equifax, Chipotle and Whole Foods getting hit in 2017. The stolen data usually ends up being sold on the dark web. Prosecutors said that Infraud was one of the largest markets for stolen data that they had seen.

"It's really a standout in terms of the amount of damage that it caused," Rybicki said. He said the group had sold up to 4 million stolen credit card numbers before it was shut down.

The Justice Department declined to comment on whether information from Equifax's breach was sold on Infraud. The criminal group had stolen from so many different sources that it's difficult to pinpoint data from any known breaches, Rybicki said.

In the indictment (PDF), prosecutors said members on the forum were selling stolen PayPal accounts from 2011 to 2014, with up to 1,300 victims. Up to 795,000 HSBC Bank accounts were also sold on Infraud.

A PayPal spokesman said the company is pleased "with the disruption of this scheme," but remains "steadfast" in its efforts to protect customers. "PayPal works closely with law enforcement, including in this matter, and responds quickly to lawful requests to support agencies in their investigations," he said.

Dayle Elieson, the US attorney for the district of Nevada, where the indictment was filed, estimated there were 9,000 potential victims in the state alone.

The five arrested American citizens were in court on Tuesday and face more than 30 years in prison if convicted.

"Today's indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice," Assistant Attorney General John Cronan said. 

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Special Reports: CNET's in-depth features in one place.