A 21-year-old Sydney man has been arrested and charged following a joint international cybercrime investigation by the Australian Federal Police (AFP) and Federal Bureau of Investigation (FBI) involving online subscription service credentials stolen from Australian customers, and others around the world.
The investigation began after the FBI referred information to the AFP in May 2018 about an account generator website called WickedGen.com.
WickedGen operated for approximately two years selling stolen account details for online subscription services, including Netflix, Spotify and Hulu. The account details were obtained through credential stuffing, which sees a list of previously stolen or leaked usernames, email addresses and corresponding passwords re-used and sold for unauthorised access. The accounts details were from unknowing victims in Australia and internationally, including the United States.
Yesterday (12 March 2019), the AFP executed a search warrant at Dee Why, on Sydney's northern beaches. Electronic materials and various amounts of cryptocurrencies were seized at the premises.
Prior to WickedGen's closure, the website advertised it had over 120,000 users and almost one million sets of account details. Police will allege the administrator of WickedGen made an estimated AUD $300,000 selling the stolen account subscriptions through this website, and other similar sites identified through the course of investigations.
AFP Manager Cyber Crime, Acting Commander Chris Goldsmid, said international relationships were integral to the resolution of this investigation.
"This arrest is another example of the value and importance of our relationship with the FBI. These partnerships – both internationally and domestically – are critical in law enforcement being able to respond to rapidly-evolving and increasingly global crime types."
"Individuals in Australia have had their personal data stolen for the sake of individual greed. These types of offences can often be a precursor to more insidious forms of data theft and manipulation, which can have greater consequences for the victims involved."
"We are working closely with the affected companies and thank them for their cooperation with investigations to date."
The 21-year-old man is scheduled to appear before Sydney Central Local Court today (Wednesday, 13 March). He was charged with offences relating to the alleged use of false identities and cybercrime:
- Unauthorised access to, or modification of, restricted data, contrary to section 478.1 of the Criminal Code 1995 (Cth), which carries a maximum penalty of two years imprisonment;
- Providing a circumvention service for a technological protection measure, contrary to section 132APE of the Copyright Act 1968 (Cth), which has a maximum penalty of five years imprisonment;
- Dealing in proceeds of crime etc. – money or property worth $100,000 or more, contrary to section 400.4 of the Criminal Code 1995 (Cth), which carries a maximum penalty of 20 years imprisonment;
- False or misleading information, contrary to section 136 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), which carries a maximum penalty of 10 years imprisonment; and
- Dealing in identification information, contrary to section 372.1 of the Criminal Code 1995 (Cth), which carries a maximum penalty of five years imprisonment.