Pierluigi Paganini February 03, 2025
A joint law enforcement operation led to the seizure of 39 domains tied to a Pakistan-based HeartSender cybercrime group (aka Saim Raza and Manipulators Team) known for selling hacking and fraud tools.
U.S. and Dutch authorities participated in the operation; the police seized the domains on January 29, 2025.
The HeartSender group has sold phishing tools to criminals since 2020, causing over $3 million in U.S. losses.
The Saim Raza group ran multiple marketplaces that advertised and facilitated the sale of hacking and fraud tools, including malware, phishing kits and email extractors. These tools are essential components for building and running fraud operations. The cybercrime group also offered its customers training on how to use the tools. The HeartSender group advertised its tools as “fully undetectable” by antispam software.
Cybercriminals used the seized domains to run BEC scams, stealing credentials and redirecting payments.
“The transnational organized crime groups and other cybercrime actors who purchased these tools primarily used them to facilitate business email compromise schemes wherein the cybercrime actors tricked victim companies into making payments to a third party. Those payments would instead be redirected to a financial account the perpetrators controlled, resulting in significant losses to victims,” reads the press release published by the DoJ. “These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes. The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”
KrebsOnSecurity first wrote about the Manipulaters in May 2015, when the cybercrime group was openly advertising on forums. By 2021, key members had founded WeCodeSolutions in Lahore, seemingly to legitimize their earnings from HeartSender. Employees inadvertently exposed their ties to the group through social media. A 2023 report led to pleas for story removals, and Saim Raza claimed he had recently been jailed but did not disclose details.
“The Manipulaters never seemed to care much about protecting their own identities, so it’s not surprising that they were unable or unwilling to protect their own customers. In an analysis released last year, DomainTools.com found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees.” wrote KrebsOnSecurity. “Almost every year since their founding, The Manipulaters have posted a picture of a FudCo cake from a company party celebrating its anniversary.
DomainTools also uncovered evidence that the computers used by The Manipulaters were all infected with the same password-stealing malware, and that vast numbers of credentials were stolen from the group and sold online.”
The Netherlands police set up a website that allows users to check whether their data was stolen by the HeartSender group.