
Feds take down dozens of cybercrime websites including Cracked and Nulled.

[Image: Operation Talent seizure banner]

Takedown of 39 Saim Raza cybercrime websites

The Justice Department announced today the coordinated seizure of 39 domains and their associated servers in an international effort against a Pakistan-based network of online marketplaces selling hacking and fraud-enabling tools operated by a group known as Saim Raza (also referred to as HeartSender). The seizures were carried out in coordination with the Dutch National Police.

According to the affidavit filed in support of these seizures, Saim Raza has been using these cybercrime websites since at least 2020 to sell phishing toolkits and other fraud-enabling tools to transnational organized crime groups, which targeted numerous victims in the United States, leading to over $3 million in victim losses.

The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages, and email extractors, often used to build and maintain fraud operations. Not only did Saim Raza make these tools widely available on the open internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors who lacked this technical expertise. The group also advertised its tools as “fully undetectable” by antispam software.

Transnational organized crime groups and other cybercrime actors primarily used these tools to facilitate business email compromise schemes, tricking victim companies into making payments to a third party. Those payments were instead redirected to a financial account controlled by the perpetrators, resulting in significant losses for the victims. These tools were also employed to acquire victims' user credentials, which were then used to further these fraudulent schemes. Seizing these domains aims to disrupt the ongoing activity of these groups and halt the proliferation of these tools within the cybercriminal community.

Takedown of Cracked

The Justice Department also announced its involvement in a multinational operation targeting the online cybercrime marketplaces known as Cracked (cracked.io) and Nulled (nulled.to). This operation includes actions taken in the United States, Romania, Australia, France, Germany, Spain, Italy, and Greece to disrupt and dismantle the infrastructure of these marketplaces. The initiative was revealed alongside Operation Talent, a multinational law enforcement effort supported by Europol to investigate Cracked and Nulled.

According to seizure warrants unsealed today, the Cracked marketplace has been selling stolen login credentials, hacking tools, and servers for hosting malware and stolen data — as well as various tools for facilitating cybercrime and fraud — since March 2018. Cracked had over four million users, listed more than 28 million posts advertising cybercrime tools and stolen information, generated approximately $4 million in revenue, and impacted at least 17 million victims in the United States. One product advertised on Cracked offered access to “billions of leaked websites,” enabling users to search for stolen login credentials. This product was recently allegedly utilized to sextort and harass a woman in the Western District of New York. Specifically, a cybercriminal entered the victim’s username into the tool and obtained her credentials for an online account. Using the victim’s credentials, the suspect then cyberstalked her and sent sexually demeaning and threatening messages. The seizure of these marketplaces aims to disrupt this type of cybercrime and the spread of these tools within the cybercrime community.

The FBI, in coordination with foreign law enforcement partners, identified a series of servers that hosted the Cracked marketplace infrastructure, along with eight domain names used to operate Cracked. They also pinpointed servers and domain names for Cracked’s payment processor, Sellix, as well as the server and domain name for a related bulletproof hosting service. All of these servers and domain names have been seized under both domestic and international legal processes. Anyone visiting these seized domains will now see a banner indicating that the domain has been seized by law enforcement authorities.

Takedown of Nulled

The Justice Department announced the seizure of the Nulled website domain and unsealed charges against one of Nulled’s administrators, Lucas Sohn, 29, an Argentinian national residing in Spain. According to the unsealed complaint affidavit, the Nulled marketplace has been selling stolen login credentials, stolen identification documents, hacking tools, and various other tools for committing cybercrime and fraud since 2016. Nulled had over five million users, posted more than 43 million advertisements for cybercrime tools and stolen information, and generated approximately $1 million in yearly revenue. One product advertised on Nulled claimed to contain the names and social security numbers of 500,000 American citizens.

The FBI, in coordination with foreign law enforcement partners, has identified the servers that hosted the infrastructure of the Nulled marketplace and the domain used to operate it. These servers and domain have been seized under domestic and international legal processes. Anyone who visits the Nulled domain will now see a seizure banner informing them that the domain has been taken over by law enforcement authorities.

According to the complaint, Sohn was an active administrator of Nulled and performed escrow functions on the website. Nulled’s customers used Sohn’s services to complete transactions involving stolen credentials and other information. For his actions, Sohn faces charges of conspiracy to traffic in passwords and similar information that allow unauthorized access to computers; conspiracy to solicit another person for the purpose of offering an access device or selling information about an access device; and conspiracy to possess, transfer, or use another person’s identification with the intent to commit or assist in any unlawful activity that violates federal law.

If convicted, Sohn could receive a maximum sentence of five years in prison for conspiracy to traffic in passwords, ten years for access device fraud, and fifteen years for identity fraud.
