Two 22-year-old men were arrested in the Netherlands and Northern Ireland for allegedly operating a website that claimed to offer access to a database of some 12 billion hacked user records, including usernames and passwords.
The US federal government confiscated the website’s domain, WeLeakInfo.com, and the US Justice Department put out a call for more information on the site and its operators.
But it offered the data from those breaches to any paying customer, effectively making it a hacking tool in itself, authorities said.
WeLeakInfo offered unlimited access to its database for as little as $2 (£1.50) per day and even claimed to offer an application interface for performing bulk checks for breaches of company accounts.
The data included names, email addresses, usernames, phone numbers and passwords for online accounts, the Justice Department said.
Police arrested a man in Arnheim, the Netherlands, and another in Northern Ireland, police said. Two addresses in Arnheim were searched.
“The suspect is involved in possessing and offering stolen usernames and passwords and has a facilitating role when it comes to cybercrime,” Dutch police said, according to a local report.
They said they could not provide more specific details as the investigation is ongoing.
The investigation was carried out jointly by Dutch police, the UK’s National Crime Agency, the FBI, and Germany’s Bundeskriminalamt.
US authorities previously took down a similar site called LeakedSource in 2017.
After confiscating WeLeakInfo.com, the US Department of Justice initially posted a takedown notice, leading some observers to believe the site had been hacked.
“It looks like they got hacked, and someone threw up an FBI seizure page,” one user wrote on Twitter last Thursday, adding the notice “doesn’t look legit”.
The DOJ issued its statement on the seizure later that day.