Russian police have arrested two teenage hackers for breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.

Russian cyber-security firm Group-IB aided authorities with the investigation. A Group-IB spokesperson said the company first became aware of the two hackers in November 2015, when they carried out a large-scale dictionary attack and compromised over 120,000 accounts at a large Russian online store.

Grop-IB believes the hackers used user passwords that became public via data breaches to gain access to the hacked accounts by performing dictionary attacks.

Hacker duo sold access to hijacked accounts

Investigators said the two hackers searched for accounts on that specific online store that had received bonuses for large purchases or had been added to various loyalty programs.

The two put up advertisements on hacking forums, selling access to these accounts for prices of $5 per account or 20-30% of the nominal balance of the sold account. Buyers used access to the hacked accounts to buy products with that account's bonuses.

In some cases, the two hackers also offered "hijacking" services that included changing the account's phone number and email. Group-IB says the two charged 10% of that account's balance.

After their presence on the online store's network was discovered in early 2016, and after the store reacted by boosting security measures, the two expanded their attacks to other online stores and various other site types.

The duo also started accepting tips about online stores and sites with bonus programs they could attack, promising tipsters a 50% cut from the money they made selling access to any hacked accounts.

"To cover their tracks and hamper the companies’ security services, the hackers launched their attacks from different IP-addresses, using anonymizers and changing the digital fingerprint of the browser (User-Agent). In all, requests for authorization came from more than 35,000 unique IP addresses," a Group-IB spokesperson told us.

Hackers made at least $7,900. Possibly more

Investigators believe the two made over 500,000 rubles (roughly $7,900) from selling access to hijacked accounts, but police say the real amount of damage remains to be determined.

Police arrested the duo after Group-IB was able to determine their real-world identities. Russian authorities have not released the hackers' names but said the group's leader is a 19-year-old from the Ryazan region, while his co-conspirator is an 18-year-old from the Astrakhan region.

In a press release from the Ministry of Internal Affairs, authorities reveal they have filed charges, and a judge has put the two under house arrest while the investigation continues and legal procedures get underway.

Last week, Ukrainian police also arrested a hacker on charges of breaking into people's online accounts and then advertising access to these accounts on hacking forums. That hacker previously advertised his "hacking services" via a now-defunct website located at websitexakercki-poslygu.hol.es.