The notorious phishing-as-a-service platform, “16Shop,” which has been in operation since 2017, has been shut down by INTERPOL. The platform, known for its user-friendly interface that allowed even novices to conduct sophisticated phishing scams, was a major player in the world of cybercrime.
According to INTERPOL, the 21-year-old mastermind behind 16Shop was arrested in Indonesia, along with an alleged accomplice. A third suspect was apprehended in Japan. The platform, which sold hacking tools, is believed to have compromised over 70,000 users across 43 countries. However, considering the platform’s longevity and its large customer base, this figure is likely a conservative estimate.
16Shop was more than just a marketplace for hacking tools. It was a fully automated phishing platform that provided its customers with brand-specific phishing kits and the necessary domain names to host phishing pages and collect stolen credentials. The platform used an application programming interface (API) to manage its users, a feature that enabled the operators to cut off access to customers who failed to pay their monthly fee or attempted to copy or pirate the phishing kit.
The platform was also known for its localization capabilities. It could display phishing content relevant to a victim’s geolocation, and it had the ability to collect a wide range of personal information, including ID numbers, passport numbers, social insurance numbers, and credit limits. To avoid detection, 16Shop employed various tactics, such as maintaining a local “blacklist” of IP addresses associated with security companies and enabling users to block entire IP ranges from accessing phishing pages.
The identities of the suspects arrested in connection with the 16Shop investigation have not been disclosed by INTERPOL. However, several security firms have linked the service to a young Indonesian man named Riswanda Noor Saputra, who operated under the hacker alias “Devilscream” (yes, hacker handles continue to get dumber over time).
Saputra admitted to being the administrator of 16Shop but claimed to have handed over the project to others in early 2020. Despite this, Saputra was arrested by Indonesian police in late 2021 as part of a joint operation between INTERPOL and the U.S. Federal Bureau of Investigation (FBI). Researchers who have been tracking 16Shop since its inception believe that Saputra was not the original proprietor of the phishing platform and that others may continue his work. In a twist of fate, one of the recent administrators of 16Shop appears to have accidentally infected their own machine with the Redline information-stealing trojan.
This was discovered by Constella Intelligence, a data breach and threat actor research platform. The infected administrator, who used the nicknames “Rudi” and “Rizki/Rizky,” is believed to be Rizky Mauluna Sidik from Bandung in West Java, Indonesia. Sidik, who did not respond to requests for comment, is listed as the CEO and founder of BandungXploiter, a group primarily focused on hacking and defacing websites, according to one of his Facebook profiles.
Editorial note: it is entirely possible that, as a species, we are getting dumber and dumber. Think about this for a second – this guy publicly listed himself as the CEO of a company that… does crimes.