U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan.
The action, which took place on January 29, 2025, has been codenamed Operation Heart Blocker.
The vast array of sites in question peddled phishing toolkits and fraud-enabling tools and was operated by a group known as Saim Raza since at least 2020, which is also known as HeartSender.
These offerings were then used by transnational organized crime groups to target several victims in the United States as part of various business email compromise (BEC) schemes, leading to losses totaling over $3 million.
“The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages, and email extractors, often used to build and maintain fraud operations,” the U.S. Department of Justice (DoJ) said.
“Not only did Saim Raza make these tools widely available on the open internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise.”
The tools advertised on the marketplaces also made it possible to harvest victim user credentials, which were subsequently put to use to further the fraudulent schemes, the DoJ added.
In a coordinated statement, Dutch police officials said the criminal group sold various programs to facilitate digital fraud, which could be employed by cybercriminals to send phishing emails at scale or steal login credentials. The service is estimated to have had thousands of customers prior to its shutdown.
Users can check if they are among those impacted by credential theft by visiting the URL “www.politie[.]nl/checkjehack” and entering their email addresses.
The cybercrime entity, also referred to as The Manipulaters, was first exposed by independent security journalist Brian Krebs in May 2015, with a report from DomainTools last year identifying operational security lapses indicating that several systems associated with the threat actors have been compromised by stealer malware.
“Though lacking the technical sophistication many other large cybercrime vendors have, their most notable characteristic is being one of the earliest phishing-focused cybercrime marketplaces to horizontally integrate their business model while also spreading their operations across several separately branded shops,” the company said.
“Evidence suggests that new members have joined and at least one early member of The Manipulaters left the group. They appear to have a physical presence in Pakistan, including Lahore, Fatehpur, Karachi, and Faisalabad.”
The development follows the takedown of online criminal marketplaces such as Cracked, Nulled, Sellix, and StarkRDP as part of a coordinated law enforcement operation dubbed Talent towards the end of January 2025.
