Moldovan charged, arrested, and extradited for administration of site involved in the illicit sale of compromised computer credentials

 

Date: October 18, 2023

Contact: newsroom@ci.irs.gov

United States Attorney Roger B. Handberg, along with Special Agent in Charge Kareem Carter of the IRS - Criminal Investigation Washington DC Field Office, and Special Agent in Charge David Walker of the FBI - Tampa Division, announces today the extradition and removal from the United Kingdom of Sandu Diaconu (Moldova) for crimes related to his administration of the E-Root Marketplace, a website that operated for years and was used to sell access to compromised computers worldwide, including servers belonging to companies and individuals in the United States. Diaconu had his initial appearance and arraignment before United States Magistrate Judge Thomas G. Wilson on October 16, 2023.

According to the indictment, Diaconu has been charged (along with a sealed co-defendant) with conspiracy to commit access device and computer fraud, wire fraud conspiracy, money laundering conspiracy, access device fraud, and computer fraud. If convicted on all counts, Diaconu faces a maximum penalty of 20 years in federal prison. The indictment also notifies Diaconu that the United States is seeking an order of forfeiture relating to the proceeds of and used in the charged criminal conduct.

Seizure orders were executed against the domain names of the E-Root Marketplace and a public takedown notice was issued at the end of 2020. Diaconu was arrested while attempting to leave the United Kingdom in May 2021. In September 2023, after Diaconu consented, the Westminster Magistrates' Court ordered Diaconu to be extradited to the United States to face the outstanding charges.

According to court documents, the E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers. Buyers could search for compromised computer credentials on E-Root, such as RDP and SSH access, by desired criteria such as price, geographic location, internet service provider, and operating system. The Marketplace also used Perfect Money, an online payment system, to help conceal buyers' payments. It also offered its illicit cryptocurrency exchange service for the purpose of converting Bitcoin to Perfect Money and vice-versa. This exchange was also seized.

Based on evidence obtained during the investigation, authorities believe that more than 350,000 compromised computer credentials were listed for sale on the Marketplace. The victims span the globe and all industries, including a variety of businesses and firms, as well as at least one local government agency in Tampa. Many victims were subject to ransomware attacks, and some of the stolen credentials listed on the Marketplace were linked to stolen identity tax fraud schemes.

The U.S. investigation was led by the IRS - CI Cyber Crimes Unit (Washington, D.C) and the FBI - Tampa Division. Substantial assistance was provided by the IRS-Criminal Investigation's Tampa Field Office, the Department of Justice's Office of International Affairs, IRS-CI and FBI International Operations at Mission UK, the United Kingdom's National Extradition Unit, the United Kingdom's Central Authority, and the United States Marshals Service, Tampa Field Office. The criminal investigation is being overseen by Assistant United States Attorney Rachel Jones and asset forfeiture will be handled by Assistant United States Attorney Suzanne Nebesky.

An indictment is merely a formal charge that a defendant has committed one or more violations of federal criminal law, and every defendant is presumed innocent unless, and until, proven guilty.