Full Report
Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were arrested in Kosovo by local law enforcement on Thursday, and U.S. officials have requested their extradition on an indictment unsealed in the Western District of Pennsylvania. A third operator was also arrested and is expected to be prosecuted in Albania.
Analysis Summary
# Threat Actor: Rydox Marketplace Operators (Ardit Kutleshi, Jetmir Kutleshi, Shpend Sokoli)
## Attribution & Identity
The threat activity is centered on the operators of the cybercriminal marketplace Rydox: Ardit Kutleshi (age 26) and Jetmir Kutleshi (age 28), both Kosovan nationals, and Shpend Sokoli, also a Kosovan national. The Kutleshi brothers were arrested by local Kosovan law enforcement, with the U.S. Department of Justice seeking their extradition on an indictment unsealed in the Western District of Pennsylvania; Sokoli was arrested in a parallel action involving Albania's Special Anti-Corruption Body (SPAK).
## Activity Summary
The primary activity revolves around running and profiting from the cybercriminal marketplace called Rydox, which operated from 2016 until its takedown. The platform was used to facilitate the sale of stolen personal information, device access, and tools for cybercrime and fraud to approximately 18,000 users. Gross revenue generated was estimated to be at least $230,000 through over 7,600 sales transactions.
## Tactics, Techniques & Procedures
The only "TTP" the report describes is the operation of a cybercrime marketplace for the sale and distribution of stolen data and fraud tooling; no intrusion, malware, or initial-access techniques are attributed to the operators themselves.
- Operation of a cybercriminal marketplace for the sale of stolen data and fraud tools.
- Requiring user deposits prior to product purchasing/approval.
- Selling "fullz" packages, i.e. complete identity profiles (name, address, SSN, date of birth, driver's license, email) sufficient to open accounts or take over existing ones in the victim's name.
- Selling Social Security numbers and guides on creating scam pages.
## Targeting
- Sectors: Not explicitly stated beyond the general cybercrime market, but victims are individuals whose data was stolen.
- Geography: Primary victims whose data was sold were U.S. residents. The operators were arrested/prosecuted in Kosovo and Albania.
- Victims: Thousands of U.S. residents whose personally identifiable information (PII) and financial data were sold.
## Tools & Infrastructure
- Malware families used: None are named. The sale of "device access" implies that compromised hosts or access tooling were trafficked on the platform, but the report does not attribute any specific malware to the operators or their sellers.
- Infrastructure (C2, domains, IPs):
- Domain: `www.rydox[.]cc` (Seized by the U.S. DOJ)
- Hosting: Servers located in Kuala Lumpur, Malaysia (Taken down with assistance from the Royal Malaysian Police)
## Implications
The successful disruption of Rydox represents a significant blow to the underground infrastructure supporting identity theft and financial fraud, specifically targeting U.S. individuals. The coordination between multiple international law enforcement agencies (U.S., Kosovo, Albania, Malaysia) highlights the increasing multinational effort to dismantle these support platforms.
## Mitigations
- Continued collaboration between international law enforcement agencies to target and dismantle illicit cybercriminal marketplaces.
- Monitoring underground forums and marketplaces for successor platforms, or for existing platforms absorbing Rydox's roughly 18,000 users; seized marketplaces are routinely replaced, so the takedown disrupts supply only temporarily.
- Stronger protection of PII and financial credentials at the organizations that hold them, since marketplaces like Rydox resell data stolen elsewhere; victims whose "fullz" were sold should treat the exposed SSN and date of birth as permanently compromised and monitor for new-account fraud.