Algerian Man Charged with Running Cybercrime Marketplaces

“This defendant thought that he could get away with defrauding thousands of victims out of hundreds of thousands of dollars by using fake names and hiding behind a keyboard to steal bank account and credit card numbers,” said U.S. Attorney Michael DiGiacomo in a release.

The alleged marketplaces: market0day.com and spoxy.us

Federal prosecutors say an Algerian man known online as “SPOX” created and ran two illicit e-commerce–style marketplaces that sold the raw tools of financial fraud. According to court documents, market0day.com and spoxy.us offered financial credentials, phishing kits, compromised email server access and other software and services used to carry out fraud. The sites accepted only Bitcoin for transactions, and investigators say the marketplaces operated much like commercial platforms, enabling customers to browse and buy discrete criminal capabilities.

Undercover purchases and the FBI’s early probe

The FBI began investigating the marketplaces in September 2020 after receiving information from a confidential source. Undercover agents used the site to buy a phishing kit designed to replicate JPMorgan Chase’s login page and to purchase access to a compromised email server. A third purchased item — access to a website control panel — was paid for but never delivered; customer complaints about that failure surfaced on the operator’s Telegram channel. Shortly after those complaints, the marketplace administrator announced market0day.com was closing and redirected customers to spoxy.us, describing it as a “new store for bulk sms.”

Digital footprints that investigators say led to Abdellah Belmili

Investigators say they tied the marketplaces to Abdellah Belmili, 26, through a mix of open-source research, search warrants and records obtained from technology and financial companies. Early versions of phishing kit source code allegedly included the full name “Dila Belmili,” a Telegram handle and a link to the marketplaces. Facebook profiles connected to the alias “spox_coder” reportedly listed “Dila Belmili (spox)” as the display name, and customers had posted complaints directly on that profile.

Records from Google showed a personal email account used to search for financial-institution logos, hacking tools, and methods for generating fake identities and credit card numbers. That same account allegedly received about 1,400 emails containing stolen personal information harvested by active phishing kits targeting American Express, Bank of America, Cash App, JPMorgan Chase, PayPal and Wells Fargo. Investigators also say Belmili built hidden backdoors into phishing kits he sold, enabling continued harvesting of victim data even after kits changed hands.

Financial flows, scope and criminal charge

Prosecutors say cryptocurrency records from Binance show roughly $900,000 deposited into an account registered to Belmili between January 2020 and January 2023. About $760,000 of that amount was reportedly transferred to other accounts or converted into other forms of cryptocurrency, while roughly $41,000 was withdrawn from ATMs. Investigators identified approximately 595 distinct phishing kits created by the operator, and analysis of victim data exported to Telegram pages and email accounts tied to the operation identified roughly 5,600 victims in the United States and internationally.

Belmili was extradited from Spain earlier this month and made an initial appearance in the U.S. District Court for the Western District of New York in Buffalo. He is charged with a single count of conspiracy to commit bank fraud, a charge that carries a maximum sentence of 30 years in prison.

What this means for technologists, enterprises, and the public

  • Technologists and security teams: The prosecutors’ account highlights how attackers package and resell phishing kits and compromised access, and how hidden backdoors can persist after resale — factors defenders must anticipate when analyzing incidents or threat intelligence.
  • Affected enterprises and financial institutions: The list of targeted brands observed in stolen data — American Express, Bank of America, Cash App, JPMorgan Chase, PayPal and Wells Fargo — underscores that customer-facing login flows and email infrastructure remain primary targets for fraud tooling sold on criminal marketplaces.
  • End users and the public: The reported 5,600 victims and the harvest of emails containing stolen personal information emphasize the downstream human toll when phishing kits are widely distributed and reused by other criminals.

The case now proceeds in federal court, where filings and evidence tied to market0day.com and spoxy.us will be tested in open proceedings. Court documents are available for review, and prosecutors say the investigation connected aliases, code artifacts and cryptocurrency flows to a single operator who now faces U.S. criminal charges.

Source: CyberScoop — Algerian man charged with running two cybercrime marketplaces