Investigation of xDedic cybercrime site reaches ‘culmination,’ US says


The U.S. Department of Justice said that it has charged nearly 20 individuals for their involvement in the xDedic cybercrime marketplace operation, with more than a dozen already sentenced to prison.

The department announced on Thursday that it had reached the “culmination of a transnational cybercrime investigation” against the darknet site. Since its takedown in 2019, international law enforcement officers have arrested administrators, sellers and buyers in the U.S., Moldova, Ukraine, the U.K. and Georgia.

The Ukrainian-language cybercrime forum was founded in 2014. It illicitly sold login credentials to servers located worldwide, along with personally identifiable information, including dates of birth and Social Security numbers of U.S. residents.

Once purchased, criminals used those servers for a wide range of illegal activities, including tax fraud and ransomware attacks, according to the Justice Department.

To conceal their locations and identities, the xDedic administrators operated the website across a widely distributed international network and used cryptocurrency for payment.

In total, the marketplace offered more than 700,000 compromised servers for sale, including at least 150,000 in the U.S.

Victims included government agencies, hospitals, emergency services, call centers, accounting and law firms, pension funds and universities.

The major players

In the years that followed the takedown of xDedic, the U.S. investigated, charged and convicted individuals involved in every level of the website’s operation. To date, 14 people have been sentenced, and five cases are still pending, including those of Bamidele Omotosho from Nigeria; Olayemi Adafin, Olakunle Oyebanjo and Akinola Taylor from the U.K.; and Oluwarotimi Ogunlana from the U.S.

Some of the prominent cases include:

Administrators. Alexandru Habasescu, who resided in Moldova, was the lead developer and technical mastermind for the marketplace. He was taken into custody in Spain in 2022 and extradited to the U.S.

Pavlo Kharmanskyi, who lived in Ukraine, advertised the website, paid administrators, and provided customer support to buyers. He was arrested at the Miami International Airport in 2019 as he attempted to enter the U.S.

They were sentenced to 41 and 30 months in prison, respectively.

Sellers. Dariy Pankov, a Russian national, was one of the highest-volume sellers on the marketplace, listing for sale the credentials of more than 35,000 compromised servers located all over the world and obtaining more than $350,000 in illicit proceeds, according to the DOJ.

He developed a powerful malicious software program, NLBrute, that was capable of compromising protected computers by decrypting login credentials. Pankov was taken into custody in Georgia in 2022 and extradited to the U.S. He was sentenced to 60 months in federal prison.

Buyers. Allen Levinson, a Nigerian national, was particularly interested in purchasing access to U.S.-based certified public accounting (CPA) firms. He used the information he obtained from those servers to file hundreds of false tax returns with the U.S. government, requesting more than $60 million in fraudulent tax refunds.

Levinson was taken into custody in the U.K. in 2020 and extradited to the U.S. He was subsequently sentenced to 78 months in federal prison.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

