The Ukrainian Secret Service (SSU) announced today the arrest of a hacker known as Sanix, responsible for selling billions of hacked credentials on hacking forums and Telegram channels.
The SSU says it arrested Sanix in Ivano-Frankivsk, a city in western Ukraine. Authorities did not release the hacker’s name.
Sanix has a long history on underground hacking forums, where he was first spotted operating as far back as 2018.
The individual was what security experts would call a data broker. He collected data leaked from hacked companies and assembled the information in large lists of usernames and passwords.
Sanix would then resell the data to other threat actors on the cybercrime underground, such as spam groups, password crackers, account hijackers, and operators of brute-force botnets.
Sanix, who also operated under the nickname of Sanixer on Telegram, is the person responsible for initially assembling a series of user and password combos known as Collection #1, #2, #3, #4, #5, Antipublic, and others. These collections amounted to terabytes of data and billions of unique username-password combinations.
These collections had been sold in private for years. However, according to threat intelligence firm IntSights, some of these collections leaked online following a dispute with another data broker — Azatej, the person behind Infinity Black, a web portal for selling stolen accounts.
At the time, in January 2019, despite being just a mix of old hacked data, the Azatej/Sanix leaks garnered an absurd amount of media attention, and introduced the world to the concept of “combolists” — large collections of old data , now turned into a hacker’s commodity. Today, Collection #1 even has its own Wikipedia page.
Azatej, who first leaked Collection #1, and then the other collections, was arrested earlier this month in Poland as part of a Europol operation against the Infinity Black web service.
In a press release today, the SSU says it found copies of Collection #1 on Sanix’s computer, along with “at least seven similar databases of stolen and broken passwords.”
Besides the collections of usernames and passwords, Ukrainian officials said Sanix’s computer also stored information about PIN codes for bank cards, cryptocurrency wallets, PayPal account logins, and DDoS botnets.
SSU officers said they seized 2 TB of data, $3,000, and 190,000 Ukrainian hryvnias (~$7,000) from Sanix’s residence following a house search. Below is a video of Sanix’s arrest released today by Ukrainian authorities.