Pierluigi Paganini December 13, 2024

The U.S. Department of Justice (DoJ) announced the seizure of the cybercrime marketplace Rydox (“rydox.ru” and “rydox[.]cc”).

The U.S. Department of Justice (DoJ) seized Rydox, a cybercrime marketplace for selling stolen personal data and fraud tools.

Kosovars authorities arrested three Kosovo nationals and administrators of the service, Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli. Kosovo nationals Ardit and Jetmir Kutleshi, Rydox administrators, were arrested in Kosovo and await extradition to the U.S. The third administrator, Sokoli, was arrested in Albania by SPAK and is set to face charges and prosecution in Albania.

The Rydox marketplace has been active since February 2016, it facilitated over 7,600 sales of stolen PII, access devices, and cybercrime tools, generating $230,000 since 2016. It offered over 321,000 products to 18,000 users, including names, social security numbers, and hacking tools. Thousands of U.S. victims were affected.

“The Rydox marketplace was a one-stop shop where upwards of 18,000 of its cybercriminal customers could choose from more than 300,000 cybercrime tools,” said U.S. Attorney Eric G. Olshan for the Western District of Pennsylvania. “While cybercrime often involves conduct occurring overseas and the actions of foreign nationals, its harms can be devastatingly local, with residents in our own communities suffering financial ruin as a result of the theft and misuse of their sensitive personal information. Today’s takedown reinforces our steadfast message that the Western District of Pennsylvania and our domestic and international law enforcement partners will use every available tool to hold accountable those who pursue illicit profit at the expense of ordinary citizens around the world.”

The U.S. authorities seized the Rydox domain, a coordinated operation by the FBI and Royal Malaysian Police seized servers in Kuala Lumpur, Malaysia, that hosted the illicit marketplace. 

The US authorities also seized $225,000 in cryptocurrency.

Ardit Kutleshi and Jetmir Kutleshi face multiple charges, including identity theft, conspiracy to commit identity theft, aggravated identity theft, access device fraud, and money laundering.

If convicted, each could face a maximum of 20 years in prison for money laundering, 10 years for access device fraud, and 5 years for each identity theft charge. Additionally, there is a mandatory minimum sentence of 2 years for aggravated identity theft, which must be served consecutively to other sentences.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)