Leakbase Shutdown Might be Connected to Hansa Bust
The Dutch National Policeâs infiltration and takedown of the Hansa marketplace may be linked to the recent shutdown of Leakbase, a shop that sold usernames and passwords from hundreds of data breaches. Leakebase, in early December, unexpectedly redirected visitors to haveibeenpwned.com.
Leakbase users reported connectivity issues several times this year. Hackers, at one point, even leaked the usernames and passwords of Leakbase members. However, according to Krebs, the siteâs users reported that they had difficulties contacting the siteâs support staff roughly two weeks ago. Given various issues in the past, this customer support issue may have been overlooked as another one of the siteâs issues.
During the first weekend in December, anyone who attempted to access the site found themselves at Troy Huntâs haveibeenpwned.com, a legitimate breach reporting service. (Nearly everyone in the infosec sector doubted the legitimacy of Leakbase as a resource for researchers. Although the service simply indexed and sold billions of passwords from databases already available for free, the siteâs owners undoubtedly knew they had created a market designed for criminal activity.)
Only few people know why the site shut down. The Twitter account run by the owners of password marketplace wrote, in a recent Tweet, âthis project has been discontinued, thank you for your support over the past year and a half.â Several reporters wrote stories covering the siteâs mysterious shutdown, but only Krebs had insider information on what could have really happened.
According to the security researcherâs source who asked to remain anonymous, the site changed hands in April and the new owners not only sold access to accounts and passwords, but also dealt drugs on the former Hansa darknet marketplace. Dutch police shut Hansa down in July, but had controlled the site for roughly one month before replacing the marketâs homepage with a seizure banner. They kept the site running to collect data on some of the siteâs many users.
The anonymous source explained that the new Leakbase owners also happened to âdabbledâ in narcotic distribution as a vendor on Hansa. And that the recent Leakbase takedown had ties to âOperation Bayonet,â the globally coordinated action taken against Hansa and Alphabay markets. This accusation led to a response from the Leakbase Twitter account admins who wrote that â…none of the LeakBase operators have any connections to Hansa.â The account owner added, âthe fact that this can be portrayed as near fact is astonishing as it is only a claim.â
Site owners (or the Dutch National Police) also Tweeted:
We understand many of you may have lost some time, so in an effort to offer compensation please email, firstname.lastname@example.org
Send your LeakBase username and how much time you had left. We will have a high influx of emails so be patient, this could take a while.
Although the Hansa connection is only a claim from an anonymous source, Krebs is infrequently incorrect.