DOJ, Allies Seize Cybercrime Forums Affecting 17 Million-Plus Americans
The United States and international allies shut down two underground cybercriminal forums, including one that officials said affected at least 17 million Americans since 2018.
In Operation Talent, announced in the last days of January, investigators seized the infrastructure of the two marketplaces – Nulled and Cracked – and the U.S. Justice Department (DOJ) indicted a 29-year-old Argentinian who was one of the administrators of Nulled, which listed more than 43 million posts advertising cyber tools and stolen data and generated more than $1 million in annual revenue.
The operation involved investigators from the United States as well as Romania, Australia, France, Germany, Spain, Italy, and Greece, and was supported by Europol.
Evan Dornbush, a former NSA cybersecurity expert who in 2014 founded Point3 Security and was its CEO until 2023, said the crackdown should ripple through the cybercriminal world, at least for now.
“Historically, attackers can more easily obtain information and tools than defenders, giving them a perpetual advantage,” Dornbush said. “Actions like this make it more expensive for cybercriminals to operate and ultimately this is a good thing. Lesser players who rely on purchasing tools and network access from these two marketplaces won’t be able to get started, raising the barrier to entry for their criminal enterprise aspirations.”
Nulled Forum
The Nulled marketplace, which had been operating since 2016, was a place for bad actors to buy stolen login credentials, identification documents, and hacking and other tools, according to the DOJ. The site had more than 5 million users, and one product advertised on Nulled allegedly included the names and Social Security numbers of 500,000 U.S. citizens.
Authorities seized the Nulled servers and domain; the domain now displays a banner notifying anyone visiting the site that it has been taken over by law enforcement.
According to the indictment, Lucas Sohn, the Argentinian citizen, was an administrator of the forum and provided escrow services that customers could use to complete transactions involving stolen credentials and similar information. He faces multiple conspiracy charges, including trafficking in stolen passwords and similar information, offering others information used to access devices, and transferring stolen identification documents to others.
FBI investigators in 2020 got a copy of Nulled’s database that held registration information for all the members of the forum and included Sohn’s registration email address. According to the indictment, Sohn had been a moderator on Nulled since at least 2017, and he was one of three administrators that investigators were focusing on.
Cracked’s Wide Reach
The Cracked marketplace has been selling similar wares – hacking tools and stolen credentials and other information – since 2018, according to a law enforcement seizure warrant. Users also could buy servers for hosting malware and stolen data.
More than 4 million people used Cracked, which listed more than 28 million posts advertising what it offered and generated more than $4 million in revenue every year. One advertisement offered access to “billions of leaked websites” that hackers could search through and recently was used to sexually extort and harass a woman in western New York, according to the DOJ.
“Specifically, a cybercriminal entered the victim’s username into the tool and obtained the victim’s credentials for an online account,” the DOJ said. “Using the victim’s credentials, the subject then cyberstalked the victim and sent sexually demeaning and threatening messages to the victim.”
Overall, Cracked’s operations affected at least 17 million victims in the United States, according to the DOJ.
Operation Talent investigators identified servers used to host the Cracked infrastructure and eight domain names used to operate the marketplace. They also found and seized the servers and domains for Sellix, Cracked’s payment processor, as well as a server and domain name for what they called a “related bulletproof hosting service.”
Anyone accessing the domains will now see a banner saying the domains were seized by law enforcement.