Police dismantle HeartSender cybercrime marketplace network
Law enforcement authorities in the United States and the Netherlands have seized 39 domains and associated servers used by the HeartSender phishing gang operating out of Pakistan.
Also known as Saim Raza and Manipulators Team, the group has operated online cybercrime marketplaces for over a decade, selling hacking and fraud-enabling tools like phishing kits, malware, and spamming services to "transnational organized crime groups."
Despite temporarily reduced activity after infosec journalist Brian Krebs exposed their operations, the gang ran multiple branded shops (promoted on YouTube) across many domains, spreading the risk of any single takedown and saturating the underground market to deter competition.
The Cybercrime Team of the East Brabant police unit in the Netherlands started investigating their activity at the end of 2022. Investigators from the United States later joined in a joint action dubbed 'Operation Heart Blocker.'
According to a Thursday press release from the U.S. Justice Department, their operations have resulted in over $3 million in losses to victims in the United States alone, with HeartSender datasets containing data stolen from millions worldwide.
"Not only did Saim Raza make these tools widely available on the open internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise. The group also advertised its tools as 'fully undetectable' by antispam software," DOJ said.
"The transnational organized crime groups and other cybercrime actors who purchased these tools primarily used them to facilitate business email compromise schemes wherein the cybercrime actors tricked victim companies into making payments to a third party. These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes."
Authorities in the United States and the Netherlands have not announced whether Operation Heart Blocker has resulted in any charges or arrests.
The Netherlands police also provide a web-based tool for checking whether your data was found in seized HeartSender datasets.
If your email address appears in the dataset, you will receive an email with tips and information about what you should do next. If you get no reply within a few minutes, you were not among the victims of this network with that email address.
This week, authorities from eight countries also shut down Cracked and Nulled, two of the largest hacking forums, with a combined user base of over 10 million.
The joint action, dubbed Operation Talent, also led to the arrest of two suspects in Valencia, Spain, and the seizure of 17 servers and 12 domains used by the two cybercrime platforms (including cracked[.]io, cracked[.]to, and nulled[.]to).
As part of the same operation, the FBI also seized domains used by StarkRDP (starkrdp.io), a Windows RDP virtual hosting provider promoted on both hacking forums and run by the same suspects, and SellIX (sellix.io and mysellix.io), a financial processor used by Cracked members.
The U.S. Justice Department says Cracked ran 28 million ads for cybercrime tools and generated roughly $4 million in revenue, impacting 17 million victims in the United States, while Nulled listed 43 million ads for hacking tools and generated around $1 million in annual revenue.
source: BleepingComputer