Security Experts:

Connect with us

Hi, what are you looking for?



Authorities Seize Online Marketplace for Stolen Credentials

Law enforcement authorities have seized the domains of an online marketplace for stolen login credentials and other personally identifying information (PII).

Law enforcement authorities have seized the domains of an online marketplace for stolen login credentials and other personally identifying information (PII).

On Tuesday, Portuguese authorities seized a website selling over 5.85 million records of PII, while law enforcement agencies in the US seized four domains associated with the online shop, namely ‘’, ‘’,’, and ‘’.

A federal complaint unsealed on Tuesday charges Nicolai Colesnicov, 36, of the Republic of Moldova, with operating wt1shop to facilitate the selling of stolen credentials and PII.

On the online market, vendors were offering roughly 25,000 scanned driver’s licenses/passports, 1.7 million stolen login credentials for online retailers, the details of 108,000 bank accounts, and roughly 21,800 credit cards.

According to the affidavit accompanying the federal complaint, visitors of the illegal marketplace could purchase the stolen data using Bitcoin. The online market also had a forum that users could access.

An image of the wt1shop database obtained in June 2020 by Dutch law enforcement officials showed that the marketplace had roughly 60,823 registered users, 91 of which were sellers and two were administrators.

The affidavit alleges that, as of June 2020, roughly 2.4 million credentials had been sold on wt1shop, for total proceeds of $4 million.

The sold credentials were for online retailers, financial institutions, PayPal accounts, and email accounts. Other credentials were for remote access to computers, servers, and other devices.

In December 2021, the website had over 106,000 users and 94 sellers and offered a total of roughly 5.85 million credentials for sale.

Authorities have traced to Colesnicov Bitcoin sales made on the illegal marketplace, payments made to wt1shop’s webhost, email addresses related to the shop, and associated login information, and have determined that Colesnicov was the operator of wt1shop.

Colesnicov has been charged with conspiracy and trafficking in unauthorized access devices and faces up to 10 years in federal prison.

Related: Russian Operator of Cybercrime Marketplace Indicted in US

Related: Moderator of AlphaBay Dark Web Marketplace Gets 11 Years in Prison

Related: German Police Take Down ‘World’s Largest Darknet Marketplace’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...