The evidence that cybercrime has gone global was doubly reinforced this week with news of two independent takedowns of criminals behind the 16shop and Lolek Hosting operations, both used as sources of automated tools for various malware attacks.

With increasing levels of criminality, takedowns have become more popular, such as the one that removed the Hive ransomware group from operations earlier this year.

The 16shop takedown happened on Tuesday and arrested three individuals: two in Indonesia and one in Japan. One of the trio was a 21-year-old who was arrested last year. The group sold hacking tools to more than 70,000 users across more than 40 countries since November 2017. These tools included phishing kits and crafting specialty domains used by phishers.

Singaporean security consultants Group-IB was involved in locating the criminals and wrote this report about their operations Tuesday. Various national police agencies worked with security researchers, and were assisted with staff from Palo Alto Networks Inc.’s Unit 42 group and Trend Micro Inc., according to Interpol’s release. The 16shop’s servers were based in the U.S.

“In recent years, we have seen an unprecedented increase in both the number of cyber threats and their sophistication, with attacks becoming more tailored as criminals aim for maximum impact, and maximum profit,” said Interpol Assistant Director Bernado Pillot.

The kits were sold ranging from $60 for Amazon-based attacks to $150 for American Express-based attacks. They were used to set up fake web pages in eight different languages that appear to be from these e-commerce merchants. Given these price points, it doesn’t take much skill or money to assemble a complete phishing attack site.

This case illustrates just how global the criminals have become and the resulting multinational efforts to bring them to justice. Both cases also involved private-public cooperation in identifying who were behind these gangs and where their servers were located, since they can’t be neutralized them unless they can be found. “This is a great example of cross-border collaboration and swift threat intelligence sharing – the only way forward to reduce the global impact of cybercrime,” said Group-IB Chief Executive Dmitry Volkov.

The second takedown also happened this week, coordinated by the IRS, the FBI and two Polish authorities against a so-called bulletproof hosting provider Lolek.

The term is used to describe various dodgy services, such as setting up accounts for anonymous customers to distribute malware, recruit botnet nodes and in general produce cybercrime activities. They are extremely difficult to locate, and then to prosecute, because they typically spread their operations around the world. This requires a larger-scale coordinated effort, such as what happened this week, among various law enforcement entities.

This provider was widely used to distribute a variety of hacking tools and host phishing sites. Its home page was changed to show that it is now out of business, thanks to the police. The Polish agencies contributing to the effort were a regional prosecutor in Katowice and the Krakow Central Bureau for Combating Cybercrime.

The news was first reported by The Record Wednesday. Lolek is based in the U.K., but its servers are in Europe and presumably in Poland. It has been in operation since 2009. On Friday, the Department of Justice released details about the indictment against Artur Grabowski, a Polish national, who was charged with various fraud counts as the owner of the company. The case is being prosecuted in Tampa. If he is convicted on all counts, he faxed a maximum time behind bars of 45 years, and a potential forfeit of $21.5 million.

The case is similar to another takedown that happened in June and others that were prosecuted earlier, focusing on bulletproof operators. One of the more infamous cases was the takedown of CyberBunker in 2019. It served as one of the providers for The Pirate Bay and had its servers in two former NATO bunkers, hence its name.

Many of these criminals received multiple-year sentences by various U.S.-based courts, an indication of the seriousness – and longevity – of their efforts. Some of these providers have operated for a decade or more, which also illustrates how hard it is to take them down.

Image: Pixabay