Hacker “Sanix” Is Selling Large Amount of Hacked User Credentials


The Ukrainian Secret Service (SSU) today announced the arrest of a hacker known as Sanix, responsible for selling billions of stolen credentials on telegram networks and hacking forums.

The SSU states that Sanix was arrested in Ivano-Frankivsk, a city in western Ukraine. Officials have not provided a name for the hacker.

Sanix has a long history of working on underground hacking sites, where he was first spotted as far back as 2018.

The person was what would be considered a data broker by security experts. He obtained leaked data from compromised companies and stored the information in vast lists of usernames and passwords.

Then Sanix would resell the data to other underground cybercrime threat actors such as spam groups, password crackers, account hijackers and brute-force botnets operators.

Sanix, who also worked on Telegram under Sanixer ‘s username, is responsible for initially compiling a collection of user and password combos called Collection # 1, # 2, # 3, # 4, # 5, Antipublic, and others. These collections contained terabytes of data, and billions of unique combinations of username-passwords.


For years, these collections have been sold out in private. Nonetheless, some of these collections leaked online after a dispute with another data broker — Azatej, the individual behind Infinity Black, a web platform for the sale of stolen accounts, according to threat intelligence company IntSights.

Around the time, in January 2019, despite being only a mixture of old hacked data, the Azatej / Sanix leaks attracted an insane amount of media attention, exposing the world to the idea of “combolists” — massive sets of old data, which has now become the commodity of a hacker. Collection # 1 has also got its own Wikipedia article today.

Azatej, who first leaked Collection # 1, and then the other items, was detained in Poland earlier this month as part of an operation by Europol against the Infinity Black web service.

In today’s press release, the SSU says it has found copies of Collection # 1 on Sanix ‘s computer, along with “at least seven similar stolen and corrupted password databases.”

In addition to gathering usernames and passwords, Ukrainian officials said the Sanix machine also stored information on bank card PIN codes, cryptocurrency wallets, PayPal account logins, and DDoS botnets.

SSU officials said after a house search they seized 2 TB of data, $3,000, and 190,000 Ukrainian hryvnias (~$7,000) from Sanix ‘s residence. Below is a video about the arrest of Sanix released by Ukrainian authorities today.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.