The service was actively advertised not only on the darknet, but also on the open Internet.
More than 23 thousand hacked databases have been published on several hacker forums and Telegram channels - an incident that experts have already called the largest leak of its kind.
The databases were leaked from Cit0Day.in, a service advertised on cybercriminal forums. The service collected compromised databases and provided access to usernames, email addresses, residential addresses, and even unencrypted passwords for a daily or monthly fee. Cybercriminals use these passwords to hack user accounts on other sites.
Cit0Day is not a unique service - LeakedSource and WeLeakInfo existed before it and were shut down by law enforcement agencies in 2018 and 2020, respectively. Cit0Day was launched in January 2018 - right after the closure of LeakedSource. The service was actively advertised not only on the darknet, but also on the open Internet, in particular on the BitcoinTalk website. However, it suffered the same fate as its predecessors - on September 14, 2020, Cit0Day was disabled, and the site now displays a notice from the FBI and the US Department of Justice about the shutdown.
According to rumors circulating on hacker forums, the creator of Cit0Day, someone known as Xrenovi4, has been arrested. However, according to ZDNet, some signs indicate that the notification is fake. According to KELA specialist Raveed Laeb, the notice was copied from the one posted on the hacker site Deer.io. In addition, the FBI and the US Department of Justice shut down cybercriminal sites at the same time as their operators are charged, which is reported to the public, but nothing of the kind has been reported in Cit0Day's case.
After the shutdown of the Cit0Day site, all its databases became publicly available. Last month, they were published on a well-known Russian-language forum for free download, either by Xrenovi4 or by a competing hacker group. A total of 23,618 databases (50 GB, records of 13 million users) were published on the MEGA portal, but they stayed there for only a few hours before being deleted by the MEGA administration. Nevertheless, these few hours were enough for the databases to spread across the Web. Since October, the Cit0Day database has been distributed via Telegram and Discord channels. On Sunday, November 1, the data was published once again on a well-known cybercrime forum.