
Admin behind E-Root stolen creds souk extradited to US

There was a young man from Moldova, who the Feds just want to roll over, but with 20 inside, and nowhere to hide, he just wants it all to be over
A Moldovan who allegedly ran the compromised-credential marketplace E-Root has been extradited from the UK to America to stand trial.

Sandu Diaconu, 31, along with another individual whose name has been redacted from court documents, allegedly operated the illicit souk selling access to compromised servers worldwide between 2015 and 2020.

"The Marketplace existed primarily as a place for individuals to buy and sell RDP and SSH access (login credentials) to compromised servers, which was used to facilitate a wide range of illegal activity, such as ransomware attacks, fraudulent wire transfers, and tax fraud," the indictment says [PDF].

On E-Root, other criminals could search the listed credentials by access type, including Remote Desktop Protocol (RDP) and Secure Shell (SSH), as well as by price, geographic location, internet service provider, open ports, and operating system.

During the course of the investigation, the Feds uncovered more than 350,000 compromised credentials listed for sale on E-Root, according to the US Justice Department. The victims included individuals and companies in the US and worldwide, among them at least one local government agency in Tampa, Florida, as well as a local church and a doctor.

Criminals used the online payment system Perfect Money to make purchases on the credential-selling marketplace. In addition to developing and operating E-Root, Diaconu, whose admin moniker was "WinD3str0y," also allegedly ran a sister website where buyers could convert Bitcoin into Perfect Money to try to hide their identities.

The duo offered customer support and apparently maintained detailed records including buyers' usernames, registration dates, email addresses, purchases, Perfect Money balances, last login dates, and IP addresses, the court documents say.

A joint US-UK effort took down E-Root in late 2020, and British law enforcement arrested Diaconu in May 2021 when he attempted to leave the country. In September 2023, Westminster Magistrates' Court ordered Diaconu to be extradited to America to face charges, after he consented to travel to the US and face the Feds.

Diaconu and the second, unnamed E-Root admin have been charged with conspiracy to commit access device and computer fraud, wire fraud conspiracy, money laundering conspiracy, access device fraud, and computer fraud. Diaconu faces a maximum of 20 years behind bars.

Diaconu made his initial appearance before a US judge on October 16, and remains in custody. He has not registered a plea to the charges yet.

The E-Root admin's arrest comes as law enforcement worldwide cracks down on online crime in general and ransomware operations in particular.

Also this week, Europol, the FBI and other international agencies took down RagnarLocker ransomware group's leaksite. Not a massive deal, but very handy for victims looking to avoid publicity.

In August, a similar international effort dismantled Qakbot, aka QBot, a notorious botnet responsible for losses totaling hundreds of millions of dollars worldwide. And earlier this year, an FBI-led sting shut down Hive's ransomware network, seizing control of the notorious gang's servers and websites, and handing out decryption keys to more than 300 victims. ®
