US and Dutch authorities dismantle 39 Domains used for selling stolen credentials

U.S. and Dutch law enforcement agencies have successfully dismantled 39 domains and their associated servers as part of a crackdown on online marketplaces involved in cybercrime. The joint operation, codenamed Operation Heart Blocker, targeted a group known as Saim Raza, AKA HeartSender, which has been operating since at least 2020.

A blow to the HeartSender cybercrime network

The network of fraudulent sites was responsible for advertising and distributing phishing toolkits, scam pages, and fraud-enabling tools to cybercriminals worldwide. According to the U.S. Department of Justice (DoJ), these tools were instrumental in business email compromise (BEC) schemes that resulted in over $3 million in financial losses to victims in the United States.

"The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages, and email extractors, often used to build and maintain fraud operations," the DoJ said in an official statement.

Not only were these tools widely available on the open internet, but Saim Raza also provided instructional YouTube videos on how to use them, effectively training cybercriminals with little technical expertise. The DoJ further revealed that the phishing kits enabled criminals to harvest login credentials, which were then used in subsequent fraud schemes.

Dutch authorities confirm the crackdown

In a separate statement on their website, Dutch police officials confirmed that the criminal network sold various software programs that facilitated digital fraud. These programs enabled cybercriminals to launch large-scale phishing campaigns and steal login credentials from unsuspecting victims. Before its shutdown, the illicit service was estimated to have thousands of active customers.

The Manipulaters: An established cybercrime entity

The cybercrime group, also known as The Manipulaters, was first exposed by security journalist Brian Krebs in 2015. A subsequent report from DomainTools last year revealed operational security lapses, suggesting that several systems associated with the group had been compromised by stealer malware.

DomainTools noted that while the group may lack the technical sophistication of other large cybercrime vendors, its defining characteristic is its early adoption of a horizontally integrated business model, combining tool sales with training and support, while also operating multiple branded storefronts.

"Though lacking the technical sophistication many other large cybercrime vendors have, their most notable characteristic is being one of the earliest phishing-focused cybercrime marketplaces to horizontally integrate their business model while also spreading their operations across several separately branded shops," the company stated.

DomainTools also suggested the group has a physical presence in Pakistan, with members located in cities like Lahore, Fatehpur, Karachi, and Faisalabad.

Part of a broader crackdown

This takedown follows a similar operation, dubbed Talent, which occurred towards the end of January 2025, targeting online criminal marketplaces such as Cracked, Nulled, Sellix, and StarkRDP.

These coordinated actions demonstrate a growing international effort to combat the proliferation of online platforms that facilitate cybercrime.