
4-year hunt for xDedic Marketplace admins, users leads to 19 arrests


Four years after authorities took down the xDedic Marketplace, 19 individuals were arrested for their various roles in one of the world’s largest platforms for trading access to compromised servers.

Also a market for buying and selling stolen personal information, xDedic was shuttered in January 2019 by an international operation that included the FBI, Europol and law enforcement in Belgium and Ukraine.

Authorities said at the time the site, which operated for about five years, was responsible for more than $68 million in fraud. Criminals used access to the compromised servers for a range of illegal activities including tax fraud and ransomware attacks.

“In the years that followed the takedown of the xDedic Marketplace, the U.S. Attorney’s Office investigated and charged individuals involved in every level of the website’s operation, including its administrators, server sellers, and buyers,” Roger B. Handberg, U.S. Attorney for the Middle District of Florida, said in a Jan. 4 statement.

The 19 arrests, involving individuals of six nationalities, were the result of cooperation with law enforcement agencies in Belgium, Ukraine, the Netherlands and Germany, as well as Europol.

“The administrators practiced exceptional operational security, operating the website across a widely distributed international network, and utilizing cryptocurrency in order to hide the locations of the Marketplace’s underlying servers and the identities of its administrators, sellers, and buyers,” Handberg said.

Marketplace user bilked over $60 million from IRS

Eleven of those arrested have so far been sentenced to prison terms ranging from 12 months to 6 ½ years, while a twelfth man was given five years’ probation. Five others are awaiting sentencing, and two UK citizens are facing extradition to the U.S.

Seven of those already convicted are U.S. residents while the others are from the UK, Russia, Ukraine, Moldova and Nigeria.

Among those jailed for their involvement in the marketplace were Alexandru Habasescu, 31, from Moldova, and Pavlo Kharmanskyi, a 32-year-old Ukrainian. Habasescu was xDedic’s lead developer and technical mastermind, while Kharmanskyi promoted the website, paid administrators, and provided customer support to buyers.

Habasescu was taken into custody in the Spanish Canary Islands in 2022 and extradited to the United States, while Kharmanskyi was arrested at the Miami International Airport in 2019 as he attempted to enter the United States. Habasescu and Kharmanskyi were sentenced to 41 months and 30 months in prison, respectively.

Nigerian national Allen Levinson, 31, was one of three people associated with xDedic to receive a 6 ½-year prison sentence. He was described as a prolific buyer on the marketplace who was particularly interested in purchasing access to the servers of U.S.-based Certified Public Accounting (CPA) firms.

Authorities said he used information from those servers to file hundreds of false tax returns with the IRS, requesting more than $60 million in fraudulent tax refunds. Levinson was taken into custody in the UK in 2020 and extradited to the U.S.

Top seller listed 35,000 compromised credentials

One of the most prolific sellers on the xDedic Marketplace, 29-year-old Russian Dariy Pankov, obtained more than $350,000 from listing for sale the credentials of more than 35,000 compromised servers located around the world.

Authorities said Pankov developed and used a malicious software application to decrypt login credentials he then sold. Pankov was taken into custody in the Republic of Georgia in 2022 and extradited to the United States, where he was sentenced to five years in federal prison.

In total, access to more than 700,000 compromised servers was offered for sale on the xDedic Marketplace, including at least 150,000 located in the United States.

Victims of the platform spanned the globe and were from a wide range of industries. Affected servers belonged to local, state, and federal governments, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
