E-Root Admin Faces 20 Years for Selling Stolen RDP, SSH Accounts

Cyber Security Threat Summary:
“Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud” (Bleeping Computer, 2023).

E-Root was a cybercriminal marketplace that sold access to breached computers worldwide in exchange for cryptocurrency. Aside from imprisonment, U.S. law enforcement is seeking to recover the payments made through these illegal activities.

During its lifespan, the marketplace listed over 350,000 compromised systems for sale. These included computers from a broad range of industries, and at least one government system in Tampa, Florida. Users of the site could filter listings by price range, region, ISP, operating system, RDP or SSH access, and more.

Security Officer Comments:
To avoid takedowns and evade detection, E-Root operated across a widely distributed network and featured protections to mask the real identities of vendors, buyers, and administrators. The market also operated a dedicated cryptocurrency exchange service that enabled users to convert between Bitcoin and Perfect Money, an otherwise legal encrypted electronic transactions service.

According to the U.S. Department of Justice (DoJ), there have been many confirmed cases of access purchased through E-Root being used for cybercrime, including ransomware attacks. The department notes that many of the victims were subjected to ransomware attacks and that some of the stolen credentials were used for identity theft and tax fraud.

Diaconu has not yet pleaded guilty to the charges outlined in the indictment and is presumed innocent until proven guilty.

Initial access brokers (IABs) have been a large driver of the ever-growing ransomware landscape. Ransomware operators no longer need to develop their own initial access capabilities; instead, they simply purchase access from other cybercriminals. In some cases, that access may have been obtained through phishing, vulnerable systems, or insider threats. The IAB market has been very lucrative, and because these brokers do not carry out the ransomware attacks themselves, many of them can stay under the radar of law enforcement.