Australian man sentenced for running stolen subscription service credentials
An investigation into stolen subscription service credentials by the Australian Federal Police (AFP) has resulted in a two years and two months’ sentence for a man from Sydney.
The 23-year-old was handed the sentence, to be served by way of an intensive corrections order, for his involvement as the creator, administrator, and primary financial beneficiary of a number of online subscription services which relied on stolen credentials.
He has also been ordered by the court to serve 200 hours of community service.
The sentencing follows the execution of a search warrant in March at a Dee Why residence, which resulted in the seizure of a laptop that was used to run the operation and around AU$35,000 in cryptocurrency.
The combined assets of the restrained property has a current value of approximately AU$1.65 million.
The investigation began after the Federal Bureau of Investigation (FBI) referred information to the AFP in May 2018.
The information, AFP said, was regarding an account generator website called WickedGen. WickedGen operated for approximately two years selling stolen account details for online subscription services, including Netflix, Spotify, and Hulu.
The AFP said it further identified the Sydney man to be the creator, administrator, and primary financial beneficiary of a further three “account generator” websites: HyperGen, Autoflix, and AccountBot.
The account details of users in Australia and abroad were confirmed through credential stuffing — which allows a list of previously stolen or leaked usernames, email addresses, and corresponding passwords to be re-used — and sold for unauthorised access.
According to the AFP, across the four subscription services, the offender had at least 152,863 registered users and provided at least 85,925 subscriptions to illegally access legitimate streaming services.
The man received at least AU$680,000 through PayPal, the AFP said, by selling subscriptions through these sites.
“The harvesting and selling of personal details online was not a ‘victimless crime’ — these were the personal details of everyday people being used for someone’s greed,” AFP cybercrime operations commander Chris Goldsmid said.
“These types of offences can often be a precursor to more insidious forms of data theft and manipulation, which can have greater consequences for the victims involved.”
The operation was undertaken by the AFP-led Criminal Assets Confiscation Taskforce (CACT).
The CACT was formed in 2011 as part of a multi-agency crackdown on criminal assets, and comprises of the AFP, Australian Criminal Intelligence Commission, Australian Taxation Office, Australian Transaction Reports and Analysis Centre, and Australian Border Force.
The man was charged with “unauthorised access to (or modification of) restricted data, dealing in proceeds of crime etc.” — money or property worth $100,000 or more, providing a circumvention service for a technological protection measure, and dealing in identification information and false or misleading information.