The home of the suspected forum admin has been raided

Mar 5, 2009 09:00 GMT

Agents from the Internet Crime Unit of the German Landeskriminalamt Baden-Württemberg (LKA) have put an end to an underground hacking market operation. A forum that was used by cyber-criminals to exchange information-stealing tools and tips on cloning credit cards has been shut down.

In a press release (PDF – German), the LKA announces that the forum hosted at www.codesoft.cc was used by hackers for a wide range of Internet crimes, including the development of spyware, the exchange of information facilitating identity theft, and even the selling of stolen financial data.

With the help of local authorities, the LKA investigators have searched the apartment of a 22-year-old Swiss national from the Canton of Lucerne, who is suspected of having run the message board under the nickname "tr1p0d." He is also the alleged developer of the Codesoft PW Stealer 0.5 application, which was advertised and sold through the website.

During the raid, the announcement says, two computers with a storage capacity of several terabytes were confiscated. Amongst other illegal data, they contained backups of the forum's user database, complete with login IP addresses.

The starting point of the whole investigation was an incident in which data stolen with the PW Stealer application was found hosted on the servers of a German ISP. The analysis of the server's access logs led to two suspects, aged 25 and 28, from Ortenaukreis and Lower Saxony, respectively. They are also suspected of having infected around 80,000 computers worldwide with the password-stealing application since September 2008.

The data stored on the "dropzone" server contained the usernames and passwords of each infected PC, as well as details of Internet banking accounts, auction websites, and online payment services. This information was being sold for significant sums of money on the codesoft.cc forum, the investigators say. The full extent of the damage has not yet been determined; the evidence is still being analyzed and could lead to the arrest of more suspects.

We previously reported on an FBI sting operation that led to international arrests of hackers frequenting a similar message board called DarkMarket. The carding forum had been under the control of undercover agents for over a year, a period during which evidence was gathered, until it was eventually shut down. Regarding the developments in Germany, Graham Cluley, senior technology consultant for antivirus company Sophos, has commented that "Whether this investigation will act as a wake-up call to other Internet forums that are playing with fire remains to be seen."