Full Report
An international law enforcement operation has seized the domains of several online platforms linked to cybercrime, including Cracked, Nulled, Sellix, and StarkRDP. The effort targeted the following domains: www.cracked.io, www.nulled.to, www.mysellix.io, www.sellix.io, and www.starkrdp.io. Visitors to these websites are now greeted by a seizure banner stating that they were confiscated.
Analysis Summary
# Incident Report: International Takedown of Major Cybercrime Forums
## Executive Summary
International law enforcement agencies, executing "Operation Talent," successfully dismantled and seized the domains of prominent cybercrime forums, notably Cracked and Nulled, along with associated services like Sellix and StarkRDP. The operation aimed to cripple hubs used by malicious actors to trade illegal goods, malware, and hacking tools, resulting in arrests, seizures, and the incapacitation of infrastructure estimated to have generated over €1 million in illicit profits.
## Incident Details
- Discovery Date: January 30, 2025 (Date of public announcement/seizure)
- Incident Date: Domain seizures, arrests, and searches were carried out in the days leading up to the public announcement; exact dates not specified.
- Affected Organization: Multiple underground cybercrime forums and affiliated services.
- Sector: Cybercrime Infrastructure / Online Hosting and Marketplace Services.
- Geography: Multinational operation involving Australia, France, Greece, Italy, Romania, Spain, and the United States, coordinated with Europol.
## Timeline of Events
### Initial Access
- Date/Time: Not specified (Ongoing operation leading up to seizure announcement).
- Vector: Law enforcement actions, resulting in domain confiscation.
- Details: Authorities initiated "Operation Talent" to disrupt key cybercrime platforms.
### Lateral Movement
- N/A (The incident revolves around law enforcement action, not hostile actor lateral movement within a target network).
### Data Exfiltration/Impact
- Impact: The seizure effectively shut down platforms used for trading stolen data, malware (like ScrubCrypt), hacking tools, and AI-based attack scripts.
- Estimated Monetary Impact: Forums generated approximately €1 million ($1.04 million).
### Detection & Response
- How it was discovered: Coordinated intelligence gathering leading to the execution of "Operation Talent."
- Response actions taken: Domain seizures (www.cracked.io, www.nulled.to, www.mysellix.io, www.sellix.io, www.starkrdp.io), two arrests, seven property searches, seizure of 17 servers and more than 50 electronic devices, and seizure of approximately €300,000 in cash and cryptocurrency. Official seizure banners were placed on the domains.
## Attack Methodology
This section describes the infrastructure *used by* the cybercriminals, which was the target of the response operation:
- Initial Access: Not specified (Relates to how users accessed the criminal forums).
- Persistence: Forum infrastructure was kept running through an associated hosting provider (StarkRDP) and payment processor (Sellix).
- Privilege Escalation: Not applicable to forum operation itself; the forums sold hacking tools to their users.
- Defense Evasion: Sale of malware obfuscation tooling such as ScrubCrypt, used to evade detection of the malware traded on the platforms.
- Credential Access: Forums were noted for facilitating the trade of stolen data.
- Discovery: Forums provided AI-based tools for automatically scanning security vulnerabilities.
- Lateral Movement: Not applicable to forum operation itself.
- Collection: Platforms were marketplaces for stolen data and stealer malware components.
- Exfiltration: Trade of exfiltrated data was facilitated.
- Impact: Lowering the barrier to entry for less-skilled attackers by providing tools and scripts.
## Impact Assessment
- Financial: The platforms are estimated to have generated approximately €1 million ($1.04 million) in illicit profits, now disrupted; law enforcement seized approximately €300,000 in cash and cryptocurrency.
- Data Breach: Forums were central hubs for trading stolen data (type and volume unspecified).
- Operational: Immediate shutdown of major cybercrime marketplaces (Cracked, Nulled) and associated critical services (Sellix, StarkRDP).
- Reputational: Positive impact for law enforcement; negative impact for the criminal community.
## Indicators of Compromise
*Note: As this is a law enforcement action against criminal infrastructure, no traditional C2 IoCs are provided, only the seized assets.*
- Network indicators: Seized domains: cracked.io, nulled.to, mysellix.io, sellix.io, starkrdp.io. These now resolve to law-enforcement seizure banners, so current traffic to them is not C2 activity; historical DNS or proxy requests for these domains (including www. and other subdomains) still indicate that a host contacted the forums or their payment and hosting services.
- File indicators: Mention of the malware obfuscation engine ScrubCrypt; no hashes provided.
- Behavioral indicators: Trade of stolen data, malware, and attack automation tools.
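One practical use of the seized-domain list is a retrospective sweep of DNS and proxy logs. The following script is an added example, not code from the report or from any law enforcement agency: it matches hosts against the five domains above, counting exact matches and any subdomain (so www.cracked.io and a hypothetical api.sellix.io both hit) while rejecting substring look-alikes such as notcracked.io. The log format and the sample lines are constructed for illustration and are not real telemetry.

```python
"""Retrospective watchlist sweep for the Operation Talent seized domains.

Added example (not from the original report). Matches log hosts against the
seized domains by exact name or subdomain, never by plain substring.
"""
from __future__ import annotations

import re
from typing import Iterable

# Seized domains as listed in the report. The "www." hosts are covered by the
# subdomain rule in matches_watchlist().
SEIZED_DOMAINS: frozenset[str] = frozenset({
    "cracked.io", "nulled.to", "mysellix.io", "sellix.io", "starkrdp.io",
})

# Assumed log layout (constructed): space-separated key=value fields where the
# host of interest appears as query=, host= or dst=. A port suffix (":443") is
# excluded by the character class.
_HOST_RE = re.compile(r"\b(?:dst|query|host)=([A-Za-z0-9.-]+)")


def normalize_host(host: str) -> str:
    """Lowercase and strip whitespace and a trailing FQDN dot ("nulled.to.")."""
    return host.strip().rstrip(".").lower()


def matches_watchlist(host: str, watchlist: frozenset[str] = SEIZED_DOMAINS) -> str | None:
    """Return the watchlist domain that `host` belongs to, or None.

    A host matches when it equals an entry or ends with "." + entry. Exact
    matches are checked first so "mysellix.io" reports itself rather than
    "sellix.io"; "notcracked.io" matches nothing because it lacks the dot.
    """
    h = normalize_host(host)
    if h in watchlist:
        return h
    for domain in watchlist:
        if h.endswith("." + domain):
            return domain
    return None


def scan_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, normalized_host, matched_domain) for every hit."""
    hits: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for host in _HOST_RE.findall(line):
            matched = matches_watchlist(host)
            if matched is not None:
                hits.append((line_no, normalize_host(host), matched))
    return hits


# Constructed sample log lines (not real telemetry). Lines 1, 2 and 5 should
# hit; line 3 is a look-alike that must not, and line 4 is benign.
SAMPLE_LOG = [
    "2025-01-31T08:12:01Z dns client=10.0.4.17 query=WWW.CRACKED.IO. type=A",
    "2025-01-31T08:12:05Z proxy client=10.0.4.17 host=api.sellix.io:443 status=200",
    "2025-01-31T08:13:44Z dns client=10.0.9.3 query=notcracked.io type=A",
    "2025-01-31T08:14:10Z proxy client=10.0.2.8 host=example.com:443 status=200",
    "2025-01-31T08:15:22Z dns client=10.0.4.17 query=starkrdp.io type=A",
]


if __name__ == "__main__":
    for line_no, host, domain in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} -> seized domain {domain}")
```

A hit is a lead, not proof of compromise: it shows that a host reached a forum, its payment processor, or its hosting provider before the seizure, which most often points to cracked software or stealer logs being bought or sold from inside the network and warrants a look at that endpoint rather than an automated block.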
## Response Actions
- Containment measures: Immediate coordinated domain seizures worldwide.
- Eradication steps: Confiscation of associated servers (17 seized) and electronic devices (50+ seized).
- Recovery actions: Two suspects arrested; seized funds, servers, and devices held by law enforcement for investigation.
## Lessons Learned
- The interconnectedness of the cybercrime ecosystem (forums relying on specific payment processors like Sellix and hosting like StarkRDP) makes dismantling operations more effective when targeting the entire supply chain.
- Law enforcement international cooperation (Europol + multiple nations) is critical for successfully dismantling borderless criminal forums.
- These forums significantly lower the barrier to entry for cybercrime by providing accessible tools and malware.
## Recommendations
- Continued robust international collaboration to identify and target the infrastructure supporting underground marketplaces.
- Enhanced monitoring of associated payment processors and hosting services known to support illicit activities.
- Develop and distribute countermeasures against the specific attack tools (like ScrubCrypt) and automated scanning scripts observed on these platforms.