The Justice Department today announced the seizure of Rydox, an illicit website and marketplace dedicated to selling stolen personal information, access devices, and other tools for carrying out cybercrime and fraud, and the arrest of Rydox administrators and Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28. Both defendants were arrested earlier today in Kosovo by Kosovo law enforcement pursuant to a U.S. request for extradition. They are currently awaiting extradition to the United States to face an indictment unsealed today in the Western District of Pennsylvania.
A third administrator of the Rydox marketplace, Kosovo national Shpend Sokoli, was also arrested earlier today in Albania by Albania’s Special Anti-Corruption Body (SPAK). Sokoli is expected to be charged and prosecuted in Albania.
According to the indictment, the Rydox marketplace has conducted over 7,600 sales of personally identifiable information (PII), stolen access devices, and cybercrime tools, which generated at least $230,000 in revenue since its inception in or around February 2016. These sales included PII, credit card information, and login credentials stolen from thousands of victims residing in the United States. In addition, the Rydox site has offered for sale at least 321,372 cybercrime products to over 18,000 users, including stolen PII such as names, addresses, and Social Security numbers; access devices such as stolen credentials for online accounts and credit card information; and cybercrime tools such as scam pages, spamming logs, and spamming tutorials.
“The indictment alleges that, for more than eight years, the defendants administered an illicit online marketplace that sold PII, credit card information, and login credentials that had been stolen from thousands of U.S. victims,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “Today, we announce that, working with our domestic and foreign law enforcement partners, we have dismantled the marketplace, arrested its administrators, and seized their criminal proceeds. This announcement is a powerful demonstration of the value of our partnerships on cybercrime, without which these arrests and seizures would not have been possible.”
“The Rydox marketplace was a one-stop shop where upwards of 18,000 of its cybercriminal customers could choose from more than 300,000 cybercrime tools,” said U.S. Attorney Eric G. Olshan for the Western District of Pennsylvania. “While cybercrime often involves conduct occurring overseas and the actions of foreign nationals, its harms can be devastatingly local, with residents in our own communities suffering financial ruin as a result of the theft and misuse of their sensitive personal information. Today’s takedown reinforces our steadfast message that the Western District of Pennsylvania and our domestic and international law enforcement partners will use every available tool to hold accountable those who pursue illicit profit at the expense of ordinary citizens around the world.”
“The success of this international operation underscores the power of collaboration between the FBI and our partners worldwide,” said Special Agent in Charge Kevin Rojek of the FBI Pittsburgh Field Office. “It also serves as a clear warning: those who go after innocent people for financial gain will be pursued and brought to justice no matter where they are in the world. This operation marks a major blow against the criminal underground that seeks to profit from stolen information and fuels global cybercrime.”
As part of the actions announced today, the United States also obtained judicial authorization to seize the domain www.Rydox.cc, which hosted and facilitated access to the Rydox website. The seizure of this domain by the government will prevent the owners and third parties from using the site to continue to buy and sell cybercrime tools and stolen personal information. Anyone visiting this site will now see a seizure banner that notifies them that the domain has been seized by federal authorities.
In coordination with today’s actions, the FBI and Royal Malaysian Police seized servers in Kuala Lumpur, Malaysia, that hosted the Rydox illicit marketplace and took the Rydox website offline. The United States also obtained judicial authorization to seize approximately $225,000 worth of cryptocurrency from accounts controlled by the defendants.
Ardit Kutleshi and Jetmir Kutleshi are each charged with two counts of identity theft, one count of conspiracy to commit identity theft, one count of aggravated identity theft, one count of access device fraud, and one count of money laundering, all arising from their roles as administrators of the Rydox website. If convicted, they each face a maximum penalty of 20 years in prison for the money laundering offense, a maximum penalty of 10 years in prison for the access device fraud offense, a maximum penalty of five years in prison for each of the identity theft offenses, and a mandatory minimum sentence of two years in prison for the aggravated identity theft charge, which is required to run consecutively to any other sentence imposed. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
The FBI Pittsburgh Field Office investigated this case in coordination with the Kosovo State Prosecutor’s Special Prosecution Office, Kosovo Police’s Cybercrime Investigation Directorate, SPAK, Attorney General’s Chambers of Malaysia, and Royal Malaysia Police’s Commercial Crime Investigation Department.
Senior Counsel Thomas Dougherty of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Nicole Stockey for the Western District of Pennsylvania are prosecuting the case. The Justice Department’s Office of International Affairs provided significant assistance.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.