
In a joint operation by the U.S. Department of Justice’s Computer Crime & Intellectual Property Section, the FBI and the Dutch National Police, a phishing software marketplace based in Pakistan has been taken down.
As part of the legal effort called ‘Operation Heart Blocker’, assets belonging to the cybercriminal group HeartSender were seized on January 29.
HeartSender had used three websites for cybercrime since 2020 and was operated by a member known as Saim Raza. According to a press release by the U.S. Department of Justice, Raza’s extortions led to a loss of over $3 million from U.S. victims alone.
“Even though these people reside abroad, the use of these websites made it easy for them to spread their malicious hacking tools for a fee. However, today we have significantly disrupted their ability to harm others,” the press release added.
The Dutch police began investigating the cybercriminal network after they found phishing software on another suspect’s computer. The two nations conducted the raids based on findings of investigations that began in 2022.
Among the seized assets were phishing software on HeartSender’s computers and 39 servers and domains, according to a report by the East Brabant police. Some of their tools were named Senders, Campaigns and Cookie Grabbers.
These tools were used to send phishing emails and steal login details. The web shops were marketplaces for buying hacked infrastructure, including web server control panels (cPanels), SMTP servers used to send emails, and WordPress accounts that were used to manage all their websites.
The police noted that HeartSender operators worked systematically and had several criminal web shops that were advertised on social media including YouTube.
Raza sold scam pages and email extractors on his websites and trained members in fraud using phishing kits and YouTube tutorials. The tools were accessible on the open internet and were marketed as fully undetectable by antispam services.
HeartSender served over a thousand customers globally, who are being traced in the ongoing investigation along with all the developers of the phishing malware.
The transnational group members mainly targeted companies via business email compromise schemes, in which victims were tricked into making payments to a ‘third party.’ The payments would be redirected to the cybercriminal’s account.
The victims’ login details would then be further exploited for fraud. Investigators found millions of login credentials from around the world, including 100,000 from the Netherlands.
The East Brabant police shared the ‘Check je Hack’ link (https://www.politie.nl/informatie/checkjehack.html) where people can check and report whether their username and password were among the stolen data.
Reiterating the same, they added, “You can enter your email address here. If your email address appears in the dataset, you will receive an email with tips and information about what to do. If you do not hear anything, you were not among the victims of this network with that email address.”
This check works for users whose email address was used as their username for WordPress login.
The investigation by the FBI Houston Field Office and the Dutch police is ongoing.
The FBI, along with eight other international law enforcement agencies, is also investigating cybercriminal assets traced during Operation Talent, which led to the seizure of five marketplaces, namely Cracked, Nulled, Starkrdp, Sellix, and MySellix.