FBI and Dutch cyber police team up to seize 39 shadowy domains in Operation Heart Blocker


A coordinated effort between the US Department of Justice (DoJ) and Dutch cyber police has led to the takedown of a Pakistan-based network of online hacker marketplaces, otherwise known as HeartSender.

A total of 39 domains and their associated servers were seized earlier this week as part of “Operation Heart Blocker,” the DoJ said.

The Pakistan-based HeartSender network and its group of administrators – operating under the alias Saim Raza – have evaded law enforcement for nearly a decade, formerly under the hacker pseudonym “The Manipulators,” according to security researcher and investigative blogger Brian Krebs.


Krebs, who described the group as “a sprawling web hosting network of phishing and spam delivery platforms,” said that last January The Manipulators pleaded with him over previously published articles about the group, claiming to have been “turning over a new leaf and gone legitimate.”

“Research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities,” Krebs said, suggesting that the group's poor operational security contributed to the criminal network’s demise.

“We have taken down a large international cyber network called HeartSender. Through many different criminal webshops they sold tools to commit digital fraud. In the investigation, we found millions of data of victims worldwide,” the Netherlands' Cybercrime Team of the East Brabant (Oost-Brabant) regional police unit posted on X on Thursday.

Dutch police further noted that they discovered the usernames and passwords of at least 100,000 Dutch citizens on the marketplaces, credentials “that may have been abused by cybercriminals.”

According to the US court affidavit filed in support of the seizure warrants, Saim Raza has used the network of cybercrime websites since at least 2020 “to sell phishing toolkits and other fraud-enabling tools to transnational organized crime groups.”

The tools were subsequently used to target numerous victims in the United States as well, resulting in over $3 million in victim losses, the DoJ said.


Two-year investigation

The Dutch Cybercrime Team said it began investigating Saim Raza at the end of 2022 “after phishing software was found on the computer of a suspect in another investigation.”

Dutch investigators then learned that an investigation into Saim Raza was already underway in the US, leading the two nations to work together to take down the group, culminating in the seizure notices seen splashed across the confiscated website domains this week.

“This domain has been seized in accordance with a seizure warrant… as part of a coordinated law enforcement operation and action by: The US Department of Justice's Computer Crime & Intellectual Property Section, the Federal Bureau of Investigation, and the Dutch National Police,” the seizure banner read.

Operation Heart Blocker
Image by Department of Justice

Although Krebs slammed the group for its sloppy operational security, Dutch police claimed the criminal group acted “very professionally.”

With thousands of customers worldwide, Dutch police said HeartSender used “many different criminal web shops” – many of them advertised on YouTube – to sell its wares, including general hacking tools such as “Senders, Scampaigns, and Cookie grabbers.”

Krebs further listed several specific “popular spamming and phishing services” offered by the group, such as “Fudtools, Fudpage, Fudsender, and FudCo,” explaining that the “FUD” in those names is an acronym for “Fully Un-Detectable,” i.e., marketed as evading antivirus and spam filters.

“A cybercriminal can use these tools to send large amounts of spam or phishing emails or use them to steal someone's login details," Dutch officials said.

“In addition, cybercriminals could also buy access to hacked infrastructure, such as cPanels (control panels of web servers), SMTP servers (servers used to send e-mail messages) and WordPress accounts (system to manage websites),” the Dutch police explained.


Dutch police said they are still investigating the makers of these phishing tools as well as “a number of buyers,” including several Dutch nationals, and have published a link where individuals can check whether their login details appear in the recovered dataset.

The HeartSender takedown was announced on the same day as another major international operation, this time targeting the hacker marketplaces Cracked[.]io, Nulled[.]to, MySellIX[.]io, and StarkRDP[.]io.

Nicknamed “Operation Talent,” that action hit marketplaces that had been operating for more than half a decade, collectively pulling in over $5 million in yearly revenue and serving nearly 10 million users, the Department of Justice revealed in seizure documents.